CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/05/28 3:27 a.m.•14 views

CVE-2026-5737

CVE-2026-5737 concerns the Independent Analytics plugin for WordPress, vulnerable through an unauthenticated SSRF in versions up to 2.14.9. A public tracking route at /wp-json/iawp/search accepts attacker-controlled referrer_url values when signatures match, compounded by a scheduled favicon fetc...

ATTACKERKB•added 2026/05/28 3:27 a.m.•7 views

CVE-2026-5737

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrerurl values when the signature matches, combined with a...

Vulnrichment•added 2026/05/28 3:27 a.m.•6 views

Exploits0References11

CVE-2026-5737 Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route

EUVD•added 2026/05/28 3:27 a.m.•8 views

EUVD-2026-32702

CNNVD•added 2026/05/28 12:0 a.m.•5 views

Nautobot 代码问题漏洞

Nautobot is a web automation platform developed by the Nautobot team. Versions prior to Nautobot 2.4.33 and 3.1.2 contained code vulnerabilities. These vulnerabilities stemmed from the Webhook data model and related features being configurable by users with sufficient permissions to send requests...

8.5CVSS5.9AI score0.00037EPSS

Exploits0References6

Positive Technologies•added 2026/05/28 12:0 a.m.•8 views

PT-2026-44535

Name of the Vulnerable Software and Affected Versions Kibana affected versions not specified Description An authenticated user with connector management privileges can perform a Server-Side Request Forgery SSRF, which is a flaw that allows an attacker to induce the server-side application to make...

7.7CVSS5.8AI score0.00033EPSS

Exploits0References4

Positive Technologies•added 2026/05/28 12:0 a.m.•8 views

PT-2026-44394

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no...

4.2CVSS6AI score0.00034EPSS

Exploits1References2

CNNVD•added 2026/05/28 12:0 a.m.•8 views

Local Deep Research 代码问题漏洞

Local Deep Research is an AI search assistant developed by LearningCircuit. Versions of Local Deep Research prior to 1.6.10 contained code vulnerabilities. These vulnerabilities stemmed from defects in the URL checking logic, which could be exploited by attackers, leading to SSRF attacks...

5CVSS5.8AI score0.00035EPSS

Exploits0References7

Positive Technologies•added 2026/05/28 12:0 a.m.•8 views

PT-2026-44509

Name of the Vulnerable Software and Affected Versions Kibana affected versions not specified Description Server-Side Request Forgery SSRF allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with...

7.7CVSS5.8AI score0.00033EPSS

Exploits0References4

Positive Technologies•added 2026/05/28 12:0 a.m.•7 views

PT-2026-44731

A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. Finding 1 Critical: SSRF CWE-918 The HTTPSFetcher. do fetch method passes a user-supplied URL directly to requests.get without validation. This allows an attacker to...

6.7CVSS6AI score0.00012EPSS

Exploits0References5

CNNVD•added 2026/05/28 12:0 a.m.•6 views

flowintel 安全漏洞

Flowintel is an open-source security analyst case and task management platform developed by flowintel. Versions of FlowIntel 3.3.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the external reference URL detection function in the app/case/task.py file, which has a...

6.2CVSS5.8AI score0.00044EPSS

CNNVD•added 2026/05/28 12:0 a.m.•5 views

WordPress plugin Independent Analytics 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

RedhatCVE•added 2026/05/27 8:14 p.m.•7 views

CVE-2026-9372

A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is...

7.5CVSS6.7AI score0.00053EPSS

RedhatCVE•added 2026/05/27 8:13 p.m.•7 views

CVE-2026-42335

MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...

6.3CVSS5.8AI score0.00049EPSS

NVD•added 2026/05/27 6:16 p.m.•11 views

CVE-2026-48128

Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to targ...

5.1CVSS0.00077EPSS

NVD•added 2026/05/27 6:16 p.m.•9 views

CVE-2026-45061

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

7.7CVSS0.00032EPSS