CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added last week•20 views

CVE-2026-48294

Adobe Acrobat PDF Extension Chrome versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in tha...

7.4CVSS0.00784EPSS

Positive Technologies•added 2026/06/16 12:0 a.m.•11 views

PT-2026-50077

8.2CVSS5.3AI score0.00784EPSS

NVD•added 2026/06/10 12:16 a.m.•14 views

CVE-2026-46518

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a...

8.7CVSS0.00462EPSS

Exploits1References1

EUVD•added 2026/06/09 10:50 p.m.•6 views

EUVD-2026-35869

7.7CVSS5.5AI score0.00462EPSS

Exploits1References1

RedhatCVE•added 2026/06/06 6:43 p.m.•13 views

CVE-2026-50235

Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScri...

6.1CVSS5.6AI score0.00158EPSS

Exploits2References1

RedhatCVE•added 2026/06/05 7:31 p.m.•10 views

CVE-2026-33569

Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise the device...

6.5CVSS5.4AI score0.00186EPSS

RedhatCVE•added 2026/06/05 7:28 p.m.•9 views

CVE-2026-4914

Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required...

5.4CVSS5.5AI score0.00345EPSS

RedhatCVE•added 2026/06/05 7:26 p.m.•7 views

CVE-2026-39381

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

5.3CVSS5.4AI score0.00193EPSS

RedhatCVE•added 2026/06/05 7:25 p.m.•5 views

CVE-2026-44423

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records SSH username, device UID, remote IP, terminal type, authenticated fla...

6.5CVSS5.5AI score0.00246EPSS

Exploits1References1

CNNVD•added 2026/06/05 12:0 a.m.•4 views

Termix 安全漏洞

Termix is a server management platform developed by Karmaa’s individual developers. Versions of Termix 1.7.0 and later contain security vulnerabilities. These vulnerabilities stem from the disabling of TLS certificate verification, which may allow man-in-the-middle attackers to intercept and modi...

8CVSS5.4AI score0.00127EPSS

Exploits1References2

Positive Technologies•added 2026/06/01 12:0 a.m.•13 views

PT-2026-45457

An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load with unrestricted deserialization...

6.2AI score0.00144EPSS

Exploits0References4

NVD•added 2026/05/28 6:16 p.m.•12 views

CVE-2026-45296

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7CVSS0.00231EPSS

ATTACKERKB•added 2026/05/28 4:51 p.m.•11 views

CVE-2026-45296

Exploits0References2Affected Software1

EUVD•added 2026/05/28 4:51 p.m.•9 views

EUVD-2026-32971

Vulnrichment•added 2026/05/28 4:51 p.m.•8 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

Cvelist•added 2026/05/28 4:51 p.m.•27 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

7.7CVSS0.00231EPSS

Positive Technologies•added 2026/05/28 12:0 a.m.•7 views

PT-2026-44457

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

CNNVD•added 2026/05/28 12:0 a.m.•8 views

OpenReplay 访问控制错误漏洞

OpenReplay is an open-source, developer-friendly, self-hosted session replay software. Versions of OpenReplay prior to 1.26.0 contained an access control vulnerability. This vulnerability stemmed from the lack of verification that the project belonged to the same tenant during API key...

NVD•added 2026/05/27 11:16 p.m.•10 views

CVE-2026-45322

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.runshell passes a command string...

7.8CVSS0.0172EPSS