Lucene search
+L

559 matches found

CVE
CVE
added 2026/04/18 12:41 a.m.26 views

CVE-2026-35465

CVE-2026-35465 affects SecureDrop Client

7.5CVSS6.1AI score0.00439EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/18 12:41 a.m.3 views

CVE-2026-35465 SecureDrop Client has path injection in read_gzip_header_filename()

SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Server can achieve code execution on the Client's virtual machine sd-app by exploiting improper...

7.5CVSS6.4AI score0.00439EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/18 12:0 a.m.16 views

PT-2026-33546

Name of the Vulnerable Software and Affected Versions SecureDrop Client versions prior to 0.17.5 Description Improper filename validation during gzip archive extraction allows a compromised SecureDrop Server to achieve code execution on the Client virtual machine sd-app. This occurs because the...

7.5CVSS6.2AI score0.00439EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/04/16 12:0 a.m.4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: sqlite (UTSA-2026-007182)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007182 advisory. An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via...

7.5CVSS5.8AI score0.00301EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/14 2:45 a.m.34 views

CVE-2026-40315 PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries

PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the tableprefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers...

7.2CVSS0.00297EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/10 7:32 p.m.10 views

PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries

Summary The tableprefix configuration value is directly used to construct SQL table identifiers without validation. If an attacker controls this value, they can manipulate SQL query structure, leading to unauthorized data access e.g., reading internal SQLite tables such as sqlitemaster and...

9.8CVSS6AI score0.00297EPSS
Exploits1References5Affected Software1
EUVD
EUVD
added 2026/03/31 10:49 p.m.8 views

EUVD-2026-17293

SciTokens is vulnerable to SQL Injection in KeyCache...

9.8CVSS6AI score0.00492EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/31 10:49 p.m.9 views

SciTokens is vulnerable to SQL Injection in KeyCache

Summary The KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format to construct SQL queries with user-supplied data such as issuer and keyid. This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. Ran the POC below...

9.8CVSS6.3AI score0.00492EPSS
Exploits1References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/31 1:31 a.m.2 views

CVE-2026-32714

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format to construct SQL queries with user-supplied data such as issuer and keyid. This allowed an attacker to...

9.8CVSS6.1AI score0.00492EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/30 7:42 p.m.3 views

CVE-2026-31799 Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "sectionid" and "userid", the /api/v2?cmd=gethomestats endpoint passe...

4.9CVSS5.9AI score0.004EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/28 4:56 a.m.8 views

CVE-2026-33735

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...

8.8CVSS6AI score0.00385EPSS
Exploits1References1
SUSE CVE
SUSE CVE
added 2026/03/28 12:26 a.m.5 views

SUSE CVE-2026-32767

SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlyin...

9.8CVSS6.2AI score0.00541EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/27 11:25 p.m.4 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management via the restore process. An attacker can gain unauthorized administrative privileges by uploading a crafted SQLite database file, allowing access to user management, audit logs, debug endpoints, and operato...

8.6CVSS5.9AI score0.00388EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/27 8:56 p.m.4 views

CVE-2026-33906

Ella Core is a 5G core designed for private networks. Prior to version 1.7.0, the NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. A NetworkManager could replace the production database with a tamper...

7.2CVSS5.9AI score0.00388EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/03/27 1:16 a.m.10 views

CVE-2026-33735

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...

8.8CVSS0.00385EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/27 12:36 a.m.3 views

CVE-2026-33735

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...

8.7CVSS5.8AI score0.00385EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/27 12:36 a.m.5 views

CVE-2026-33735 MyTube has an Improper Access Control that Allows Complete Application Takeover

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...

8.7CVSS5.9AI score0.00385EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/03/27 12:36 a.m.3 views

CVE-2026-33735 MyTube has an Improper Access Control that Allows Complete Application Takeover

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...

8.7CVSS5.9AI score0.00385EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/26 8:32 p.m.4 views

CVE-2026-33545 MobSF has SQL Injection in its SQLite Database Viewer Utils

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...

5.3CVSS6AI score0.00276EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/26 8:32 p.m.14 views

CVE-2026-33545

MobSF is a mobile application security testing tool used. Prior to version 4.4.6, MobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst...

5.3CVSS5.9AI score0.00276EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder