CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/18 12:0 a.m.•11 views

PT-2026-41791

Name of the Vulnerable Software and Affected Versions OpenTelemetry eBPF Instrumentation versions 0.7.0 through 0.8.x Description An integer overflow exists in the memcached text protocol parser of OpenTelemetry eBPF Instrumentation OBI. When parsing memcached storage commands such as set, add,...

7.5CVSS6AI score0.00353EPSS

Exploits1References21

Positive Technologies•added 2026/05/17 12:0 a.m.•11 views

PT-2026-41558

Name of the Vulnerable Software and Affected Versions GitBucket version 4.23.1 Description An issue allows unauthenticated remote code execution through weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious J...

9.8CVSS6.5AI score0.00589EPSS

Exploits1References7

EUVD•added 2026/05/16 3:28 p.m.•7 views

EUVD-2021-34838

Home Assistant Community Store HACS 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, th...

CVE•added 2026/05/16 3:28 p.m.•16 views

CVE-2021-47942

CVE-2021-47942 concerns Home Assistant Community Store (HACS) 1.10.0. The vulnerability is a path traversal flaw exposed via the /hacsfiles/ endpoint, allowing unauthenticated attackers to read sensitive files (notably .storage/auth) and retrieve credentials/refresh tokens. With this access, an a...

Exploits1References4Affected Software1

Cvelist•added 2026/05/16 3:28 p.m.•30 views

CVE-2021-47942 Home Assistant Community Store 1.10.0 Path Traversal Account Takeover

Home Assistant Community Store HACS prior to 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh...

8.7CVSS0.00498EPSS

Vulnrichment•added 2026/05/16 3:28 p.m.•6 views

CVE-2021-47942 Home Assistant Community Store 1.10.0 Path Traversal Account Takeover

ATTACKERKB•added 2026/05/16 3:28 p.m.•9 views

CVE-2021-47942

Veracode•added 2026/05/16 6:40 a.m.•24 views

LFS Object Overwrite

Gogs is vulnerable to LFS object overwrite. The vulnerability is due to overwritable LFS objects across different repositories, where attackers can manipulate the uploaded file like injecting backdoor, and Gogs does not verify uploaded LFS file content against its claimed SHA-256...

9.3CVSS7.1AI score0.00327EPSS

Exploits1References4Affected Software1

Veracode•added 2026/05/16 5:34 a.m.•9 views

Improper Cleanup Of Namespace Data

OpenBao is vulnerable to improper cleanup of namespace data.The vulnerability is due to incomplete cleanup when retries occur after an initial namespace deletion failure, which allows an attacker to potentially retain access to outstanding leases or leave residual storage entries that should have...

7.5CVSS5.8AI score0.00248EPSS

Exploits0References3Affected Software1

Veracode•added 2026/05/16 5:33 a.m.•10 views

Secret Key Exposure

Pyroscope is vulnerable to Secret Key Exposure. The vulnerability is due to improper exposure of Tencent COS storage backend configuration values through the Pyroscope API, allowing attackers with API access to retrieve the secretkey used for cloud storage authentication...

9.1CVSS5.8AI score0.00337EPSS

Exploits0References2Affected Software1

Veracode•added 2026/05/16 5:17 a.m.•10 views

Authorization Bypass

StudioCMS is vulnerable to Improper Access Control. The vulnerability is due to missing await handling for the asynchronous isAuthorized function in the S3 storage manager, where authorization checks in the POST and PUT handlers always evaluate as successful because unresolved Promise objects are...

7.6CVSS5.8AI score0.00183EPSS

Exploits1References3Affected Software1

RedhatCVE•added 2026/05/16 1:57 a.m.•12 views

CVE-2026-44647

OneDev is a Git server with CI/CD, kanban, and packages. Prior to 15.0.2, there is behavior that breaks the expected boundary between repository-controlled LFS metadata and server-local filesystem paths. A repository object can steer raw blob reads to arbitrary local files that the server account...

7.1CVSS5.9AI score0.00319EPSS

RedhatCVE•added 2026/05/16 1:57 a.m.•15 views

CVE-2026-44592

Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENTDISCOVERABLE=true the default, and the NixOS module default, anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The resulting session has...

9.4CVSS5.9AI score0.00157EPSS

CNNVD•added 2026/05/16 12:0 a.m.•9 views

WordPress plugin theme Wibar 跨站脚本漏洞

6.4CVSS5.8AI score0.00243EPSS

EUVD•added 2026/05/15 9:26 p.m.•10 views

EUVD-2026-30656

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.3, the audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHEDIR/audio/transcriptions/.. The /cache/path route serve...

8.7CVSS5.8AI score0.0018EPSS

Exploits1References1

RedhatCVE•added 2026/05/15 7:57 p.m.•5 views

CVE-2026-8596

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for special...

8.5CVSS6.2AI score0.00439EPSS