Lucene search
K

317 matches found

Tenable Nessus
Tenable Nessus
added 6 days ago5 views

SUSE SLES12 Security Update : google-osconfig-agent (SUSE-SU-2026:2665-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2665-1 advisory. - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header...

10CVSS7.4AI score0.01557EPSS
Exploits1References44
OSV
OSV
added last week2 views

SUSE-SU-2026:2665-1 Security update for google-osconfig-agent

This update for google-osconfig-agent fixes the following issues: - CVE-2026-33186: google.golang.org/grpc: authorization bypass due to improper validation of the HTTP/2: path pseudo- header bsc1260264. - CVE-2026-39821: Update golang.org/x/net/idna dependency bsc1266603. - CVE-2026-39827: Update...

10CVSS7.3AI score0.01557EPSS
Exploits1References26
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.6 views

SUSE SLES15 Security Update : google-osconfig-agent (SUSE-SU-2026:2611-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2611-1 advisory. This update for google-osconfig-agent fixes the following issue - CVE-2026-33186: Update google.golang.org/grpc dependency...

10CVSS6.6AI score0.01557EPSS
Exploits1References38
OSV
OSV
added 2026/06/24 9:0 a.m.2 views

SUSE-SU-2026:2611-1 Security update for google-osconfig-agent

This update for google-osconfig-agent fixes the following issue - CVE-2026-33186: Update google.golang.org/grpc dependency bsc1260264. - CVE-2026-39821: Update golang.org/x/net/idna dependency bsc1266603. - CVE-2026-39827: Update golang.org/x/crypto dependency bsc1266171. - CVE-2026-39828: Update...

10CVSS6.7AI score0.01557EPSS
Exploits1References22
NVD
NVD
added 2026/06/23 6:18 p.m.11 views

CVE-2026-52846

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert, can bypass the tag-stripping logic, potentially leaving dangerous...

4.2CVSS0.00153EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 5:47 p.m.24 views

CVE-2026-52846

Summary: CVE-2026-52846 affects Caddy's stripHTML template function, which cannot reliably strip certain malformed HTML (e.g., <img src=x onerror=alert()>). This can bypass tag-stripping and may enable client-side XSS when untrusted strings are rendered as HTML. The issue originates in func...

4.2CVSS5.8AI score0.00153EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/06/22 3:42 p.m.31 views

CVE-2026-50184 Angular: Request Credential & Cache Policy Stripping in Angular Service Worker

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

5.7CVSS0.0015EPSS
Exploits0References2
OSV
OSV
added 2026/06/22 12:8 p.m.2 views

SUSE-SU-2026:2487-1 Security update for rmt-server

This update for rmt-server fixes the following issues - CVE-2026-26961: rack: mismatch in header handling can allow to smuggle multipart content bsc1261398. - CVE-2026-26962: rack: improper unfolding of folded multipart headers can lead to header injection or response splitting bsc1261471. -...

7.5CVSS5.9AI score0.0043EPSS
Exploits0References22
Vulnrichment
Vulnrichment
added 2026/06/22 11:43 a.m.7 views

CVE-2026-56422 MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys id and ownership/scope foreign keys eventid, orgid, userid, sharinggroupid, galaxyclusteruuid, organisationuuid, and related nested object identifiers without consistently...

9.4CVSS6AI score0.00362EPSS
Exploits0References16
CVE
CVE
added 2026/06/22 11:43 a.m.19 views

CVE-2026-56422

CVE-2026-56422 affects MISP core controllers and models where client-controlled fields (ids and ownership/scope keys such as event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, etc.) were not consistently stripped or revalidated, enabling an authenticated user to ...

9.4CVSS6AI score0.00362EPSS
Exploits0References16
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in Ruby 2.5, JRuby

A issue was discovered in Ruby between versions 2.6.7, 2.7.x up to 2.7.3, and 3.x up to 3.0.1. The Net::IMAP library does not raise an exception when the StartTLS command fails with an unknown response. This may allow man-in-the-middle attackers to bypass TLS protections by leveraging the network...

7.4CVSS6.6AI score0.02909EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/16 9:28 p.m.6 views

Caddy: stripHTML template function bypass

Summary Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow...

4.2CVSS5.4AI score0.00153EPSS
Exploits1References2Affected Software2
Tenable Nessus
Tenable Nessus
added 2026/06/14 12:0 a.m.13 views

FreeBSD : caddy -- multiple vulnerabilities (94f93681-6775-11f1-8044-002590af0794)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 94f93681-6775-11f1-8044-002590af0794 advisory. Caddy project reports: Caddy 2.11.4 contains multiple security fixes. GitHub Security Advisory...

8.1CVSS5.9AI score0.00409EPSS
Exploits3References8
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.15 views

lldpd 缓冲区错误漏洞

LLDPD is a daemon capable of receiving and sending LLDP frames. Versions of LLDPD prior to 1.0.22 contained a buffer error vulnerability. This vulnerability stemmed from an error in the memmove byte count calculation by the lldpddecode function when stripping the 802.1Q VLAN tag, which could lead...

6.5CVSS5.6AI score0.00225EPSS
Exploits0References1
FreeBSD
FreeBSD
added 2026/06/08 12:0 a.m.72 views

caddy -- multiple vulnerabilities

Caddy project reports: Caddy 2.11.4 contains multiple security fixes. GitHub Security Advisory GHSA-qrp7-cvwr-j2c6 reports: Windows-encoded backslashes in request paths could bypass path-scoped authorization rules before files are served by fileserver. GitHub Security Advisory GHSA-f59h-q822-g45g...

8.1CVSS5.2AI score0.00409EPSS
Exploits3References4
OSV
OSV
added 2026/06/05 5:40 a.m.6 views

BIT-AIRFLOW-2026-40961 Apache Airflow: Open Redirect Bypass Vulnerability

A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the issafeurl check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to apache-airflow 3.2.2 or later. As a defense-in-dept...

7.2CVSS5.5AI score0.00625EPSS
Exploits0References4
OSV
OSV
added 2026/06/04 6:1 p.m.7 views

GHSA-2GCR-MFCQ-WCC3 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Summary app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte...

5.3CVSS5.8AI score0.0026EPSS
Exploits0References5
OSV
OSV
added 2026/06/01 9:16 a.m.9 views

PYSEC-2026-174

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's str.lstrip to the requested path segment when verifying the JWT's sub...

3.1CVSS5.8AI score0.00344EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 3:44 p.m.35 views

CVE-2026-42845 Grav: Anonymous Page Content Overwrite via Form File Upload filename Override

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload GHSA-w4rc-p66m-x6qq. Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions md, yaml...

8.7CVSS5.8AI score0.00622EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.9 views

Grav CMS 安全漏洞

Grav CMS is an open-source file-based content management system developed by Grav. Versions of Grav CMS prior to 9.1.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of path stripping during file uploads and the failure to strictly prevent the extension of page...

8.7CVSS5.8AI score0.00622EPSS
Exploits0References1
Rows per page
Query Builder