Lucene search
K

44 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.9 views

CVE-2026-44719

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a databaseid without verifying that the requesting user was a collaborator on that...

5.3CVSS5.5AI score0.00278EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/01 4:53 p.m.14 views

EUVD-2026-33708

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the fileslock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or...

6.3CVSS5.7AI score0.00211EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/05/30 5:37 a.m.269 views

RestroPress-WordPress-Plugin-Sensitive-API-Key-amp-Token-Exposure-Vulnerability-Exploitation

📌 Overview CVE-2025-9209 is a critical information disclo...

9.8CVSS7.2AI score0.02196EPSS
Exploits6
Snyk
Snyk
added 2026/05/29 5:16 p.m.8 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via host resolution in the CLI authentication layer. An attacker can obtain authentication tokens intended for GitHub or GitHub Enterprise by causing authenticated requests to be sent to external hosts, as the ho...

9.1CVSS5.4AI score0.00289EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 3:8 a.m.5 views

Incorrect Authorization

Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An...

7.1CVSS5.5AI score0.00214EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.7 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Cvelist
Cvelist
added 2026/05/15 6:45 p.m.41 views

CVE-2026-46407 Vvveb: admin/auth-token IDOR allows unauthorized disclosure of administrator REST API tokens

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator to load another administrator's REST API token list by supplying that user's adminid. This can...

8.1CVSS0.00218EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/13 3:36 p.m.7 views

CVE-2026-44479 Vercel: Non-interactive mode includes CLI arguments in suggested command output

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode --non-interactive or auto-detected AI agent, commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the us...

5.5CVSS5.8AI score0.0016EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/18 7:22 a.m.7 views

CVE-2026-31987

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to Airflow version that contains fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...

7.5CVSS5.7AI score0.00739EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.5 views

CVE-2026-35185

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

8.7CVSS5.9AI score0.00355EPSS
Exploits1References1
OSV
OSV
added 2026/03/23 6:17 p.m.12 views

CVE-2026-33512 AVideo has an unauthenticated decrypt oracle leaking any ciphertext

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly e.g., view/url2Embed.json.php, so any user can recover...

7.5CVSS5.8AI score0.00234EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/20 6:19 p.m.5 views

EUVD-2026-13748

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over...

8.7CVSS5.8AI score0.00204EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/13 12:0 a.m.8 views

PT-2026-25366

LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, The MCP Model Context Protocol OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redire...

7.6CVSS5.8AI score0.00244EPSS
Exploits1References8
Cvelist
Cvelist
added 2026/03/09 8:18 a.m.36 views

CVE-2025-41772 wwwupdate.cgi Session token in URL

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR...

7.5CVSS0.00318EPSS
Exploits0References1
CVE
CVE
added 2026/03/09 8:18 a.m.14 views

CVE-2025-41772

The CVE-2025-41772 entry concerns the wwwupdate.cgi endpoint in UBR, where session tokens are exposed in plaintext in URL parameters. An unauthenticated remote attacker can obtain valid session tokens via the URL, enabling potential session hijacking. The connected CVE records confirm the vulnera...

7.5CVSS5.8AI score0.00318EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/09 12:0 a.m.6 views

PT-2026-24038

Name of the Vulnerable Software and Affected Versions UBR affected versions not specified Description An unauthenticated remote attacker can obtain valid session tokens. These tokens are exposed in plaintext within the URL parameters of the ''wwwupdate.cgi'' endpoint. The issue involves the...

7.5CVSS5.8AI score0.00318EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/02/19 3:25 a.m.4 views

CVE-2025-11754 Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin...

7.5CVSS5.3AI score0.00369EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/12 9:54 p.m.3 views

CVE-2026-22794 Account Takeover Vulnerability in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.93, the server uses the Origin value from the request headers as the email link baseUrl without validation. If an attacker controls the Origin, password reset / email verification links in emails can be...

9.6CVSS6.7AI score0.00393EPSS
Exploits3References2
Tenable Nessus
Tenable Nessus
added 2025/12/10 12:0 a.m.11 views

Jenkins LTS < 2.528.3 / Jenkins weekly < 2.541 Multiple Vulnerabilities

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.528.3 or Jenkins weekly prior to 2.541. It is, therefore, affected by multiple vulnerabilities: - A cross-site request forgery CSRF vulnerability in Jenkins 2.540 a...

7.5CVSS7.6AI score0.00506EPSS
Exploits0References5
OSV
OSV
added 2025/11/20 3:30 p.m.3 views

GHSA-62VX-HPCR-M9CH @perfood/couch-auth may expose session tokens, passwords

Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...

8.7CVSS6.7AI score0.00182EPSS
Exploits0References4
Rows per page
Query Builder