Lucene search
K

1315 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-365 TigerVNC accessible via the network and not just via a UNIX socket as intended

Summary jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy were still accessible via the network. This vulnerability does not affect users having...

9CVSS5.8AI score0.0087EPSS
Exploits0References6
NVD
NVD
added 2026/06/26 8:17 p.m.6 views

CVE-2026-52781

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data- attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount ...

6.4CVSS0.0015EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 7:0 p.m.29 views

CVE-2026-52781 OpenProject: Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data- attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount ...

6.4CVSS0.0015EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 7:0 p.m.13 views

CVE-2026-52781

OpenProject CVE-2026-52781 affects the open-source, web-based project management software. Prior to versions 17.3.3 and 17.4.1, the HTML sanitizer allowed elements to have unrestricted data-* attributes via a :data wildcard. An attacker could inject data-controller="poll-for-changes" into a work...

6.4CVSS5.9AI score0.0015EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 7:0 p.m.8 views

CVE-2026-52781

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data- attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount ...

6.4CVSS5.9AI score0.0015EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-52912

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description The HTML sanitizer allows elements to have unrestricted data- attributes through a :data wildcard. An attacker can inject data-controller="poll-for-changes"...

6.4CVSS6.1AI score0.0015EPSS
Exploits0References3
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in libjpeg-turbo

All versions of Libjpeg-turbo have a stack-based buffer overflow in the “transform” component. A remote attacker can send a malformed JPEG file to the service, causing arbitrary code execution or denial of service for the target service...

8.8CVSS7.8AI score0.02728EPSS
Exploits1References2
vulnersOsv
vulnersOsv
added 2026/06/04 3:23 p.m.7 views

31g-form-parser (=1.0.107), @0xmike/web-kit (>=0.0.6 <=0.1.1) +450 more potentially affected by CVE-2026-34077 via turbo-stream (>=1.2.1 <=2.4.1)

turbo-stream NPM version =1.2.1, =0.0.6, =4.0.0, =4.15.0, =0.0.3, =1.4.0, =0.0.1, =1.2.0, =1.2.0, =0.1.0, =1.0.10, =0.0.2, =1.0.0, =0.0.2, =0.0.13 and more Source cves: CVE-2026-34077 Source advisory: OSV:GHSA-RXV8-25V2-QMQ8...

7.5CVSS5.7AI score0.00294EPSS
Exploits0
OSV
OSV
added 2026/06/03 9:3 p.m.11 views

GHSA-49RJ-9FVP-4H2H React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

8.1CVSS5.9AI score0.00416EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/03 9:3 p.m.15 views

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

8.1CVSS5.9AI score0.00416EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/06/02 10:22 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview turbo-stream is an A streaming data transport format that aims to support built-in features such as Promises, Dates, RegExps, Maps, Sets and more. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the serialization algorithm in th...

8.7CVSS5.5AI score0.00294EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/06/02 10:22 p.m.7 views

@0xmike/web-kit (>=0.0.6 <=0.1.1), @abundiko/expo-template (=1.0.0) +316 more potentially affected by CVE-2026-34077 via turbo-stream (=2.4.1)

turbo-stream NPM version =2.4.1 is affected by a known vulnerability. The following packages have a transitive dependency on turbo-stream and may be impacted: - @0xmike/web-kit =0.0.6, =4.0.0, =4.15.0, =1.4.0, =0.0.1, =1.2.0, =1.2.0, =0.1.0, =1.0.10, =1.0.0, =0.0.2, =0.0.1, =1.0.6, =2.1.0 -...

7.5CVSS5.7AI score0.00294EPSS
Exploits0
Snyk
Snyk
added 2026/06/02 10:22 p.m.8 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the turbo-stream component in in Framework Mode. An attacker can execute arbitrary code on the remote server by sending specially crafted external requests that exploit an existing prototype polluti...

9.2CVSS6.1AI score0.00416EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/02 6:18 p.m.36 views

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution RCE through external requests. This attack requires the application code to have an existing prototype pollution...

8.1CVSS0.00416EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/02 6:18 p.m.8 views

CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution RCE through external requests. This attack requires the application code to have an existing prototype pollution...

8.1CVSS6.5AI score0.00416EPSS
Exploits0References1
CVE
CVE
added 2026/06/02 6:18 p.m.147 views

CVE-2026-42211

CVE-2026-42211 affects React Router versions 7.0.0–7.14.1 when used in Framework Mode. A combination of steps could enable a prototype pollution condition that an attacker could leverage in a two-step process to trigger unauthorized remote code execution on the remote server. The issue does not i...

8.1CVSS6.5AI score0.00416EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2026/06/01 9:0 p.m.9 views

Malicious Package

Overview turbo-axios is a malicious package. This package contains malicious code associated with the Epsilon Stealer malware campaign. While this package attempts to impersonate a legitimate performance-enhanced version of the axios HTTP client, there is no connection between the axios project o...

9.8CVSS5.9AI score
Exploits0References2
OSV
OSV
added 2026/05/23 3:53 p.m.8 views

MAL-2026-4695 Malicious code in turbo-axios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client it re-exports the full axios API and reuses axios's repository/homepage metadata in...

6.6AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/23 3:53 p.m.12 views

Malicious code in turbo-axios (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 62503451ade68043379968f3dc4784fdb66424d55422854514e3ba1b10058324 turbo-axios is a typosquat of the popular axios HTTP client it re-exports the full axios API and reuses axios's repository/homepage metadata in...

6.6AI score
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in libjpeg-turbo

Libjpeg-turbo 1.5.2 has a NULL Pointer Dereference issue in files jdpostct.c and jquant1.c, due to a malicious JPEG file...

6.5CVSS6.4AI score0.02365EPSS
Exploits1References2
Rows per page
Query Builder