Lucene search
K

1445 matches found

CNNVD
CNNVD
added 2026/05/28 12:0 a.m.11 views

Universal Tool Calling Protocol 代码问题漏洞

Universal Tool Calling Protocol is an official Python implementation of the UTCP open-source protocol. Versions of Universal Tool Calling Protocol prior to 1.1.2 had code vulnerabilities. These vulnerabilities stemmed from the @utcp/http package’s blind SRFI vulnerability. The registerManual...

4.7CVSS5.9AI score0.00122EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 6:16 p.m.18 views

CVE-2026-45061

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

7.7CVSS0.00263EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 4:52 p.m.11 views

CVE-2026-48153

Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no...

8.5CVSS5.8AI score0.00174EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/26 8:14 p.m.8 views

CVE-2026-45412

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...

6.3CVSS5.9AI score0.00207EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/26 8:14 p.m.10 views

CVE-2026-45412 MaxKB: Unauthenticated SSRF via Workflow Template Import

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...

6.3CVSS5.9AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 4:13 p.m.17 views

EUVD-2026-31855

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...

4.3CVSS5.8AI score0.00286EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.12 views

MaxKB 代码问题漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.9.1 contained code vulnerabilities. These vulnerabilities stemmed from the work-flowtemplate import feature, where authenticated users could provide...

6.3CVSS6AI score0.00207EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/26 12:0 a.m.15 views

TencentOS Server 3: grafana-pcp (TSSA-2026:0383)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0383 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

7.5CVSS5.9AI score0.00728EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/05/25 4:43 p.m.118 views

Exploit for CVE-2026-33712

CVE-2026-33712 - Typebot Unauthenticated SSRF Description...

10CVSS5.8AI score0.00347EPSS
Exploits1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/21 3:32 p.m.18 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to insufficient validation in url.Parse [CVE-2026-25679]

Summary IBM Watson Speech Services Cartridge is vulnerable to insufficient validation in url.Parse, which may cause acceptance of some invalid URLs CVE-2026-25679. url.Parse is used in our speech utilities. This vulnerabilitiy has been addressed. Please read the details for remediation below...

7.5CVSS7.1AI score0.00728EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.11 views

PT-2026-42686

Impact Some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. Patches The issue is resolved in versions...

5.4CVSS5.7AI score0.0018EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/20 10:54 p.m.32 views

CVE-2026-47782

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation nor...

4.6CVSS0.00132EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/20 10:54 p.m.15 views

CVE-2026-47782

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation nor...

4.6CVSS5.8AI score0.00132EPSS
Exploits0References4Affected Software1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.9 views

Astra Linux – Vulnerability in PHP 7.3

In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14, and 8.0.0, when validating URLs using functions like filtervar$url, FILTERVALIDATEURL, PHP will accept a URL with an invalid password as a valid URL. This may cause functions that rely on the validity of URLs to misinterpret the URL and...

5.3CVSS6.7AI score0.02983EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in PHP 7.3

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21, and 8.0.x below 8.0.8, when using URL validation functionality via the filterVar function with the FILTERVALIDATEURL parameter, a URL with an invalid password field can be accepted as valid. This can cause the code to incorrectly parse the...

5.3CVSS6.8AI score0.01945EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in Python-Django

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are vulnerable to a ReDoS regular expression denial of service attack due to a very large number of domain name labels for emails and URLs...

7.5CVSS7.4AI score0.02978EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in PHP 8.1, PHP 7.3

In PHP versions 8.1. before 8.1.29, and 8.2. before 8.2.20, and 8.3. before 8.3.8, due to a code logic error, filtering functions such as filterVar when validating URLs using FILTERVALIDATEURL will result in invalid user information such as username and password parts of URLs being treated as val...

5.3CVSS6.7AI score0.12117EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.11 views

Siber Systems RoboForm Password Manager 安全漏洞

Siber Systems RoboForm Password Manager is a password manager offered by Siber Systems. There is a security vulnerability in Siber Systems RoboForm Password Manager. This vulnerability arises from insufficient URL validation, user confirmation, or notification when processing Android intentions. ...

4.6CVSS5.8AI score0.00132EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.21 views

Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further...

8.1CVSS5.7AI score0.005EPSS
Exploits0References11Affected Software1
OSV
OSV
added 2026/05/18 3:32 p.m.5 views

GHSA-PF9C-CH8R-2958 Statamic CMS: Server-Side Request Forgery via Glide

Impact The Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References3
Rows per page
Query Builder