Lucene search
K

314 matches found

Cvelist
Cvelist
added 5 days ago41 views

CVE-2026-59703 repomix - Local File Inclusion via file:// URL Scheme in Git Clone Endpoint

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file://...

8.7CVSS0.00386EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago36 views

CVE-2026-55431 Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSIONTOKEN placeholder the...

7.7CVSS0.00336EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 7:10 p.m.4 views

EEF-CVE-2026-54889 Unsanitized URL schemes in MDEx Quill Delta output allow javascript: injection (XSS)

Summary Improper Neutralization of Input During Web Page Generation XSS vulnerability in leandrocp mdex allows cross-site scripting via unsanitized URL schemes in Quill Delta output. 'Elixir.MDEx':to\delta/2 converts Markdown into a Quill Delta. 'Elixir.MDEx.DeltaConverter':default\convert\node/3...

5.1CVSS5.7AI score0.0031EPSS
Exploits0References4
NVD
NVD
added 2026/06/23 9:17 p.m.9 views

CVE-2026-53930

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse file:, ftp:, etc. and probing of internal HTTP...

5.1CVSS0.00288EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 7:42 p.m.26 views

CVE-2026-53930 NocoDB: Server-Side Request Forgery via Base Migration URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the base-migration endpoint accepted a caller-supplied URL that the migration worker dereferenced without enforcing protocol or destination, allowing scheme abuse file:, ftp:, etc. and probing of internal HTTP...

5.1CVSS0.00288EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.23 views

PT-2026-51122

Name of the Vulnerable Software and Affected Versions Symfony UX Icons affected versions not specified Description The ux icon Twig function is marked as safe for HTML, which prevents Twig from escaping its output. The Icon::toHtml function inlines SVG source code directly into the page. Because...

6.1CVSS5.5AI score0.00194EPSS
Exploits0References15
Veracode
Veracode
added 2026/06/15 11:24 a.m.11 views

Cross-site Scripting

Nuxt is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient validation of URL schemes in the component, where attacker-controlled values supplied to the to or href props can contain javascript: or vbscript: URLs that are rendered directly into the underlying element,...

5.4CVSS5.6AI score0.00198EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/06/14 11:16 p.m.12 views

CVE-2026-12190

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme. The attack can only be performed from a local environment...

5.3CVSS0.00105EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/14 10:45 p.m.35 views

CVE-2026-12190 Genspark AI Workspace App ai.mainfunc.genspark improper authorization in handler for custom url scheme

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme. The attack can only be performed from a local environment...

5.3CVSS0.00105EPSS
Exploits0References5
CVE
CVE
added 2026/06/14 10:45 p.m.28 views

CVE-2026-12190

The CVE-2026-12190 entry concerns Genspark AI Workspace App version 2.8.4 on Android, affecting the ai.mainfunc.genspark component. The issue is described as improper authorization in the handler for a custom URL scheme, with exploitation limited to a local environment. The provided documents do ...

5.3CVSS5.5AI score0.00105EPSS
Exploits0References5
NVD
NVD
added 2026/06/12 7:16 p.m.21 views

CVE-2026-53407

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

9.8CVSS0.00231EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 5:57 p.m.39 views

CVE-2026-53408

The CVE-2026-53408 vulnerability affects Zoom Workplace: Android before 7.0.4 and iOS before 7.0.3. It is due to Improper Authorization in the Handler for a Custom URL Scheme, enabling an unauthenticated privilege escalation via network access. The CVSSv3.1 base score is 8.1 (High) with Network a...

8.1CVSS5.3AI score0.00211EPSS
Exploits0References1Affected Software2
EUVD
EUVD
added 2026/06/12 5:57 p.m.9 views

EUVD-2026-36523

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

8.1CVSS5.3AI score0.00211EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 5:56 p.m.12 views

CVE-2026-53407

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

8.1CVSS5.3AI score0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 5:56 p.m.33 views

CVE-2026-53407

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

8.1CVSS0.00231EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 3:16 p.m.15 views

CVE-2026-53722

Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application binds attacker-controlled input a...

5.4CVSS0.00198EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 12:30 p.m.20 views

CVE-2026-12065

Groww Android app (Groww Stock, Mutual Fund, Gold App) up to 20260805 is affected due to improper authorization in the WebView URL Handler for a custom URL scheme. The issue is located in an unknown part of the WebView URL handling logic and can be triggered on a physical device. Exploitation sta...

1.8CVSS3.8AI score0.00106EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/06/12 12:30 p.m.8 views

CVE-2026-12065 Groww Stock, Mutual Fund, Gold App WebView URL improper authorization in handler for custom url scheme

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical...

1.8CVSS3.5AI score0.00106EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/12 12:30 p.m.28 views

CVE-2026-12065 Groww Stock, Mutual Fund, Gold App WebView URL improper authorization in handler for custom url scheme

A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical...

1.8CVSS0.00106EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/06/08 11:0 p.m.44 views

PHPSpreadsheet has a patch bypass for CVE-2026-34084

Summary CVE-2026-34084 was patched by the helper File::prohibitWrappers. The helper calls parseurl$filename, PHPURLSCHEME and then checks isstring$scheme && strlen$scheme 1 to reject stream wrappers such as phar://, php://, data:// or expect://. The check is not equivalent to "does the path conta...

9.8CVSS5.7AI score0.00712EPSS
Exploits3References3Affected Software1
Rows per page
Query Builder