Lucene search
K

13117 matches found

CVE
CVE
added 2026/06/12 8:54 p.m.15 views

CVE-2026-53607

Technical details are not publicly available in the provided documents. Monitor for updates and confirm when patched versions or advisories are published.

3.7CVSS5.4AI score0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 8:54 p.m.33 views

CVE-2026-53607 @apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when prettyUrls: true is enabled on @apostrophecms/file a documented SEO feature for serving uploaded files at clean URLs, the public pretty-URL handler builds the upstream URL using the raw...

3.7CVSS0.00226EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:54 p.m.6 views

CVE-2026-53607 @apostrophecms/file pretty-URL Vulnerable to Unauthenticated SSRF via Host header

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when prettyUrls: true is enabled on @apostrophecms/file a documented SEO feature for serving uploaded files at clean URLs, the public pretty-URL handler builds the upstream URL using the raw...

3.7CVSS5.3AI score0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 1:44 p.m.27 views

CVE-2026-53722 Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL

Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application binds attacker-controlled input a...

5.1CVSS0.00198EPSS
Exploits0References3
Circl
Circl
added 2026/06/12 5:0 a.m.10 views

CVE-2026-48612

creationtimestamp| type| source ---|---|--- 2026-06-12 05:00:18+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mo2xh6tipn24 2026-06-12 05:19:31+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mo2yjlei6u2g...

8CVSS7.8AI score0.0012EPSS
Exploits0References2
Veracode
Veracode
added 2026/06/12 3:22 a.m.14 views

Information Exposure

Element Call is vulnerable to Information Exposure. The vulnerability is due to analytics data including full page URLs and URL fragments being sent to a configured PostHog server, which allows an attacker with access to the analytics data to obtain sensitive information such as call encryption...

5.2AI score0.00023EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.10 views

PT-2026-49031

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.2 Description An issue in message.action forwarding allows model-controlled metadata to forward action payloads containing Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept...

6.5CVSS5.2AI score0.00254EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-48991

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.31.0 Description When the prettyUrls: true setting is enabled on the @apostrophecms/file module, the public pretty-URL handler constructs an upstream URL using the raw Host HTTP request header. This URL is the...

3.7CVSS5.3AI score0.00226EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 p.m.11 views

CVE-2026-52750

Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click...

8.4CVSS5.9AI score0.00503EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/11 1:53 p.m.9 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS7.8AI score0.00728EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/06/11 1:40 p.m.9 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS7.7AI score0.00728EPSS
Exploits0References8
OSV
OSV
added 2026/06/11 1:26 p.m.7 views

GHSA-6VHH-4XW6-H2H2 Element Call reports full URLs of visited pages to analytics server

Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initialpersoninfo, $sessionentryurl, and $currenturl were found ...

8.6CVSS5.5AI score0.00023EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/11 12:38 p.m.16 views

EUVD-2026-36240

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to...

5.3CVSS5.5AI score0.00189EPSS
Exploits0References1
NVD
NVD
added 2026/06/11 10:16 a.m.11 views

CVE-2026-5497

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory OOM Denial of Service DoS attack due to unbounded frame count processing in the VideoMediaIO.loadbase64 method. When processing video/jpeg data URLs, the method splits the base64 data string on commas to extract individual JPEG fram...

7.5CVSS0.00597EPSS
Exploits1References5
CVE
CVE
added 2026/06/11 8:31 a.m.64 views

CVE-2026-5497

CVE-2026-5497 affects vLLM 0.8.0 and later, where VideoMediaIO.load_base64() can perform unbounded frame processing for video/jpeg data URLs, leading to an Out-of-Memory DoS. An attacker can craft a single API request with thousands of comma-separated base64 JPEG frames, causing the server to dec...

7.5CVSS5.5AI score0.00597EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.16 views

PT-2026-48683

Impact Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, when configured to by a posthog key in config.json or by the posthogApiHost and posthogApiKey URL parameters. Several fields of this data $initial person info, $session entry url, and $current url were...

8.6CVSS5.5AI score0.00023EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.14 views

ClipBucket V5 操作系统命令注入漏洞

ClipBucket V5 is a video hosting platform developed by MacWarrior’s individual developers. Versions of ClipBucket V5 prior to 5.5.3 – including version 140 – contained an operating system command injection vulnerability. This vulnerability stemmed from the remote playback feature allowing direct...

9.8CVSS5.6AI score0.00603EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 5:38 p.m.9 views

EUVD-2026-36075

FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead...

8.1CVSS6.2AI score0.00568EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/10 5:15 p.m.11 views

EUVD-2026-36080

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic...

5.7CVSS5.4AI score0.00252EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 3:51 p.m.8 views

EUVD-2026-36067

Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0...

2.3CVSS5.4AI score0.00286EPSS
Exploits0References2
Rows per page
Query Builder