Lucene search
K

1383 matches found

RedhatCVE
RedhatCVE
added 2026/03/27 2:23 p.m.9 views

CVE-2021-27931

LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...

9.1CVSS6.8AI score0.18607EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/27 12:38 a.m.26 views

CVE-2026-33890 MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without...

9.3CVSS0.00492EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:9 p.m.5 views

CVE-2026-33281

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected...

7.5CVSS5.8AI score0.00393EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.5 views

CVE-2026-28253

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition...

8.7CVSS5.8AI score0.00307EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/25 4:24 p.m.27 views

CVE-2026-26233 Denial of Service via HTTP/2 single packet attack on login endpoint

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...

4.3CVSS0.00305EPSS
Exploits0References1
CVE
CVE
added 2026/03/25 4:24 p.m.21 views

CVE-2026-26233

CVE-2026-26233 affects Mattermost releases 10.11.x to 11.4.x, where login requests are not rate-limited, enabling unauthenticated remote attackers to cause denial of service via an HTTP/2 single-packet attack with 100+ parallel login requests. No patch/version details are provided in the document...

6.5CVSS5.8AI score0.00305EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/25 12:0 a.m.3 views

CVE-2024-51348

A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33.1.0.0818 allows unauthenticated attackers within network range to overwrite the instruction pointer and achieve Remote Code Execution RCE by sending a specially crafted HTTP request...

6.3AI score0.00408EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/24 6:31 a.m.3 views

EUVD-2026-14735

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the super-unsubscribe AJAX action accepting a processnow parameter from unauthenticated users, which bypasses the intended email-confirmation...

9.1CVSS5.8AI score0.00431EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/03/23 11:49 p.m.4 views

CVE-2026-33283

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing malformed UL NAS Transport NAS messages without a Request Type. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected...

6.5CVSS5.8AI score0.00365EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/03/20 10:37 p.m.12 views

CVE-2026-33204

CVE-2026-33204 affects the PHP library SimpleJWT prior to v1.1.1. An unauthenticated attacker can trigger a Denial of Service by tampering JWE headers when PBES2 algorithms are used, causing excessive PBKDF2 iterations during JWE::decrypt() on attacker-controlled JWEs. The issue is fixed in v1.1....

7.5CVSS5.7AI score0.00481EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/03/20 9:47 p.m.5 views

GHSA-HV36-P4W4-6VMJ AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookiesamesite = 'None' for HTTPS connections, an unauthenticated...

8.8CVSS6.2AI score0.00367EPSS
Exploits1References4
OSV
OSV
added 2026/03/20 11:37 a.m.4 views

BIT-PARSE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server an...

8.7CVSS5.7AI score0.00483EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/18 9:50 p.m.19 views

CVE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...

8.7CVSS0.00483EPSS
Exploits0References3
OSV
OSV
added 2026/03/18 8:19 p.m.2 views

GHSA-HWQM-QVJ9-4JR2 gosaml2 CBC Padding Panic — Unauthenticated Process Crash

Summary The AES-CBC decryption path in DecryptBytes panics on crafted ciphertext whose plaintext is all zero bytes. After decryption, bytes.TrimRightdata, "\x00" empties the slice, then datalendata-1 panics with index out of range -1. There is no recover in the library. The panic propagates throu...

8.7CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.8 views

PT-2026-26181

Name of the Vulnerable Software and Affected Versions libp2p-rust versions prior to 0.49.3 Description The libp2p-rust Gossipsub implementation is susceptible to a remote, unauthenticated denial-of-service condition. The implementation accepts attacker-controlled PRUNE backoff values and performs...

8.7CVSS5.8AI score0.00473EPSS
Exploits0References10
UbuntuCve
UbuntuCve
added 2026/03/13 7:54 p.m.3 views

CVE-2026-23943

Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...

6.9CVSS5.9AI score0.00644EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/03/13 6:57 p.m.16 views

Yamux vulnerable to remote Panic via malformed WindowUpdate credit

Sumary The Rust implementation of Yamux accepts WindowUpdate credit values from the remote peer and applies them to per-stream send-window state. A specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This ...

8.7CVSS6AI score0.00462EPSS
Exploits1References6Affected Software1
EUVD
EUVD
added 2026/03/12 6:30 p.m.6 views

EUVD-2019-19825

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the loguser parameter. Attackers can send crafted requests with malicious SQL statements in the loguser field to extract sensitive database...

8.8CVSS5.9AI score0.00365EPSS
Exploits1References4
NVD
NVD
added 2026/03/10 8:16 p.m.9 views

CVE-2026-29792

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

9.8CVSS0.00519EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/10 8:6 p.m.3 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

9.3CVSS5.8AI score0.00519EPSS
Exploits0References1
Rows per page
Query Builder