Lucene search
K

1393 matches found

OSV
OSV
added 2026/03/20 9:47 p.m.5 views

GHSA-HV36-P4W4-6VMJ AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookiesamesite = 'None' for HTTPS connections, an unauthenticated...

8.8CVSS6.2AI score0.00367EPSS
Exploits1References4
OSV
OSV
added 2026/03/20 11:37 a.m.4 views

BIT-PARSE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server an...

8.7CVSS5.7AI score0.00483EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/18 9:50 p.m.20 views

CVE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...

8.7CVSS0.00483EPSS
Exploits0References3
OSV
OSV
added 2026/03/18 8:19 p.m.2 views

GHSA-HWQM-QVJ9-4JR2 gosaml2 CBC Padding Panic — Unauthenticated Process Crash

Summary The AES-CBC decryption path in DecryptBytes panics on crafted ciphertext whose plaintext is all zero bytes. After decryption, bytes.TrimRightdata, "\x00" empties the slice, then datalendata-1 panics with index out of range -1. There is no recover in the library. The panic propagates throu...

8.7CVSS5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.8 views

PT-2026-26181

Name of the Vulnerable Software and Affected Versions libp2p-rust versions prior to 0.49.3 Description The libp2p-rust Gossipsub implementation is susceptible to a remote, unauthenticated denial-of-service condition. The implementation accepts attacker-controlled PRUNE backoff values and performs...

8.7CVSS5.8AI score0.00473EPSS
Exploits0References10
UbuntuCve
UbuntuCve
added 2026/03/13 7:54 p.m.3 views

CVE-2026-23943

Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...

6.9CVSS5.9AI score0.00644EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/03/13 6:57 p.m.16 views

Yamux vulnerable to remote Panic via malformed WindowUpdate credit

Sumary The Rust implementation of Yamux accepts WindowUpdate credit values from the remote peer and applies them to per-stream send-window state. A specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This ...

8.7CVSS6AI score0.00462EPSS
Exploits1References6Affected Software1
EUVD
EUVD
added 2026/03/12 6:30 p.m.6 views

EUVD-2019-19825

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the loguser parameter. Attackers can send crafted requests with malicious SQL statements in the loguser field to extract sensitive database...

8.8CVSS5.9AI score0.00365EPSS
Exploits1References4
NVD
NVD
added 2026/03/10 8:16 p.m.9 views

CVE-2026-29792

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

9.8CVSS0.00519EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/10 8:6 p.m.3 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

9.3CVSS5.8AI score0.00519EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/03/10 12:0 a.m.4 views

Fortinet FortiAnalyzer Lack of TLS Certificate Validation during initial SSO Authentication (FG-IR-26-078)

The version of FortiAnalyzer installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-26-078 advisory. - A improper certificate validation vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0...

6.9CVSS5.9AI score0.00185EPSS
Exploits0References2
NVD
NVD
added 2026/03/07 5:15 p.m.5 views

CVE-2026-30860

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution RCE vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within...

9.9CVSS0.00539EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/07 9:30 a.m.6 views

EUVD-2026-10128

The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

4.3CVSS5.6AI score0.00126EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/06 3:4 p.m.30 views

CVE-2026-2752

Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and...

5.3CVSS0.00261EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/05 7:31 p.m.6 views

CVE-2026-20149

A vulnerability in Cisco Webex could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack. Cisco has addressed this vulnerability, and no customer action is needed. This vulnerability was due to improper filtering of user-supplied input. Prior to this...

6.1CVSS5.8AI score0.00235EPSS
Exploits0References1
OSV
OSV
added 2026/03/04 10:53 p.m.3 views

GHSA-6RX5-M2RC-HMF7 ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover

Summary A vulnerability in Zitadel's login V2 interface was discovered, allowing for possible account takeover. Impact Zitadel allows organization administrators to change the default redirect URI for their organization. This setting enables them to redirect users to an arbitrary location after...

7.7CVSS6.2AI score0.00318EPSS
Exploits0References4
NVD
NVD
added 2026/03/04 7:16 p.m.6 views

CVE-2026-20022

A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition when OSPF canonicalization debug is enabled by using the...

6.5CVSS0.00194EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/04 6:35 p.m.34 views

CVE-2026-20022

A vulnerability in the OSPF protocol of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition when OSPF canonicalization debug is enabled by using the...

6.1CVSS0.00194EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/04 5:15 p.m.4 views

CVE-2019-25504 NCrypted Jobgator Lastest SQL Injection via agents Find-Jobs

NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can send POST requests to the agents Find-Jobs endpoint with malicious experience values to extract...

8.8CVSS6.1AI score0.00237EPSS
Exploits0References2
CVE
CVE
added 2026/03/04 5:15 p.m.9 views

CVE-2019-25500

Simple Job Script is affected by an SQL injection in the employerid parameter of the register-recruiters endpoint. Attackers can send unauthenticated POST requests to manipulate queries, potentially exposing sensitive data (C: HIGH) and altering data (I: LOW). Affected vector is network with low ...

8.8CVSS6.1AI score0.00294EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder