CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 3 days ago•27 views

CVE-2026-56282 Capgo - Information Disclosure via Unauthenticated /replication Endpoint

6.9CVSS

NVD•added 4 days ago•7 views

CVE-2026-49357

Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode t...

8.8CVSS

EUVD•added 4 days ago•7 views

EUVD-2026-37960

PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: headers, combined with Starlette's...

8.6CVSS5.8AI score

Exploits0References3

NVD•added 6 days ago•7 views

CVE-2026-48783

Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The...

4.8CVSS0.0017EPSS

Exploits0References4

NVD•added 6 days ago•4 views

CVE-2026-47277

Runtipi is a personal homeserver orchestrator. In versions 4.9.1 through 4.9.3, Runtipi serves marketplace app logos from files inside cloned app-store repositories through an unauthenticated endpoint, which leads to arbitrary file read through app-store logo symlinks. The path guard checks only...

6.5CVSS0.00399EPSS

Cvelist•added last week•21 views

CVE-2026-48783 Postiz has an unauthenticated billing-enforcement bypass via /public/modify-subscription

4.8CVSS0.0017EPSS

Exploits0References4

CVE•added last week•12 views

CVE-2026-48783

CVE-2026-48783 affects Postiz prior to version 2.21.8. An unauthenticated endpoint (/public/modify-subscription) accepted a signed token and applied subscription-enforcement side effects to the organization in the token’s claims without verifying the token’s intended purpose. The endpoint could n...

4.8CVSS5.3AI score0.0017EPSS

Exploits0References4

Positive Technologies•added 2026/06/16 12:0 a.m.•12 views

PT-2026-50122

4.8CVSS5.4AI score0.0017EPSS

Exploits0References5

Positive Technologies•added 2026/06/16 12:0 a.m.•12 views

PT-2026-50119

6.5CVSS5.4AI score0.00399EPSS

Exploits0References3

EUVD•added 2026/06/12 6:44 p.m.•6 views

EUVD-2026-36544

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can...

8.7CVSS5.3AI score0.00359EPSS

Exploits0References1

Github Security Blog•added 2026/06/11 5:10 p.m.•7 views

Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...

5.8AI score0.00047EPSS

Exploits0References3Affected Software1

NVD•added 2026/06/05 7:16 p.m.•10 views

CVE-2026-46395

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...

9.3CVSS0.00189EPSS

EUVD•added 2026/06/05 6:27 p.m.•8 views

EUVD-2026-34886

ATTACKERKB•added 2026/06/05 6:27 p.m.•7 views

CVE-2026-46395

Exploits1References2Affected Software1

Vulnrichment•added 2026/06/05 6:27 p.m.•7 views

CVE-2026-46395 HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation

CVE•added 2026/06/05 6:27 p.m.•20 views

CVE-2026-46395

HAX CMS Node.js backend (before 26.0.0) exposes a critical cryptographic flaw in the hmacBase64() function. It uses a hardcoded signing key of the string "0" and then appends the real key (this.privateKey + this.salt) to the output, producing tokens that reveal the private key when decoded. An un...