590 matches found

EUVD
added 1 hour ago

EUVD-2026-37811

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords...

CVSS 7.5 | AI score 5.3 | EPSS 0.00185
Exploits 0 | References 4
EUVD
added 1 hour ago

EUVD-2026-37806

Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch...

CVSS 7.5 | AI score 5.4 | EPSS 0.00339
Exploits 0 | References 4
Debian CVE
added 3 days ago

CVE-2026-13676

fast-uri versions 2.3.1 through 3.1.2 and 4.0.0 fail to canonicalize Unicode IDN hostnames for HTTP-family URLs. The IDN conversion path calls a helper that does not exist on the global URL constructor, silently leaving the host in its original Unicode form while normalize and equal still return...

CVSS 7.5 | AI score 5.8 | EPSS 0.00278
Exploits 0
Github Security Blog
added 6 days ago

semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin

Impact: semantic-router versions 0.1.8 through 0.1.14 declare litellm>=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel. The malicious litellm==1.82....

CVSS 9.8 | AI score 6.2 | EPSS 0.84518
Exploits 7 | References 2 | Affected software 1
RedhatCVE
added 2026/06/24 8:21 p.m.

CVE-2023-54365

A flaw was found in Traefik's HTTP/2 request handling. A remote attacker can exploit this vulnerability by rapidly creating and canceling HTTP/2 streams. This can exhaust server resources, leading to a denial of service (DoS) and making the service unavailable to legitimate users. This issue is...

CVSS 8.7 | AI score 5.9 | EPSS 0.00562
Exploits 0 | References 5
CVE
added 2026/06/19 8:23 p.m.

CVE-2026-48794

CVE-2026-48794 affects Authelia (versions 4.36.0–4.39.19). A domain canonicalization edge case can cause an access control rule to be skipped when it should match a request, under very specific conditions involving forwarded authorization, multi-segment subdomains (e.g., a.b.example.com vs exampl...

CVSS 2.3 | AI score 5.8 | EPSS 0.00283
Exploits 0 | References 2
EUVD
added 2026/06/19 2:34 p.m.

EUVD-2026-37758

undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching...

CVSS 3.7 | AI score 5.8 | EPSS 0.00248
Exploits 0 | References 3
Github Security Blog
added 2026/06/19 2:20 p.m.

undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse

Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This cause...

CVSS 8.8 | AI score 6.4 | EPSS 0.00277
Exploits 0 | References 5 | Affected software 1
AstraLinux
added 2026/06/19 11:10 a.m.

Astra Linux – Vulnerability in node-moment

moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Versions of moment that were affected use an inefficient parsing algorithm. Specifically, the string-to-date parsing method used by moment (more precisely, the rfc2822 parsing method), which is used by...

CVSS 7.5 | AI score 6.4 | EPSS 0.03949
Exploits 1 | References 1
AstraLinux
added 2026/06/19 11:10 a.m.

Astra Linux – Vulnerability in net-snmp

Net-SNMP provides various tools related to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials could use a malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable to cause a NULL pointer dereference. Version 5.9.2 includes a patch to address...

CVSS 6.5 | AI score 6.8 | EPSS 0.01131
Exploits 0 | References 2
OSV
added 2026/06/18 2:28 p.m.

GHSA-PR7R-676H-XCF6 undici vulnerable to cross-user information disclosure via shared cache whitespace bypass

Impact: Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding...

CVSS 5.9 | AI score 5.3 | EPSS 0.00374
Exploits 0 | References 4
CVE
added 2026/06/17 9:46 p.m.

CVE-2026-50201

CVE-2026-50201: Steeltoe's sensitive actuators (heapdump, environment, thread dump) default to EndpointPermissions.Restricted in Steeltoe.Management.Endpoint (pre-4.2.0) and Steeltoe.Management.EndpointCore (pre-3.4.0), mapping to CF read_basic_data. Sensitive endpoints are not upgraded to Endpoi...

CVSS 6.5 | AI score 5.2 | EPSS 0.00231
Exploits 0 | References 3
NVD
added 2026/06/17 6:18 p.m.

CVE-2026-9697

Impact: undici's ProxyAgent silently drops the requestTls option when configured with a SOCKS5 proxy URI (socks5:// or socks://). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured ca, cert, key, rejectUnauthorized, and servernam...

CVSS 7.4 | EPSS 0.00375
Exploits 0 | References 9
Cvelist
added 2026/06/17 4:36 p.m.

CVE-2026-6734 undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse

Impact: When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This caus...

CVSS 7.5 | EPSS 0.00277
Exploits 0 | References 2
Positive Technologies
added 2026/06/17 12:0 a.m.

PT-2026-50515

Name of the vulnerable software and affected versions: undici versions prior to 7.28.0; undici versions prior to 8.5.0
Description: The cache interceptor incorrectly classifies certain responses as cacheable when the upstream Cache-Control header contains whitespace-padded qualified private or...

CVSS 5.9 | AI score 7 | EPSS 0.00374
Exploits 0 | References 55
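Both the GHSA-PR7R-676H-XCF6 entry above and PT-2026-50515 describe the same parsing mistake: a qualified `private="..."` or `no-cache="..."` directive is split on commas and the surrounding whitespace is kept, so `" authorization"` never matches the `authorization` response header and the response is stored in a cache shared between users. The block below is an added example, not undici's cache interceptor. It implements a small Cache-Control directive parser following RFC 9111 (quoted-string arguments, comma-separated field names, case-insensitive names, optional whitespace around each name), keeps a deliberately naive field-name splitter beside a hardened one so the two classifications can be compared, and treats a qualified `no-cache` as non-shareable, which is a conservative simplification chosen for the example.

```javascript
// Added example (not undici's code): Cache-Control qualified-directive parsing and a
// shared-cache storability check that is robust to whitespace-padded field names.

// Split a Cache-Control value into a Map of directive name -> argument (null if none).
// Commas inside quoted-strings do not separate directives; quotes and backslash
// escapes are removed from the argument.
function parseDirectives(cacheControl) {
  const parts = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < cacheControl.length; i++) {
    const ch = cacheControl[i];
    if (ch === '"') { inQuote = !inQuote; cur += ch; continue; }
    if (ch === '\\' && inQuote && i + 1 < cacheControl.length) { cur += ch + cacheControl[++i]; continue; }
    if (ch === ',' && !inQuote) { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);

  const directives = new Map();
  for (const raw of parts) {
    const d = raw.trim();
    if (!d) continue;
    const eq = d.indexOf('=');
    const name = (eq === -1 ? d : d.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : d.slice(eq + 1).trim();
    if (value !== null && value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1).replace(/\\(.)/g, '$1'); // unescape quoted-string
    }
    directives.set(name, value);
  }
  return directives;
}

// Naive field-name list, modelled on the bug described above: names keep their
// surrounding whitespace and case, so " authorization" !== "authorization".
function fieldListNaive(value) {
  return value === null ? [] : value.split(',');
}

// Hardened field-name list: strip OWS (SP / HTAB) around each name, fold case,
// drop empty entries.
function fieldListStrict(value) {
  if (value === null) return [];
  return value
    .split(',')
    .map((s) => s.replace(/^[ \t]+|[ \t]+$/g, '').toLowerCase())
    .filter(Boolean);
}

// May this response be stored in a shared cache and served to other users?
// responseHeaders: object of header name -> value as received from upstream.
// fieldList: the splitter to use (fieldListNaive reproduces the vulnerable result).
function isShareable(cacheControl, responseHeaders, fieldList = fieldListStrict) {
  const d = parseDirectives(cacheControl);
  if (d.has('no-store')) return false;
  if (d.has('private') && d.get('private') === null) return false; // bare "private"
  for (const directive of ['private', 'no-cache']) {
    if (!d.has(directive)) continue;
    const names = new Set(fieldList(d.get(directive)));
    for (const header of Object.keys(responseHeaders)) {
      // A named per-user field is present: do not share this response as-is.
      if (names.has(header.toLowerCase())) return false;
    }
  }
  return true;
}

module.exports = { parseDirectives, fieldListNaive, fieldListStrict, isShareable };
```

With a constructed response carrying an `authorization` header, `isShareable('max-age=60, private=" authorization"', headers, fieldListNaive)` returns `true` (the vulnerable classification) while the same call with `fieldListStrict` returns `false`.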
Positive Technologies
added 2026/06/17 12:0 a.m.

PT-2026-50565

Name of the vulnerable software and affected versions: Steeltoe.Management.Endpoint versions prior to 4.2.0; Steeltoe.Management.EndpointCore versions prior to 3.4.0
Description: Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which maps to Cloud Foundry's read_basic_data...

CVSS 6.5 | AI score 5.8 | EPSS 0.00231
Exploits 0 | References 7
Positive Technologies
added 2026/06/16 12:0 a.m.

PT-2026-50176

Name of the vulnerable software and affected versions: n8n versions prior to 2.25.7; n8n versions prior to 2.26.2
Description: An authenticated user with permissions to create or modify workflows can provide crafted parameters to the TimescaleDB and legacy Postgres v1 nodes. This allows arbitrary SQ...

CVSS 9.9 | AI score 6.2 | EPSS 0.00394
Exploits 0 | References 6
OSV
added 2026/06/15 5:14 p.m.

GHSA-4X5R-PXFX-6JF8 @babel/core: Arbitrary File Read via sourceMappingURL Comment

Impact: Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if these conditions are all true:
- the attacker controls the input source code
- the attacker can read the output source code
- the attacker knows the...

CVSS 3.2 | AI score 5.4 | EPSS 0.00116
Exploits 0 | References 3
Github Security Blog
added 2026/06/11 8:26 p.m.

DevGuard has improper authorization on public assets

Impact: On a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create, update, reapply, and delete VEX rules on those public assets. The same flaw affects the oth...

CVSS 7.1 | AI score 5.5 | EPSS 0.00235
Exploits 0 | References 3 | Affected software 1
Github Security Blog
added 2026/06/11 1:28 p.m.

python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood

Impact: AsyncListener.handle_query_or_defer retained every truncated (TC-bit) incoming query in self._deferred[addr] and armed a per-addr timer in self._timers[addr] that flushed the reassembled query within 500 ms (RFC 6762 §18.5). Neither the per-addr list nor the number of distinct addr keys was capped, and...

AI score 5.7 | EPSS 0.00018
Exploits 0 | References 4 | Affected software 1
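The entry above describes two missing bounds: the per-source list of deferred truncated queries and the number of distinct source addresses, each of which a sender with spoofed source addresses can grow at will. The block below is an added example of a bounded deferral buffer, written as a standalone JavaScript model rather than python-zeroconf's code; the cap values (32 messages per source, 256 sources), the eviction policy (drop the oldest pending source when a new one arrives at the cap) and the injectable timer functions are assumptions for the example.

```javascript
// Added example (a model, not python-zeroconf's code): a buffer for truncated (TC-bit)
// mDNS queries that must be held until the continuation arrives or a flush timer fires
// (500 ms per RFC 6762 §18.5), with both the per-source list and the number of
// distinct sources capped so a spoofed-source flood cannot exhaust memory.
class TcDeferralBuffer {
  constructor({ maxPerAddr = 32, maxAddrs = 256, flushMs = 500, onFlush = () => {},
                schedule = setTimeout, cancel = clearTimeout } = {}) {
    this.maxPerAddr = maxPerAddr;   // assumption: cap on deferred messages per source
    this.maxAddrs = maxAddrs;       // assumption: cap on distinct sources held at once
    this.flushMs = flushMs;
    this.onFlush = onFlush;         // called with (addr, msgs) when a source is flushed
    this.schedule = schedule;       // injectable for testing without real timers
    this.cancel = cancel;
    this.deferred = new Map();      // addr -> { msgs, timer }; insertion order = oldest first
    this.drops = { addrLimit: 0, perAddrLimit: 0 };
  }

  // Queue one truncated query from addr. Returns true if kept, false if dropped.
  defer(addr, msg) {
    let entry = this.deferred.get(addr);
    if (!entry) {
      if (this.deferred.size >= this.maxAddrs) {
        // Bound the number of distinct sources: evict the oldest pending source.
        // This keeps memory bounded under a spoofed-source flood at the cost of
        // losing that source's partial query, which is the lesser harm here.
        const [oldest] = this.deferred.keys();
        this.drop(oldest);
        this.drops.addrLimit++;
      }
      entry = { msgs: [], timer: null };
      this.deferred.set(addr, entry);
    }
    if (entry.msgs.length >= this.maxPerAddr) {
      // Bound the per-source list: drop the excess message instead of growing it.
      this.drops.perAddrLimit++;
      return false;
    }
    entry.msgs.push(msg);
    // (Re)arm the timer so the reassembled query is processed within flushMs.
    if (entry.timer !== null) this.cancel(entry.timer);
    entry.timer = this.schedule(() => this.flush(addr), this.flushMs);
    return true;
  }

  // Hand the accumulated messages for addr to onFlush and forget them.
  flush(addr) {
    const entry = this.deferred.get(addr);
    if (!entry) return [];
    this.drop(addr);
    this.onFlush(addr, entry.msgs);
    return entry.msgs;
  }

  // Discard everything held for addr and cancel its timer.
  drop(addr) {
    const entry = this.deferred.get(addr);
    if (!entry) return;
    if (entry.timer !== null) this.cancel(entry.timer);
    this.deferred.delete(addr);
  }

  pendingAddrs() { return this.deferred.size; }

  pendingMessages() {
    let n = 0;
    for (const entry of this.deferred.values()) n += entry.msgs.length;
    return n;
  }
}

module.exports = { TcDeferralBuffer };
```

To exercise it offline, pass a fake `schedule`/`cancel` pair that records callbacks instead of arming real timers; a loop that calls `defer` with thousands of constructed distinct source addresses then leaves `pendingAddrs()` at `maxAddrs` and the live timer count equal to the number of held sources.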