Lucene search
+L

607 matches found

Github Security Blog
Github Security Blog
added 2026/05/06 11:14 p.m.8 views

axonflow-sdk-python: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...

5.8AI score
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.11 views

PT-2026-37244

Name of the Vulnerable Software and Affected Versions JupyterHub versions 4.1.0 through 5.4.4 Description XSRF protection inappropriately treated requests containing the Sec-Fetch-Mode: no-cors header as same-origin requests, allowing the bypass of XSRF checks. This affects HTTP form endpoints,...

5.4CVSS5.8AI score0.00159EPSS
Exploits1References15
OSV
OSV
added 2026/04/29 7:0 p.m.2 views

CVE-2026-7400 geekgod382 filesystem-mcp-server read_file_tool/write_file_tool server.py is_path_allowed path traversal

A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function ispathallowed of the file server.py of the component readfiletool/writefiletool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has be...

6.9CVSS6.5AI score0.0043EPSS
Exploits0References9
CVE
CVE
added 2026/04/27 3:15 p.m.23 views

CVE-2026-7135

GPAC MP4Box contains a local-out-of-bounds read in the function elng_box_read (src/isomedia/box_code_base.c). Affected version range is GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. The vulnerability is triggered by manipulating the elng argument and may enable an attacker to leverage a local ex...

5.3CVSS5.3AI score0.00113EPSS
Exploits0References7
OSV
OSV
added 2026/04/27 3:15 p.m.2 views

CVE-2026-7135 GPAC MP4Box box_code_base.c elng_box_read out-of-bounds

A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elngboxread of the file src/isomedia/boxcodebase.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack...

4.8CVSS5.4AI score0.00113EPSS
Exploits0References9
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/23 6:51 a.m.4 views

Security Bulletin: Due to use of spring-security-web-6.5.8.jar, IBM Sterling Connect:Direct Web Services is affected by missing HTTP header in response issue.

Summary spring-security-web-6.5.8.jar is used by IBM Sterling Connect:Direct Web Services CVE-2026-22732. Vulnerability Details CVEID:CVE-2026-22732 DESCRIPTION: When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP...

9.1CVSS5.7AI score0.0048EPSS
Exploits2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/18 1:14 a.m.11 views

Zebra has rk Identity Point Panic in Transaction Verification

rk Identity Point Panic in Transaction Verification Summary Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity a "zero" value, however, the orchard crate which is used to verify...

9.2CVSS5.7AI score0.00268EPSS
Exploits0References3Affected Software2
EUVD
EUVD
added 2026/04/16 1:3 a.m.5 views

EUVD-2026-22881

@fastify/express has a middleware authentication bypass via URL normalization gaps duplicate slashes and semicolons...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/15 9:29 a.m.33 views

CVE-2026-33808 @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

9.1CVSS0.00483EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.5 views

PT-2026-32055

Name of the Vulnerable Software and Affected Versions pypdf versions prior to 6.10.0 Description Manipulated XMP metadata entity declarations can exhaust RAM. An attacker can craft a PDF that leads to large memory usage when the XMP metadata is parsed. Recommendations Update to version 6.10.0. As...

6.9CVSS5.7AI score0.00423EPSS
Exploits0References25
NVD
NVD
added 2026/04/06 10:16 p.m.8 views

CVE-2026-5708

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio RES prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with...

8.8CVSS0.00841EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.7 views

PT-2026-30761

Name of the Vulnerable Software and Affected Versions Strawberry GraphQL versions through 0.312.3 Description Strawberry GraphQL is susceptible to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify completion of a connection ini...

7.5CVSS5.2AI score0.00424EPSS
Exploits0References11
Github Security Blog
Github Security Blog
added 2026/04/03 9:35 p.m.10 views

Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims

Summary An authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrnameclaim, this gives users control over their username and the possibility of account takeover. Impact This...

8.8CVSS5.9AI score0.00438EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 9:25 p.m.8 views

Payload has Authenticated SSRF via Upload Functionality

Impact An authenticated Server-Side Request Forgery SSRF vulnerability existed in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. Consumers are affected if ALL of...

7.7CVSS5.9AI score0.00296EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/01 9:24 p.m.3 views

GHSA-MMXC-95CH-2J7C @payloadcms/next has Stored XSS in Admin Panel

Impact A stored Cross-site Scripting XSS vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. Consumers are affected if ALL of these are true: - Payload version v3.78...

8.7CVSS5.9AI score0.00286EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/30 5:17 p.m.24 views

go-git: Maliciously crafted idx file can cause asymmetric memory consumption

Impact A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service DoS condition. Exploitation requires write access to the local repository's .git directory, it...

5CVSS5.8AI score0.00147EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.7 views

PT-2026-29159

Name of the Vulnerable Software and Affected Versions go-git versions 5.0.0 through 5.17.0 Description A crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service DoS condition. Exploitation requires write access to the...

5CVSS5.9AI score0.00201EPSS
Exploits0References184
Positive Technologies
Positive Technologies
added 2026/03/29 12:0 a.m.10 views

PT-2026-28753

Name of the Vulnerable Software and Affected Versions Tenda FH1201 version 1.2.0.14408 Description A flaw exists in the Tenda FH1201 router that allows remote attackers to trigger a stack-based buffer overflow. The issue is located within the WrlclientSet function of the /goform/WrlclientSet file...

9CVSS6.4AI score0.00655EPSS
Exploits1References8
EUVD
EUVD
added 2026/03/27 8:25 p.m.7 views

EUVD-2026-16817

Gematik Authenticator securely authenticates users for login to digital health applications. Versions prior to 4.16.0 are vulnerable to authentication flow hijacking, potentially allowing attackers to authenticate with the identities of victim users who click on a malicious deep link. Update...

9.3CVSS5.9AI score0.00265EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/26 6:28 p.m.6 views

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

Impact An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such responses inline on the n8n origin without Content-Disposition or Content-Security-Policy...

9CVSS5.9AI score0.00249EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder