Lucene search
K

623 matches found

Snyk
Snyk
added 2026/03/30 5:40 p.m.4 views

Race Condition

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition in the handling of concurrent LiveQuery subscribers due to shared mutable state. An attacker can access...

8.2CVSS5.9AI score0.00367EPSS
Exploits0References2
NVD
NVD
added 2026/03/25 7:16 p.m.5 views

CVE-2026-33720

n8n is an open source workflow automation platform. Prior to version 2.8.0, when the N8NSKIPAUTHONOAUTHCALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an...

6.3CVSS0.0018EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/25 6:6 p.m.7 views

CVE-2026-33720

n8n is an open source workflow automation platform. Prior to version 2.8.0, when the N8NSKIPAUTHONOAUTHCALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an...

6.3CVSS5.8AI score0.0018EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/03/20 8:45 p.m.12 views

Information Exposure

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the watch parameter in LiveQuery subscriptions targeting protected fields. An attacker can infer...

6.3CVSS5.8AI score0.00316EPSS
Exploits0References2
OSV
OSV
added 2026/03/18 5:26 p.m.6 views

GHSA-46FP-8F5P-PF2M Improper detection of disallowed URIs by Loofah `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

6.9CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/03/18 4:41 a.m.4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the proxy module due to blindly trusting ExternalIPs/LoadBalancer IPs. An attacker can redirect cluster-wide network traffic or disrupt DNS services by assigning arbitrary external IPs or loadBalancer IPs withou...

7.1CVSS6AI score0.00297EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/16 4:7 p.m.24 views

CVE-2026-4270 AWS API MCP File Access Restriction Bypass

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions = 0.2.14 and 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To...

6.8CVSS0.00131EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/13 3:47 p.m.5 views

OpenClaw: Channel commands could bypass account-scoped `configWrites` restrictions

Summary In affected versions of openclaw, channel-initiated config mutations were authorized against the originating account's configWrites policy but did not consistently re-check the targeted account scope. An authorized sender on one account could mutate protected sibling-account configuration...

5.9AI score
Exploits0References3Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/03/10 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-24308

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information...

7.5CVSS7.1AI score0.01177EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/05 9:24 p.m.2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the dashboard and API endpoints. An attacker can access sensitive action metadata, including titles, IDs, icons, and argument details, by sending crafted requests as an authenticated user with restricted view...

6.5CVSS5.8AI score0.00417EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 8:42 p.m.3 views

Improper Handling of Insufficient Permissions or Privileges

Overview Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges incomplete revocation of API key permissions during the user demotion process. An attacker can maintain unauthorized access to upload-request management and log viewing endpoin...

5.4CVSS5.8AI score0.00116EPSS
Exploits0References2
OSV
OSV
added 2026/03/05 12:20 a.m.6 views

GHSA-95V5-PRP4-5GV5 Backstage vulnerable to potential reading of SCM URLs using built in token

Impact A vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended...

2.7CVSS5.9AI score0.00348EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/03/02 12:21 p.m.6 views

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that report metrics are vulnerable to loss of confidentiality (CVE-2025-13490)

Summary When an IBM App Connect Enterprise Certified Container IntegrationRuntime or IntegrationServer is configured to report metrics to a Prometheus instance in the OpenShift cluster, the metrics are sent over an unencrypted channel. This bulletin provides patch information to address the...

5.9CVSS5.9AI score0.00186EPSS
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/26 10:34 p.m.6 views

CVE-2026-27497

n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues...

9.4CVSS6.3AI score0.00765EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/02/24 7:15 p.m.6 views

Security Bulletin: Vulnerabilities in netty-codec-4.1.124.Final.jar, netty-codec-http-4.1.108.Final.jar, netty-codec-http2-4.1.124.Final.jar affecting MongoDB Enterprised Advanced (CVE-2025-58057)

Summary There are vulnerabilities in netty-codec-4.1.124.Final.jar, netty-codec-http-4.1.108.Final.jar, netty-codec-http2-4.1.124.Final.jar used in MongoDB Enterprised Advanced for IBM, involving CVE-2025-58057. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-58057...

7.5CVSS5.4AI score0.00561EPSS
Exploits1Affected Software1
Snyk
Snyk
added 2026/02/24 3:36 p.m.4 views

NULL Pointer Dereference

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

7.5CVSS6AI score0.00429EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/24 1:43 a.m.6 views

Allocation of Resources Without Limits or Throttling

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.7CVSS6AI score0.00501EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/17 9:27 p.m.2 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in which maps from multiple components may be accessed without synchronization. When under heavy concurrent activity, either spontaneous or attacker-generated, the process can be caused to panic and crash with fatal error...

7.5CVSS5.5AI score0.00291EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/02/11 12:0 a.m.8 views

PT-2026-7719

Name of the Vulnerable Software and Affected Versions Pion DTLS versions 1.0.0 through 3.1.0 Description Pion DTLS, a Go implementation of Datagram Transport Layer Security, is susceptible to an issue where the use of random nonce generation with AES GCM ciphers allows remote attackers to...

9.1CVSS5.5AI score0.00654EPSS
Exploits2References132
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.7 views

PT-2026-6751

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.13.4 Gogs versions 0.14.0+dev Description Gogs, an open source self-hosted Git service, has a flaw in its Two-Factor Authentication 2FA recovery code validation process. The validation does not verify that the recovery...

9.9CVSS5.5AI score0.34346EPSS
Exploits45References122
Rows per page
Query Builder