Lucene search
K

27 matches found

Cvelist
Cvelist
added 2026/06/30 7:55 p.m.32 views

CVE-2026-10140 Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials,...

9.6CVSS0.00201EPSS
Exploits0References1
CVE
CVE
added 2026/06/17 7:1 p.m.18 views

CVE-2026-10741

Sonatype Nexus Repository Manager prior to 3.93.0 contains an authorization flaw in the proxy repository configuration that lets a delegated repository administrator disclose stored upstream proxy credentials. This affects confidentiality (credentials exposure) with a CVSS base score of 5.9 (MEDI...

5.9CVSS5.3AI score0.0026EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.20 views

PT-2026-50525

Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository Manager versions prior to 3.93.0 Description An authorization bypass exists in the proxy repository configuration. This issue allows a delegated repository administrator to disclose stored upstream proxy credentials...

5.9CVSS5.2AI score0.0026EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/04/09 11:26 p.m.9 views

SUSE CVE-2026-33540

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

3.1CVSS5.8AI score0.00274EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2026/04/08 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-33540

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull- through cache mode, distribution discovers token auth...

7.5CVSS7.1AI score0.00274EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/04/06 6:33 p.m.4 views

CVE-2026-33540

A flaw was found in Distribution, a toolkit for managing container content. When operating in pull-through cache mode, Distribution incorrectly processes authentication challenges from an upstream registry. An attacker controlling the upstream registry, or positioned as a Man-in-the-Middle MitM,...

7.5CVSS5.8AI score0.00274EPSS
Exploits1References4
OSV
OSV
added 2026/04/06 5:52 p.m.2 views

GHSA-3P65-76G6-3W7R Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

hi guys, commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 as-of 2026-01-31 contact: GitHub Security Advisory https://github.com/distribution/distribution/security/advisories/new summary in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges...

7.5CVSS5.9AI score0.00274EPSS
Exploits1References4
EUVD
EUVD
added 2026/04/06 5:52 p.m.3 views

EUVD-2026-19289

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm...

7.5CVSS5.9AI score0.00274EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/06 5:52 p.m.15 views

Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

hi guys, commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 as-of 2026-01-31 contact: GitHub Security Advisory https://github.com/distribution/distribution/security/advisories/new summary in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges...

7.5CVSS7.1AI score0.00274EPSS
Exploits1References4Affected Software2
Snyk
Snyk
added 2026/04/06 4:9 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...

8.7CVSS5.9AI score0.00274EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/06 4:9 p.m.6 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...

8.7CVSS5.9AI score0.00274EPSS
Exploits1References2
NVD
NVD
added 2026/04/06 3:17 p.m.4 views

CVE-2026-33540

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

7.5CVSS0.00274EPSS
Exploits1References1
OSV
OSV
added 2026/04/06 3:17 p.m.2 views

UBUNTU-CVE-2026-33540

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

7.5CVSS5.8AI score0.00274EPSS
Exploits1References3
Debian CVE
Debian CVE
added 2026/04/06 2:55 p.m.5 views

CVE-2026-33540

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

7.5CVSS5.3AI score0.00274EPSS
Exploits1
Vulnrichment
Vulnrichment
added 2026/04/06 2:55 p.m.3 views

CVE-2026-33540 Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used...

7.5CVSS5.9AI score0.00274EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.13 views

PT-2026-30630

Distribution versions prior to 3.1.0 are affected by an issue where the software incorrectly handles token authentication endpoints. Specifically, when operating in pull-through cache mode, the software parses WWW-Authenticate challenges from the upstream registry without validating the realm URL...

9.8CVSS8.2AI score0.00276EPSS
Exploits1References79
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.6 views

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References1
NVD
NVD
added 2026/03/23 8:16 p.m.7 views

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS0.00274EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/23 7:18 p.m.11 views

CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References2
CVE
CVE
added 2026/03/23 7:18 p.m.38 views

CVE-2026-30886

The CVE-2026-30886 entry describes an Insecure Direct Object Reference (IDOR) in the video proxy endpoint GET /v1/videos/:task_id/content of the New API LLM gateway/AI asset manager. Before version 0.11.4-alpha.2, any authenticated user could access video content owned by others due to a missing ...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder