Lucene search
K

1038 matches found

NVD
NVD
added yesterday3 views

CVE-2026-55438

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS0.00216EPSS
Exploits0References7
EUVD
EUVD
added yesterday4 views

EUVD-2026-42151

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the...

6.8CVSS6AI score0.00216EPSS
Exploits0References7
CVE
CVE
added yesterday11 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

6.8CVSS6AI score0.00216EPSS
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
added 2 days ago3 views

CVE-2026-46354

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS6.1AI score0.00262EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2 days ago6 views

GO-2026-5918 Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing in github.com/coder/coder...

5.8CVSS5.9AI score0.00216EPSS
Exploits0References3
NVD
NVD
added 2 days ago7 views

CVE-2026-34044

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by...

7.7CVSS0.00244EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 3 days ago6 views

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...

6.8CVSS5.9AI score0.00216EPSS
Exploits0References4Affected Software1
OSV
OSV
added 3 days ago3 views

GHSA-WRQ8-FCV5-8HVP Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator

Summary The tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. Impact A...

8.2CVSS6AI score0.00408EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 3 days ago3 views

Security Bulletin: IBM Quantum Safe Remediator is affected by mutiple vulnerabilities

Summary The vulnerabilities are found in the dependent open source libraries used in IBM Quantum Safe Remediator code base. IBM Quantum Safe Remediator has addressed these vulnerabilities by updating the versions of the affected libraries. Vulnerability Details CVEID:CVE-2026-39824 DESCRIPTION:...

9.3CVSS6.4AI score0.00492EPSS
Exploits2Affected Software1
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-56082

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description The subdomain-based workspace app proxy allows a bypass of the same-owner Cross-Origin Resource Sharing CO...

5.8CVSS6AI score0.00216EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-56072

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description The tailnet coordinator fails to validate that an agent's AllowedIPs derive from its authenticated UUID,...

8.2CVSS6AI score0.00408EPSS
Exploits0References10
OSV
OSV
added last week7 views

ROOT-APP-NPM-CVE-2026-41907 CVE-2026-41907 in @rootio/uuid - Patched by Root

Root has patched CVE-2026-41907 in the @rootio/uuid package for Root:npm. Multiple fixed versions available...

7.5CVSS5.8AI score0.00337EPSS
Exploits1
Cvelist
Cvelist
added 2026/06/30 2:28 p.m.33 views

CVE-2026-27881 Coolify: Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, GET /api/v1/deployments/uuid in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any...

5CVSS0.00162EPSS
Exploits0References1
CVE
CVE
added 2026/06/29 5:21 p.m.19 views

CVE-2026-57952

Mythic before 3.4.0.60 contains an authorization bypass in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpo...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/26 5:3 p.m.3 views

Security Bulletin: Vulnerabilities in jackson-core and UUID might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in jackson-core and UUID. Vulnerabilities include jackson-core will throw a StreamConstraintsException if the limit is reached, vulnerable to a Denial of Service DoS attack and making unexpected writes when...

8.7CVSS5.8AI score0.00634EPSS
Exploits1Affected Software1
NVD
NVD
added 2026/06/23 9:16 p.m.8 views

CVE-2026-47279

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on t...

6.9CVSS0.00239EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 12:13 p.m.21 views

CVE-2026-56315

CVE-2026-56315 affects the Python tool picklescan until version 1.0.4, which fails to block imports from at least seven standard library modules (e.g., uuid, _osx_support, _aix_support, _pyrepl.pager, imaplib). This allows adversaries to craft pickle files that import these unblocked modules to t...

9.8CVSS6.7AI score0.00757EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/22 11:59 p.m.8 views

Gogs Missing Authorization in Attachment Download

Summary In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRESIGNINVIEW = false, we confirmed that an unauthenticated user ca...

7.5CVSS5.8AI score0.00422EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.12 views

PT-2026-51457

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Gogs is an open source self-hosted Git service. The endpoint '/attachments/:uuid' retrieves attachment records using the uuid variable provided in the URL and returns the corresponding local file witho...

7.5CVSS5.9AI score0.00422EPSS
Exploits0References10
OSV
OSV
added 2026/06/13 12:54 p.m.6 views

ROOT-APP-NPM-GHSA-W5HQ-G745-H8PQ GHSA-w5hq-g745-h8pq in @rootio/uuid - Patched by Root

Root has patched GHSA-w5hq-g745-h8pq in the @rootio/uuid package for Root:npm. Multiple fixed versions available...

5.3AI score
Exploits0
Rows per page
Query Builder