Lucene search
+L

1327 matches found

RedhatCVE
RedhatCVE
added 2026/05/26 9:0 a.m.17 views

CVE-2026-42586

A flaw was found in Netty, an asynchronous, event-driven network application framework. The Netty Redis codec encoder RedisEncoder does not properly validate or sanitize user-controlled string content for CRLF Carriage Return Line Feed characters. A remote attacker, by controlling the content of ...

7.1CVSS6.7AI score0.00198EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/05/22 10:25 a.m.12 views

CVE-2026-4646

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint.. Mattermost Advisory ID:...

4.3CVSS5.8AI score0.0025EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/21 9:17 a.m.14 views

EUVD-2026-31257

ptracePTSCREMOTE failed to properly validate parameters for the syscall2 and syscall2 meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. The missing validation allows ...

8.4CVSS6.3AI score0.00196EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/20 7:57 p.m.9 views

CVE-2026-31070

The LalanaChami Pharmacy Management System commit 5c3d028 allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body...

9.8CVSS5.8AI score0.00476EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in glib2.0

A flaw was discovered in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, resulting in a denial of service...

7.5CVSS6.8AI score0.00768EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.9 views

CVE-2026-6391 Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attackers...

6.1CVSS5.7AI score0.00174EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/05/19 6:4 a.m.55 views

CVE-2026-8830 Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS0.00392EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/19 12:0 a.m.48 views

CVE-2026-31070

The LalanaChami Pharmacy Management System commit 5c3d028 allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body...

0.00476EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/19 12:0 a.m.12 views

EUVD-2026-30945

The LalanaChami Pharmacy Management System commit 5c3d028 allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body...

5.8AI score0.00476EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.18 views

PT-2026-41943

Name of the Vulnerable Software and Affected Versions LalanaChami Pharmacy Management System version 5c3d028 Description Unauthenticated remote attackers can escalate privileges by self-assigning an administrative role during the registration process. This occurs because the '/api/user/signup'...

9.8CVSS5.8AI score0.00476EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 a.m.13 views

Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a craft...

4.3CVSS5.8AI score0.00142EPSS
Exploits0References4Affected Software2
Cvelist
Cvelist
added 2026/05/18 8:7 a.m.45 views

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS0.00143EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/18 8:7 a.m.9 views

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS5.8AI score0.00143EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/18 7:8 a.m.12 views

EUVD-2026-30744

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder...

4.3CVSS5.8AI score0.0024EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/16 5:23 a.m.7 views

Improper Input Validation

github.com/free5gc/udm is vulnerable to improper input validation. The vulnerability is due to the UDM component failing to validate the SUPI path parameter in multiple nudm-sdm GET handlers, which allows an unauthenticated attacker to inject control characters, forward malformed requests to the...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/15 6:32 p.m.3 views

CVE-2026-4054 SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...

4.3CVSS6AI score0.00242EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/14 8:55 p.m.22 views

@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol

Summary The @utcp/http package is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual validates the discovery URL against an HTTPS / loopback allowlist, but callTool reuses the resolved...

4.7CVSS6AI score0.00122EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/14 4:24 p.m.6 views

GHSA-MGQ6-4X29-88R3 Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization

Summary Portainer proxies requests to Kubernetes clusters through a middleware layer kubeClientMiddleware that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missi...

8.1CVSS5.9AI score0.00335EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/13 3:29 p.m.9 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop through insufficient validation and missing safety mechanisms during symlink resolution. An attacker can cause infinite loops and resource exhaustion by providing crafted or malformed input that triggers uncontrolled...

7.5CVSS5.8AI score0.00295EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/08 6:51 p.m.6 views

CVE-2026-29201

Insufficient input validation of the feature file name in feature::LOADFEATUREFILE adminbin call can cause arbitrary file read when a relative file path is passed...

8.6CVSS5.9AI score0.00435EPSS
Exploits0References1
Rows per page
Query Builder