265 matches found

OSV
added 2026/04/09 8:28 p.m. · 1 view

GHSA-HC36-C89J-5F4J bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)

Unverified certifier signatures persisted by acquire_certificate. Affected packages: Both bsv-sdk and bsv-wallet are published from the sgbett/bsv-ruby-sdk repository. The vulnerable code lives in lib/bsv/wallet_interface/wallet_client.rb, which is physically shipped inside both gems the...

CVSS 8.1 · AI score 5.9 · EPSS 0.00135
Exploits 1 · References 9
CVE
added 2026/04/09 7:00 p.m. · 10 views

CVE-2026-35063

CVE-2026-35063 concerns OpenPLC_V3 REST API: an endpoint checks for JWT but does not verify the caller’s role. This allows any authenticated user with role=user to delete other users (including admins) by specifying a user_id, or to create new accounts with role=admin, effectively escalating to f...

CVSS 8.8 · AI score 5.9 · EPSS 0.0024
Exploits 0 · References 1 · Affected Software 1
NVD
added 2026/04/09 6:17 p.m. · 5 views

CVE-2026-40070

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all...

CVSS 8.1 · EPSS 0.00135
Exploits 1 · References 5
CNNVD
added 2026/04/09 12:00 a.m. · 6 views

BSV Ruby SDK data forgery vulnerability

BSV Ruby SDK is a Ruby development toolkit developed by Simon Bettison for BSV blockchain. Versions of the BSV Ruby SDK from 0.3.1 to 0.8.2 had a data manipulation vulnerability. This vulnerability stemmed from the lack of signature verification when storing certificate records, which could allow...

CVSS 8.1 · AI score 5.7 · EPSS 0.00135
Exploits 1 · References 5
Positive Technologies
added 2026/04/09 12:00 a.m. · 5 views

PT-2026-31672

Name of the Vulnerable Software and Affected Versions: BSV Ruby SDK versions 0.3.1 through 0.8.1; BSV Ruby Wallet versions 0.1.2 through 0.3.3. Description: The BSV Ruby SDK and Wallet contain a flaw in the acquire certificate function, which does not verify the certifier's signature over the...

CVSS 8.1 · AI score 5.9 · EPSS 0.00135
Exploits 1 · References 9
NVD
added 2026/04/08 7:16 a.m. · 4 views

CVE-2026-3480

The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview function. This function lacks any capability check...

CVSS 6.5 · EPSS 0.00342
Exploits 0 · References 7
CNNVD
added 2026/04/08 12:00 a.m. · 7 views

WordPress plugin BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVSS 4.3 · AI score 5.7 · EPSS 0.00128
Exploits 0 · References 4
RedhatCVE
added 2026/04/07 6:35 p.m. · 3 views

CVE-2026-32144

A flaw was found in Erlang OTP public_key. This improper certificate validation vulnerability allows a remote attacker to bypass Online Certificate Status Protocol (OCSP) designated-responder authorization. The vulnerability stems from missing signature verification during OCSP response validation,...

CVSS 7.6 · AI score 5.8 · EPSS 0.002
Exploits 0 · References 9
Vulnrichment
added 2026/04/07 12:28 p.m. · 2 views

CVE-2026-32144 OCSP designated-responder authorization bypass via missing signature verification

Improper Certificate Validation vulnerability in the Erlang OTP public_key pubkey_ocsp module allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate...

CVSS 7.6 · AI score 5.9 · EPSS 0.002
Exploits 0 · References 6
Positive Technologies
added 2026/04/07 12:00 a.m. · 6 views

PT-2026-31050

The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the actions handler and bulk actions handler methods in class-dlm-downloads-path.php in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it...

CVSS 5.4 · AI score 5.8 · EPSS 0.00161
Exploits 0 · References 7
Positive Technologies
added 2026/04/06 12:00 a.m. · 10 views

PT-2026-30715

Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL b...

CVSS 7.1 · AI score 5.9 · EPSS 0.00201
Exploits 1 · References 2
RedhatCVE
added 2026/04/03 4:59 p.m. · 6 views

CVE-2026-26928

SzafirHost downloads necessary files in the context of the initiating web page. When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed b...

CVSS 8.7 · AI score 5.8 · EPSS 0.00213
Exploits 0 · References 1
Positive Technologies
added 2026/04/03 12:00 a.m. · 13 views

PT-2026-30244

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

CVSS 6.9 · AI score 5.8 · EPSS 0.00211
Exploits 0 · References 3
EUVD
added 2026/04/02 3:06 p.m. · 5 views

EUVD-2026-18354

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...

CVSS 9.8 · AI score 5.9 · EPSS 0.003
Exploits 0 · References 2
ATTACKERKB
added 2026/04/02 3:06 p.m. · 1 view

CVE-2026-33746

Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...

CVSS 9.8 · AI score 5.9 · EPSS 0.003
Exploits 0 · References 3 · Affected Software 1
EUVD
added 2026/03/30 9:31 p.m. · 5 views

EUVD-2026-17162

TrueConf Client downloads application update code and applies it without performing verification. An attacker who is able to influence the update delivery path can substitute a tampered update payload. If the payload is executed or installed by the updater, this may result in arbitrary code...

CVSS 7.8 · AI score 6.4 · EPSS 0.0575
Exploits 2 · References 2
Cvelist
added 2026/03/27 12:30 a.m. · 24 views

CVE-2026-33730 Open Source Point of Sale has an IDOR in Password Change (Home)

Open Source Point of Sale (opensourcepos) is a web-based point of sale application written in PHP using the CodeIgniter framework. Prior to version 3.4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows an authenticated low-privileged user to access the password change functionality of...

CVSS 6.5 · EPSS 0.00277
Exploits 1 · References 2
Positive Technologies
added 2026/03/27 12:00 a.m. · 6 views

PT-2026-28623

Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: AVideo is an open source video platform. The get api video file and get api video API endpoints do not verify video passwords for password-protected videos. This allows an unauthenticated...

CVSS 5.3 · AI score 5.9 · EPSS 0.00376
Exploits 1 · References 8
RedhatCVE
added 2026/03/26 2:59 p.m. · 4 views

CVE-2026-31944

LibreChat is a ChatGPT clone with additional features. From 0.8.2 to 0.8.2-rc3, the MCP (Model Context Protocol) OAuth callback endpoint accepts the redirect from the identity provider and stores OAuth tokens for the user who initiated the flow, without verifying that the browser hitting the redire...

CVSS 7.6 · AI score 5.9 · EPSS 0.00244
Exploits 1 · References 1
CNNVD
added 2026/03/26 12:00 a.m. · 6 views

Linux kernel security vulnerability

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the lack of verifying the length of individual options in the fingerprint. This vulnerability may lead ...

CVSS 7.1 · AI score 5.8 · EPSS 0.00117
Exploits 0 · References 8