Lucene search
K

47819 matches found

OSV
OSV
added last week4 views

UBUNTU-CVE-2026-13758

CryptX versions before 0.088001 for Perl compare AEAD authentication tags in non-constant time in the streaming decryptdone path. The decryptdone$tag form compares it against the computed tag with memNE memcmp != 0, which short-circuits on the first differing byte, so its run time depends on the...

3.7CVSS5.8AI score0.00295EPSS
Exploits0References6
Debian CVE
Debian CVE
added last week4 views

CVE-2026-13758

CryptX versions before 0.088001 for Perl compare AEAD authentication tags in non-constant time in the streaming decryptdone path. The decryptdone$tag form compares it against the computed tag with memNE memcmp != 0, which short-circuits on the first differing byte, so its run time depends on the...

3.7CVSS5.8AI score0.00295EPSS
Exploits0
NVD
NVD
added last week10 views

CVE-2026-13742

Honeywell IQ MultiAccess, all versions prior to and including version 28, contain an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, leading to the replacement of downloaded file with a malicious one. Honeywell also recommends...

5.8CVSS0.00083EPSS
Exploits0References1
EUVD
EUVD
added last week6 views

EUVD-2026-40126

Honeywell IQ MultiAccess, all versions prior to and including version 28, contain an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, leading to the replacement of downloaded file with a malicious one. Honeywell also recommends...

5.8CVSS5.8AI score0.00083EPSS
Exploits0References1
CVE
CVE
added last week10 views

CVE-2026-13742

CVE-2026-13742 affects Honeywell IQ MultiAccess, all versions prior to and including 28. The root cause is improper digital signature verification, enabling an attacker with local access and low privileges (no user interaction) to have a downloaded file replaced with a malicious one. CVSS metrics...

5.8CVSS5.8AI score0.00083EPSS
Exploits0References1
Cvelist
Cvelist
added last week31 views

CVE-2026-13742 Lack of signature verification before execution of downloaded content

Honeywell IQ MultiAccess, all versions prior to and including version 28, contain an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, leading to the replacement of downloaded file with a malicious one. Honeywell also recommends...

5.8CVSS0.00083EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added last week4 views

gnutls: GnuTLS: Denial of Service via excessive resource consumption during certificate verification

A flaw was found in GnuTLS. This vulnerability allows a denial of service DoS by excessive CPU Central Processing Unit and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names SANs...

5.3CVSS6.7AI score0.00638EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added last week4 views

Important: Red Hat Security Advisory: gnutls and libtasn1 security update

An update for multiple packages is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common...

9.8CVSS7AI score0.01335EPSS
Exploits2References14
NVD
NVD
added last week7 views

CVE-2026-12616

The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format "%asctimes - %names - %levelnames - %messages" renders...

6.9CVSS0.00308EPSS
Exploits0References1
NVD
NVD
added last week9 views

CVE-2026-13165

SzafirHost verifies the downloaded native library archive with one JarFile parser reading the Central Directory but extracts native libraries with JarInputStream parser reading sequentially from local file headers. An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as...

8.6CVSS0.00418EPSS
Exploits0References2
EUVD
EUVD
added last week8 views

EUVD-2026-40094

The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format "%asctimes - %names - %levelnames - %messages" renders...

6.9CVSS5.8AI score0.00308EPSS
Exploits0References1
CVE
CVE
added last week11 views

CVE-2026-12616

The CVE describes a vulnerability in the /v1/upload/sbom endpoint where the iss claim from an attacker-supplied JWT is read with signature verification disabled and interpolated into log statements before validation. The log format renders newlines literally, allowing an unauthenticated attacker ...

6.9CVSS5.8AI score0.00308EPSS
Exploits0References1
EUVD
EUVD
added last week6 views

EUVD-2026-40078

SzafirHost verifies the downloaded native library archive with one JarFile parser reading the Central Directory but extracts native libraries with JarInputStream parser reading sequentially from local file headers. An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as...

8.6CVSS6AI score0.00418EPSS
Exploits0References2
CVE
CVE
added last week15 views

CVE-2026-13165

SzafirHost is affected by a remote code execution vulnerability (CVE-2026-13165) in the way it validates versus extracts native libraries from archives. The application verifies the downloaded native library archive using JarFile (Central Directory) but extracts libraries with JarInputStream (seq...

8.6CVSS6AI score0.00418EPSS
Exploits0References2
OSV
OSV
added last week5 views

PYSEC-2026-326 dcap-qvl has Missing Verification for QE Identity

Impact This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity, qeidentitysignature, and qeidentityissuerchain from the PCCS. However, it skips to verify the QE Identity signature...

9.3CVSS5.9AI score0.00208EPSS
Exploits0References5
OSV
OSV
added last week4 views

PYSEC-2026-482 PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation

Summary The Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the...

9.4CVSS5.8AI score0.00043EPSS
Exploits0References5
OSV
OSV
added last week5 views

PYSEC-2026-476 PraisonAI Vulnerable Untrusted Remote Template Code Execution

PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. --- Description When a user installs a template from a remote source e.g., GitHub,...

9.3CVSS6.3AI score0.00304EPSS
Exploits1References6
OSV
OSV
added last week5 views

PYSEC-2026-391 LiteLLM has SQL Injection in Proxy API key verification

Impact A database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route for example POST /chat/completions a...

9.8CVSS6.1AI score0.86607EPSS
Exploits7References7
OSV
OSV
added last week5 views

PYSEC-2026-287 Authlib JWS JWK Header Injection: Signature Verification Bypass

Description Summary A JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic...

9.1CVSS7.4AI score0.00548EPSS
Exploits1References7
OSV
OSV
added last week6 views

PYSEC-2026-284 Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC

Impact When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs LDP-VCs, the result of verifying the presentation document.proof was not factored into the final verified value true/false on the presentation record. Below is an example result from verifying a JSON-LD...

9.9CVSS5.8AI score0.00627EPSS
Exploits1References9
Rows per page
Query Builder