Lucene search
+L

34 matches found

NVD
NVD
added 5 hours ago5 views

CVE-2026-14871

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization BOLA leading to Insecure Direct Object Reference IDOR in the AJAX ticket-management subsystem...

7.1CVSS
Exploits0References5
CVE
CVE
added 6 hours ago9 views

CVE-2026-14871

This CVE affects osTicket versions 1.18.3 and 1.17.7, where a Broken Object Level Authorization (BOLA) leads to an Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem. The issue enables cross-department data disclosure due to improper access controls on object referenc...

7.1CVSS5.3AI score
Exploits0References5
EUVD
EUVD
added 6 hours ago5 views

EUVD-2026-45186

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization BOLA leading to Insecure Direct Object Reference IDOR in the AJAX ticket-management subsystem...

7.1CVSS5.3AI score
Exploits0References5
EUVD
EUVD
added 2026/06/26 2:53 p.m.5 views

EUVD-2026-39733

Contributor Arbitrary File Deletion in H5P = 1.17.7 versions...

7.1CVSS5.8AI score0.00294EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:29 p.m.17 views

CVE-2026-46431

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS5.4AI score0.00219EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.14 views

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

4.3CVSS0.00197EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 5:16 p.m.20 views

CVE-2026-45721

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute a...

9CVSS0.00437EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 4:42 p.m.41 views

CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS0.00219EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 4:42 p.m.10 views

EUVD-2026-31870

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS5.8AI score0.00219EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/26 4:42 p.m.7 views

CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS5.8AI score0.00219EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 4:42 p.m.14 views

CVE-2026-46431

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

4.3CVSS5.8AI score0.00219EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/26 4:41 p.m.33 views

CVE-2026-46430 Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

4.3CVSS0.00197EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 4:41 p.m.8 views

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

4.3CVSS5.8AI score0.00197EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/26 4:41 p.m.19 views

CVE-2026-46430

CVE-2026-46430 affects Algernon (SSE event server). Before 1.17.7, the SSE event server bound to 0.0.0.0:5553 by default on Linux/macOS due to host default logic, enabling LAN-wide access. The issue arises from platform-dependent default host handling (empty on non-Windows), resulting in an effec...

4.3CVSS5.8AI score0.00197EPSS
Exploits0References1
OSV
OSV
added 2026/05/26 4:41 p.m.2 views

CVE-2026-46430 Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

4.3CVSS6AI score0.00197EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/26 4:38 p.m.40 views

CVE-2026-45728 Algernon: Single-file mode unconditionally enables debug mode

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...

7.5CVSS0.00303EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 4:38 p.m.14 views

EUVD-2026-31868

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...

7.5CVSS5.8AI score0.00303EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/26 4:38 p.m.10 views

CVE-2026-45728 Algernon: Single-file mode unconditionally enables debug mode

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...

7.5CVSS5.8AI score0.00303EPSS
Exploits0References1
OSV
OSV
added 2026/05/26 4:38 p.m.4 views

CVE-2026-45728 Algernon: Single-file mode unconditionally enables debug mode

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error respon...

7.5CVSS6AI score0.00303EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/26 4:34 p.m.47 views

CVE-2026-45721 Algernon: handler.lua discovery walks parent directories above the server root

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute a...

9CVSS0.00437EPSS
Exploits0References1
Rows per page
Query Builder