Lucene search
+L

1999 matches found

Vulnrichment
Vulnrichment
added 2026/06/12 2:22 p.m.10 views

CVE-2026-47739 Frappe: Stored XSS in Note

Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0...

6.9CVSS5.1AI score0.00258EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 12:58 p.m.34 views

CVE-2026-47200 Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled default in Nuxt 4, any...

6.3CVSS0.0023EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.23 views

PT-2026-48962

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.80 Parse Server versions prior to 9.9.1-alpha.6 Description A relation query using the $relatedTo operator allows an unauthenticated client to read the membership of a Relation field. This occurs even if the...

6.9CVSS5.2AI score0.00276EPSS
Exploits0References7
OSV
OSV
added 2026/06/11 5:16 p.m.7 views

UBUNTU-CVE-2026-44486

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axi...

7.5CVSS5.3AI score0.00532EPSS
Exploits1References3
Debian CVE
Debian CVE
added 2026/06/11 3:39 p.m.11 views

CVE-2026-44486

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axi...

7.5CVSS5.3AI score0.00532EPSS
Exploits1
Vulnrichment
Vulnrichment
added 2026/06/11 3:33 p.m.10 views

CVE-2026-44495 Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse,...

7CVSS5.3AI score0.00495EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/06/11 11:14 a.m.15 views

SUSE CVE-2026-46693

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. This issue ha...

4.1CVSS5.2AI score0.00077EPSS
Exploits0References8
AlpineLinux
AlpineLinux
added 2026/06/10 9:30 p.m.11 views

CVE-2026-45664

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use...

7.5CVSS5.3AI score0.00441EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/10 8:24 p.m.12 views

CVE-2026-48108 Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input

Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing...

5.3CVSS5.5AI score0.00277EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 5:2 a.m.54 views

CVE-2026-26241

CVE-2026-26241 affects File Station 5; a buffered overflow in a component of File Station 5. Exploitation could crash or modify memory, with impact described as high on integrity and availability (per CVSS data). A fix is available in File Station 5 5.5.6.5243 and later. Public details across con...

9.1CVSS5.8AI score0.00318EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/10 4:17 a.m.12 views

CVE-2025-62851

A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: License...

6.9CVSS0.00259EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 3:15 a.m.43 views

CVE-2026-24724 File Station 5

An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.52...

8.6CVSS0.00259EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 3:14 a.m.42 views

CVE-2026-24717

CVE-2026-24717 describes a path traversal vulnerability affecting several QNAP operating system versions. The issue allows an administrator (needs admin privileges) to read unexpected files or system data through a path traversal flaw. Affected products include QTS and QuTS hero lines, with fixed...

6.5CVSS5.5AI score0.00392EPSS
Exploits0References1Affected Software2
Cvelist
Cvelist
added 2026/06/10 12:26 a.m.42 views

CVE-2026-45160 ESF-IDF: Out-of-bounds Read in lwIP DHCP Server Option Parser

ESF-IDF is the Espressif Internet of Things IOT Development Framework. In versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, an out-of-bounds read flaw exists in the DHCP server option parser parseoptions in components/lwip/apps/dhcpserver/dhcpserver.c shipped with ESP-IDF's lwIP component. The pars...

6.5CVSS0.00246EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/06/09 2:50 p.m.37 views

CVE-2026-24065 Local Privilege Escalation via Insecure XPC Client Validation in Waves Central for macOS

Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier PID to verify code-signing identity. Because process identifiers can be reuse...

0.00323EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/07 2:15 a.m.7 views

CVE-2026-11449 GL.iNet GL-MT3000 LuCI JSON-RPC rpc rpc_sys command injection

A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpcsys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote. Upgrading to version...

6.5CVSS6.2AI score0.01102EPSS
Exploits0References6
CVE
CVE
added 2026/06/05 9:8 p.m.30 views

CVE-2026-11431

CVE-2026-11431 describes a path traversal in Altium’s Projects Service download endpoint used by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path that bypasses validation, enabling reading arbitrary files (including entire directories returned as archives) ...

8.3CVSS5.5AI score0.00517EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:46 p.m.11 views

CVE-2026-28860

The issue was addressed with improved input validation. This issue is fixed in iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4, tvOS 26.4, visionOS 26.4, watchOS 26.4. A local attacker may be able to modify the state of the...

7.5CVSS5.4AI score0.0038EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.13 views

CVE-2026-45412

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...

6.3CVSS5.6AI score0.00207EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.14 views

CVE-2026-42866

Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's writetxt, writecsv, writejson, and commented-but-shipping scanfile helpers open their output as openf"user.", where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A userna...

6.7CVSS5.6AI score0.00145EPSS
Exploits0References1
Rows per page
Query Builder