Lucene search
+L

1403 matches found

Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-53447 Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) any private board by ID

Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport or checking source-board membership. Any authenticated user who kno...

6.5CVSS0.00231EPSS
Exploits0References3
CVE
CVE
added 2 days ago11 views

CVE-2026-53444

Wekan (open-source Kanban, Meteor-based) prior to v9.32 had missing authorization on OIDC-related Meteor methods (e.g., setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, groupRoutineOnLogin) in packages/wekan-oidc/oidc_server.js a...

7.6CVSS6.1AI score0.00238EPSS
Exploits0References3
CVE
CVE
added 2 days ago10 views

CVE-2026-52891

Wekan prior to v9.07 is vulnerable to command execution via avatar upload. The avatar filename is embedded in shell commands in models/avatars.js and models/fileValidation.js, allowing shell metacharacters (e.g., ` and $( ) to run commands on the server through child_process.exec(). Impact: high ...

9.9CVSS6.2AI score0.00403EPSS
Exploits0References3
EUVD
EUVD
added 2 days ago10 views

EUVD-2026-36546

Koel: Server-Side Request Forgery SSRF in radio station creation due to missing validation bail...

6.3CVSS6.1AI score0.0016EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-60317

Name of the Vulnerable Software and Affected Versions Wekan versions prior to 9.07 Description The avatar upload functionality allows the embedding of user-supplied filenames into paths that are subsequently passed to the child process.exec function for MIME-type detection. Specifically, the...

9.9CVSS6.3AI score0.00403EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-60322

Name of the Vulnerable Software and Affected Versions Wekan versions prior to 9.32 Description A Server-Side Request Forgery SSRF exists where webhook integration URLs in models/integrations.js are stored from user input and subsequently fetched by server/notifications/outgoing.js. The process...

6.2CVSS6.1AI score0.00286EPSS
Exploits0References5
Microsoft Security Update
Microsoft Security Update
added 3 days ago4 views

2026-07 .NET 9.0.18 Security Update for ARM64 Client (KB5104033)

2026-07 .NET 9.0.18 Security Update for ARM64 Client KB5104033...

6.1AI score
Exploits0
Microsoft KB
Microsoft KB
added 3 days ago6 views

.NET 9.0 Update - July 14, 2026

None None...

8.8CVSS6.1AI score0.01579EPSS
Exploits0
CVE
CVE
added 2026/07/10 3:0 p.m.6 views

CVE-2026-15374

Technical details beyond the initial description are not publicly available in the provided documents. Monitor for updates on CVE-2026-15374 affecting Eleveo Call Recording Software 9.7.0, specifically the /callrec/roleAddAction.do improper authorization vulnerability.

6.5CVSS6.3AI score0.00256EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/09 10:37 p.m.51 views

CVE-2026-59858 Vim: Arbitrary Code Execution via C Omni-Completion

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honor...

8.4CVSS0.00137EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/09 10:34 p.m.53 views

CVE-2026-59857 Vim: Out-of-bounds Write in SAL Soundfolding

Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spellsoundfoldsal in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen MAXWLEN, allowing reslen...

5.6CVSS0.00107EPSS
Exploits0References2
OSV
OSV
added 2026/07/09 6:28 p.m.4 views

CVE-2026-59149 Mockoon: Path traversal in templated `filePath` lets a request escape the served directory (prefix-only base check)

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWithstaticBaseDir. That prefix test has no path-separator boundary, so a...

6.5CVSS6.1AI score0.0033EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/08 8:24 p.m.12 views

EUVD-2026-36117

Sharp Missing Authorization Check in Quick Creation Command Endpoints...

4.3CVSS5.9AI score0.00213EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 9:32 a.m.22 views

CVE-2026-12142

CVE-2026-12142 affects the NEX-Forms – Ultimate Forms Plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the internal parameter named '_name[]' , present in all versions up to and including 9.2.2 . Root cause: insufficient input sanitization and output escaping, co...

7.2CVSS5.9AI score0.00304EPSS
Exploits0References14
CVE
CVE
added 2026/06/30 7:50 p.m.16 views

CVE-2026-11595

CVE-2026-11595 affects IBM WebSphere Application Server 9.0 and 8.5. The IBM Security Bulletin describes a path traversal vulnerability in the administrative console’s integrated help system that could allow a remote attacker to obtain sensitive information. Affected products/versions include Web...

7.5CVSS5.8AI score0.00474EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/30 7:47 p.m.7 views

EUVD-2026-40397

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console's integrated help system...

9.3CVSS5.6AI score0.00217EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/30 7:45 p.m.39 views

CVE-2026-11712 IBM WebSphere Application Server is affected by a cross-site scripting vulnerability

IBM WebSphere Application Server 9.0, and 8.5 is affected by a cross-site scripting vulnerability in the administrative console help system...

9.3CVSS0.00217EPSS
Exploits0References1
OSV
OSV
added 2026/06/29 9:45 a.m.3 views

SUSE-SU-2026:2675-1 Security update for tomcat

This update for tomcat fixes the following issues Update to Tomcat 9.0.118: - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling bsc1265162. - CVE-2026-41293: HTTP/2 request headers not validated bsc1265163. - CVE-2026-42498: WebSocket authentication header exposure bsc1265165. -...

9.8CVSS5.9AI score0.01339EPSS
Exploits2References15
Fedora
Fedora
added 2026/06/28 12:58 a.m.8 views

[SECURITY] Fedora 44 Update: pgadmin4-9.16-1.fc44

pgAdmin is the most popular and feature rich Open Source administration and d evelopment platform for PostgreSQL, the most advanced Open Source database in the world...

9.5CVSS5.8AI score0.0071EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/06/28 12:0 a.m.7 views

Fedora 44 : pgadmin4 (2026-c248414214)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c248414214 advisory. Update to pgadmin-9.16. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

9.5CVSS5.8AI score0.0071EPSS
Exploits0References8
Rows per page
Query Builder