Lucene search
K

1637 matches found

NVD
NVD
added 4 hours ago4 views

CVE-2026-53516

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts emailverified: true without requiring the local user row's emailVerified...

8.3CVSS0.00019EPSS
Exploits0References4
Nuclei
Nuclei
added 17 hours ago45 views

Purchase Order Management v1.0 - Cross Site Scripting (Reflected)

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting XSS vulnerability via the password parameter at /purchaseorder/classes/login.php. id: CVE-2023-29623 info: name: Purchase Order Management v1.0 - Cross Site Scripting Reflected author: theamanrawat severity:...

6.1CVSS6.4AI score0.0125EPSS
Exploits1References4
NVD
NVD
added yesterday5 views

CVE-2026-48353

CAI Content Credentials is affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user...

5.5CVSS
Exploits0References1
NVD
NVD
added 2 days ago6 views

CVE-2026-58489

HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2 state value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not...

6.8CVSS0.00126EPSS
Exploits0References2
Nuclei
Nuclei
added 2 days ago73 views

Jenkins build-metrics 1.3 - Cross-Site Scripting

Jenkins build-metrics 1.3 is vulnerable to a reflected cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript into the web pages the plugin provides. id: CVE-2019-10475 info: name: Jenkins build-metrics 1.3 - Cross-Site Scripting author: madrobot severity...

6.1CVSS6.5AI score0.57735EPSS
Exploits5References5
OSV
OSV
added 2 days ago5 views

MAL-2026-10232 Malicious code in salesforce-vscode-slds (npm)

The salesforce-vscode-slds package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a...

6.1AI score
Exploits0References3
CVE
CVE
added 5 days ago9 views

CVE-2026-56666

ZITADEL before v4.15.3 permits auto-linking by email without confirming IdP ownership of the email. The external IdP handler validates the local email but not that the IdP confirms ownership, enabling linking a permissive provider account to a victim’s local account. This vulnerability is address...

4.8CVSS6.1AI score0.00189EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-55604 @arikusi/deepseek-mcp-server has an Authorization Bypass Through User-Controlled Key

DeepSeek MCP Server is an MCP server for DeepSeek V4. Starting in version 1.4.2 and prior to version 1.7.0, the process-global SessionStore accepts caller-supplied sessionid values without binding them to any authenticated principal or transport session. An attacker can enumerate active session I...

8.6CVSS0.00225EPSS
Exploits0References2
CVE
CVE
added 6 days ago10 views

CVE-2026-55604

DeepSeek MCP Server (DeepSeek V4) is vulnerable from v1.4.2 up to, but not including, v1.7.0. The issue stems from a process-global SessionStore that accepts caller-supplied session_id values without binding them to any authenticated principal or transport session. An attacker can enumerate activ...

8.6CVSS6AI score0.00225EPSS
Exploits0References2
NVD
NVD
added last week6 views

CVE-2026-54783

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF WS-Security endorsing and supporting signature verification does not ensure the selected ds:Signature covers the expected Security header target, allowing an attacker with...

7.4CVSS0.00143EPSS
Exploits0References6
CVE
CVE
added 2026/07/08 7:34 p.m.20 views

CVE-2026-60104

Bitwarden Server before 2026.6.0 is vulnerable to an authorization bypass in the admin/auth request flow. A low-privileged organization member can exploit a mismatch in the POST /auth-requests/admin-request handling to bind a Trusted Device Encryption request to an attacker-controlled public key,...

9.3CVSS6AI score0.00186EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/08 7:34 p.m.36 views

CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryptio...

9.3CVSS0.00186EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/08 7:34 p.m.6 views

CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryptio...

9.3CVSS6AI score0.00186EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/08 1:49 p.m.5 views

EUVD-2026-42257

n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields. Attackers can craft malicious credentials and trick victims into clicking the OAuth...

5.4CVSS5.9AI score0.00141EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 12:31 a.m.14 views

CVE-2026-55438

Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, subdomain-based proxy would bypass the same-owner CORS check when a workspace-name segment parsed as a UUID. The workspace could be resolved by ID with...

6.8CVSS6AI score0.00222EPSS
Exploits0References7Affected Software1
CISA KEV Catalog
CISA KEV Catalog
added 2026/07/07 12:0 a.m.4 views

Langflow Authorization Bypass Through User-Controlled Key Vulnerability

Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request...

8.4CVSS6AI score0.0056EPSS
In wildExploits2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in enbd-react-lib (npm)

The enbd-react-lib package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization an 'enbd' interna...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.3 views

Malicious code in @flex-ng/filter-pipe (npm)

The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.7 views

Malicious code in box-react-uix (npm)

The box-react-uix package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'box' internal...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.5 views

Malicious code in @flex-ng/header-component (npm)

The @flex-ng/header-component package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the...

6.1AI score
Exploits0References3
Rows per page
Query Builder