2156 matches found
EUVD-2026-41099
URL redirection to untrusted site 'open redirect' vulnerability in The Wikimedia Foundation Mediawiki - UrlShortener Extension allows Cross-Site Flashing. This issue affects Mediawiki - UrlShortener Extension: from before 1.43.9, 1.44.6, 1.45.4...
CVE-2026-34098
CVE-2026-34098: Guardian Language-System contains an XSS in media.php via unsanitized id parameter (GET). The id value is inserted into HTML source and form actions (lines 119, 129), enabling script injection in a victim’s browser session. Affected: Guardian Language-System; vulnerability manifes...
CVE-2026-58029
creationtimestamp| type| source ---|---|--- 2026-07-01 15:54:31+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mpluujzji72j 2026-07-02 02:51:36+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmzlikquv2y 2026-07-02 04:28:51+00:00| seen|...
CVE-2026-10562
CVE-2026-10562 affects TP-Link Archer AX20 V2.0–V2.1.9 Build 20230829. The flaw is an unauthenticated URL redirection caused by improper validation of user-supplied URL input in the device’s web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences;...
CVE-2026-12076
creationtimestamp| type| source ---|---|--- 2026-06-30 10:00:46+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mpiqn3brkz2v 2026-07-01 02:36:28+00:00| seen| https://cert.pl/en/posts/2026/06/CVE-2026-12076...
CVE-2026-36848
creationtimestamp| type| source ---|---|--- 2026-06-29 18:45:05+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mph5hp43mm2w 2026-06-29 21:59:37+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mphidk7hpb2d...
CVE-2026-13751
CVE-2026-13751 concerns Snowflake CLI prior to v3.19, where the SQL reader’s !source/!load directives could reference remote URLs retrieved at runtime. The root cause is improper handling of untrusted remote references, enabling server-side request forgery within the vulnerable command path. Impa...
PYSEC-2026-444 Code Injection in paddlepaddle
The vulnerability arises from the way the url parameter is incorporated into the command string without proper validation or sanitization. If the url is constructed from untrusted sources, an attacker could potentially inject malicious commands...
Malicious code in rebrandly-domains-search-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d4464320c8530d582d35f85ce95045182d82e1dd63a830644bcb68f05bdf10e Package [email protected] is an empty module index.js exports an empty object whose package.json preinstall hook runs node...
CVE-2026-47214
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0...
CVE-2026-50742
creationtimestamp| type| source ---|---|--- 2026-06-26 03:01:09+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mp5xd2fdsk2b 2026-06-29 21:52:56+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mphhxli3am2b...
CVE-2026-55487 pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
CVE-2026-12635
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through...
EUVD-2026-39168
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
CVE-2026-57304
A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...
CVE-2026-57305
A cross-site request forgery CSRF vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password...
CVE-2026-56270
creationtimestamp| type| source ---|---|--- 2026-06-24 13:55:31+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mp22xcos3g2f...
CVE-2026-57304
CVE-2026-57304 affects the Jenkins Assembla Plugin (versions ≤ 1.4). The root cause is a missing permission check, allowing attackers who have Overall/Read permission to instruct the plugin to connect to an attacker-specified URL using attacker-specified credentials. The description in connected ...