Lucene search
K

16933 matches found

Debian CVE
Debian CVE
added 2026/05/11 9:14 p.m.9 views

CVE-2026-7010

HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values. The unvalidated inputs are the method and URI in the request line, the URL host that becomes the Host: header, and HTTP/1.1 control data field values. An attacker who controls one ...

6.5CVSS5.8AI score0.00227EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/11 8:36 p.m.7 views

CVE-2026-43879 WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. Wh...

5.4CVSS5.8AI score0.00165EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 8:34 p.m.32 views

CVE-2026-43877 WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

5.4CVSS0.00121EPSS
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/11 6:26 p.m.22 views

Security Bulletin: MongoDB Enterprised Advanced affected by: Missing Authorization and Other Issues (CVE-2026-34766 + 13 more)

Summary There are vulnerabilities in electron-37.8.0.tgz used in MongoDB Enterprised Advanced for IBM, involving 14 CVEs. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-34766 DESCRIPTION: Electron is a framework for writing cross-platform desktop applications using...

8.8CVSS6AI score0.00295EPSS
Exploits0Affected Software1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.11 views

WSO2多款产品 注入漏洞

WSO2 API Manager, among others, are products of the American company WSO2. The WSO2 API Manager is a suite of API lifecycle management solutions. The WSO2 API Control Plane is a control panel. The WSO2 Traffic Manager is a component designed to regulate and manage API traffic. Several WSO2 produc...

7.5CVSS6AI score0.00186EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.17 views

PT-2026-39602

A reflected cross-site scripted XSS vulnerability in the dfm-menu firmware.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...

6AI score0.00236EPSS
Exploits0References4
OSV
OSV
added 2026/05/08 11:25 p.m.11 views

GHSA-MGHP-5CQ4-V6MG Snipe-IT has an open redirect vulnerability

Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. Impact - Phishing: Redirect users to fake login pages to steal credentials - Session Hijacking: Redirect to attacker site that captures...

5.9CVSS5.8AI score0.00163EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/08 6:31 p.m.9 views

EUVD-2026-28799

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

2.3CVSS5.8AI score0.00282EPSS
Exploits0References5
OSV
OSV
added 2026/05/08 4:53 p.m.9 views

GHSA-2H64-C999-C9R6 SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE

Summary The kernel stores Attribute View AV / database names without any HTML escape, then a render template uses raw strings.ReplaceAlltpl, "$avName", nodeAvName to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths render.ts:120 → outerHTML,...

9.4CVSS5.9AI score0.00509EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/08 3:27 p.m.7 views

CVE-2026-41683 HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS5.7AI score0.00327EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/06 10:10 p.m.12 views

Daptin fuzzy search injects unvalidated column name into raw SQL

Summary processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.Lfmt.Sprintf"LOWER%s LIKE ?", prefix+col raw SQL with no column whitelist check. The entry point is GET /api/ with...

7.1CVSS6.1AI score0.00305EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/06 6:13 p.m.37 views

CVE-2026-8021

CVE-2026-8021 is a UI-based script injection (UXSS) in Google Chrome. Multiple connected sources (OSV/DEBIAN-CVE-2026-8021, PT-2026-38214, PTSecurity) confirm: affecting Google Chrome versions prior to 148.0.7778.96, caused by a vulnerability in the browser UI that could execute arbitrary scripts...

4.2CVSS6AI score0.00155EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.12 views

FluentCMS 安全漏洞

FluentCMS is a .NET-based content management system CMS that is primarily used to quickly build websites and manage web content. A cross-site scripting vulnerability exists in the FluentCMS TextHTML plugin. The vulnerability stems from insufficient validation of user input and failure to properly...

6.1CVSS5.7AI score0.00194EPSS
Exploits0References2
Packet Storm
Packet Storm
added 2026/05/04 12:0 a.m.73 views

📄 cPanel Authentication Manipulation / Session Injection

This Python script attempts to an authentication bypass against a cPanel login endpoint by crafting a modified login request and manipulating session-related data. Versions after 11.40 are affected...

9.8CVSS6AI score0.981EPSS
Exploits64
ATTACKERKB
ATTACKERKB
added 2026/05/01 8:34 p.m.2 views

CVE-2026-39807

Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determinescheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the...

6.3CVSS5.8AI score0.00454EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/04/30 6:16 p.m.6 views

CVE-2026-36761

A stored cross-site scripting XSS vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter...

6.1CVSS0.00155EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/29 12:33 p.m.19 views

ai.ancf.lmos:lmos-operator (>=0.5.0 <=0.6.0), ai.telosforge:kimaira-starter-dms (>=1.2.4 <=1.2.6) +5116 more potentially affected by CVE-2026-22741 via org.springframework:spring-webmvc (>=6.2.0 <=6.2.17)

org.springframework:spring-webmvc MAVEN version =6.2.0, =0.5.0, =1.2.4, =1.2.4, =1.17.0, =0.3.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.6.0, =8.8.1 and more Source cves: CVE-2026-22741 Source advisory: OSV:GHSA-WG35-8JPF-2XV3...

3.1CVSS5.7AI score0.00236EPSS
Exploits0
Veracode
Veracode
added 2026/04/29 10:41 a.m.9 views

Default Security Bypass

Spring Boot is vulnerable to Default Security Bypass. The vulnerability is due to Spring Boot's default web security being ineffective, where an application with no Spring Security configuration and relying on the default web security filter chain can allow unauthorized access to all endpoints, a...

9.1CVSS5.3AI score0.00489EPSS
Exploits0References5Affected Software2
NVD
NVD
added 2026/04/28 12:16 a.m.6 views

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

9.1CVSS0.00489EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/28 12:0 a.m.10 views

VMware Spring Boot 安全漏洞

VMware Spring Boot is an open-source framework developed by the American company VMware. Versions of VMware Spring Boot 4.0.0 to 4.0.5 have security vulnerabilities. These vulnerabilities stem from the default web security being ineffective, which may allow unauthorized access to all endpoints...

9.1CVSS5.8AI score0.00489EPSS
Exploits0References1
Rows per page
Query Builder