Cvelist, added 2026/04/10 1:30 a.m. (33 views)

CVE-2026-5998 zhayujie chatgpt-on-wechat CowAgent API Memory Content Endpoint service.py dispatch path traversal

A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal. The attack can be initiated remotely. Th...

CVSS 6.9 | EPSS 0.00632 | Exploits: 0 | References: 7

CVE, added 2026/04/10 1:30 a.m. (9 views)

CVE-2026-5998

The CVE-2026-5998 vulnerability affects zhayujie chatgpt-on-wechat CowAgent (up to 2.0.4) in the API Memory Content Endpoint’s dispatch function (service.py). An attacker can manipulate the filename argument, enabling path traversal and remote exploitation. The issue has been publicly reported wi...

CVSS 6.9 | AI score 5.6 | EPSS 0.00632 | Exploits: 0 | References: 7

Positive Technologies, added 2026/04/10 12:00 a.m. (5 views)

PT-2026-31854

Name of the Vulnerable Software and Affected Versions: zhayujie chatgpt-on-wechat CowAgent versions up to 2.0.4. Description: A flaw exists in the function dispatch of the file agent/memory/service.py within the API Memory Content Endpoint component. Manipulation of the filename argument can lead t...

CVSS 6.9 | AI score 5.8 | EPSS 0.00632 | Exploits: 0 | References: 11

Vulnrichment, added 2026/04/08 7:58 p.m. (5 views)

CVE-2026-39864 Kamailio Auth: Processing Vulnerability For Additional Authenticated User Identity Checks

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio (formerly OpenSER and SER) allows remote attackers to cause a denial of service (process crash) via a specially crafted SIP packet if a successful user...

CVSS 4.4 | AI score 6 | EPSS 0.00301 | Exploits: 0 | References: 1

CVE, added 2026/04/08 8:30 a.m. (21 views)

CVE-2026-39704

CVE-2026-39704 concerns a missing authorization (broken access control) vulnerability in the WordPress plugin Precious Metals Automated Product Pricing – Pro (nfusionsolutions). Affected versions are through 4.0.5, where improperly configured access control security levels can be exploited. The P...

CVSS 5.3 | AI score 5.1 | EPSS 0.0016 | Exploits: 0 | References: 1

CVE, added 2026/04/08 8:30 a.m. (12 views)

CVE-2026-39665

The CVE describes a DOM-Based XSS vulnerability in the WordPress plugin SEO Friendly Images (seo-image) by Vladimir Prelovac, affecting versions from n/a up to 3.0.5. Root cause: Improper neutralization of input during web page generation. Impact stated across sources as cross-site scripting acce...

CVSS 6.5 | AI score 5.9 | EPSS 0.00161 | Exploits: 0 | References: 1

NVD, added 2026/04/07 8:16 p.m. (22 views)

CVE-2026-39365

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

CVSS 6.3 | EPSS 0.00914 | Exploits: 1 | References: 1

EUVD, added 2026/04/07 7:13 p.m. (5 views)

EUVD-2026-19875

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

CVSS 6.3 | AI score 5.9 | EPSS 0.00914 | Exploits: 1 | References: 1

EUVD, added 2026/04/07 7:12 p.m. (6 views)

EUVD-2026-19873

Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, .crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are...

CVSS 8.2 | AI score 5.9 | EPSS 0.02095 | Exploits: 1 | References: 1

RedhatCVE, added 2026/04/07 5:12 a.m. (5 views)

CVE-2026-5615

A weakness has been identified in givanz Vvvebjs up to 2.0.5. The affected element is an unknown function of the file upload.php of the component File Upload Endpoint. This manipulation of the argument uploadAllowExtensions causes cross site scripting. Remote exploitation of the attack is possibl...

CVSS 5.3 | AI score 4.6 | EPSS 0.00773 | Exploits: 1 | References: 1

OSV, added 2026/04/06 5:17 p.m. (3 views)

UBUNTU-CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if t...

CVSS 7.5 | AI score 5.9 | EPSS 0.00651 | Exploits: 0 | References: 4

CVE, added 2026/04/06 2:33 p.m. (26 views)

CVE-2026-26026

GLPI versions 11.0.0–11.0.5 are affected by a template-injection path in the admin-created template mechanism that can lead to Remote Code Execution (RCE). The issue is fixed in 11.0.6. A related PoC exists on GitHub, but the exploit details are not provided in the document set. Mitigation: upgra...

CVSS 9.1 | AI score 5.9 | EPSS 0.0037 | Exploits: 1 | References: 1 | Affected Software: 1

Vulnrichment, added 2026/04/03 8:13 p.m. (3 views)

CVE-2026-5485 OS command injection in Amazon Athena ODBC driver on Linux

OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection. To...

CVSS 7.8 | AI score 6.3 | EPSS 0.00727 | Exploits: 0 | References: 6

Positive Technologies, added 2026/04/03 12:00 a.m. (3 views)

PT-2026-30223

OS command injection in the browser-based authentication component in Amazon Athena ODBC driver before 2.0.5.1 on Linux might allow a threat actor to execute arbitrary code by using specially crafted connection parameters that are loaded by the driver during a local user-initiated connection. To...

CVSS 7.8 | AI score 6.3 | EPSS 0.00727 | Exploits: 0 | References: 8

NVD, added 2026/04/02 3:16 p.m. (6 views)

CVE-2026-33544

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent...

CVSS 7.7 | EPSS 0.00338 | Exploits: 1 | References: 3

GithubExploit, added 2026/03/31 6:56 a.m. (120 views)

ha-ps4-jb

🎮 PS4 JB Web Server — Home Assistant Add-on A Home Assistant...

AI score 5.8 | Exploits: 0

Positive Technologies, added 2026/03/18 12:00 a.m. (8 views)

PT-2026-26167

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...

CVSS 8.6 | AI score 5.8 | EPSS 0.10069 | Exploits: 0 | References: 9

Positive Technologies, added 2026/03/18 12:00 a.m. (9 views)

PT-2026-26022

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza custom js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and a missing capability check in the 'admin post...

CVSS 6.4 | AI score 6 | EPSS 0.00156 | Exploits: 0 | References: 6

Vulnrichment, added 2026/03/17 7:41 p.m. (2 views)

CVE-2026-25936 GLPI Vulnerable to Authenticated SQL Injection

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, an authenticated user can perform a SQL injection. Version 11.0.6 fixes the issue...

CVSS 6.5 | AI score 5.8 | EPSS 0.00339 | Exploits: 0 | References: 1

NVD, added 2026/03/16 2:20 p.m. (7 views)

CVE-2026-4255

A DLL search order hijacking vulnerability in Thermalright TR-VISION HOME on Windows 64-bit allows a local attacker to escalate privileges via DLL side-loading. The application loads certain dynamic-link library (DLL) dependencies using the default Windows search order, which includes directories...

CVSS 8.4 | EPSS 0.00191 | Exploits: 0 | References: 1
