Lucene search
K

261 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-55370

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's existing TOTP verification accepted a successfully used TOTP code again while the code remained inside the RFC 6238 acceptance window because the verifier used otplib's stateless check with window ...

6.4CVSS0.00199EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS0.00248EPSS
Exploits1References3
CVE
CVE
added 5 days ago11 views

CVE-2026-9021

The CVE concerns the WordPress plugin Easy Invoice (WordPress plugin) with vulnerability in versions up to 2.1.19. The root cause is Missing Authorization via AJAX actions easy_invoice_accept_quote and easy_invoice_decline_quote , registered with wp_ajax_nopriv_ hooks and relying on a quote-scope...

5.3CVSS6AI score0.00297EPSS
Exploits0References10
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-9021 Easy Invoice <= 2.1.19 - Unauthenticated Arbitrary Quote Accept/Decline and Invoice Creation via easy_invoice_accept_quote / easy_invoice_decline_quote AJAX Actions

The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easyinvoiceacceptquote and easyinvoicedeclinequote AJAX actions via wpajaxnopriv hooks and relying solely on a quote-scoped nonce that i...

5.3CVSS0.00297EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-9021

The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easyinvoiceacceptquote and easyinvoicedeclinequote AJAX actions via wpajaxnopriv hooks and relying solely on a quote-scoped nonce that i...

5.3CVSS6AI score0.00297EPSS
Exploits0References11
NVD
NVD
added 2026/06/25 8:17 p.m.8 views

CVE-2026-10592

Certificates with wildcard DNS SANs e.g. .example.com bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted...

6.3CVSS0.00124EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/06/25 8:8 p.m.7 views

CVE-2026-6731

X.509 name constraint bypass via the Subject Common Name when treated as a DNS-type name. A certificate whose Subject CN violates an issuing CA's DNS name constraints could be accepted...

7.5CVSS5.8AI score0.00124EPSS
Exploits0
CVE
CVE
added 2026/06/25 7:40 p.m.32 views

CVE-2026-10592

CVE-2026-10592 concerns certificates with wildcard DNS SANs (e.g., *.example.com) bypassing CA name-constraint checks. A wildcard SAN that should be rejected by the issuing CA’s permitted/excluded DNS name constraints could be accepted, enabling potential mis-issuance. The provided documents refe...

6.3CVSS5.8AI score0.00124EPSS
Exploits0References2Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/25 7:40 p.m.6 views

CVE-2026-10592

Certificates with wildcard DNS SANs e.g. .example.com bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted...

6.3CVSS5.8AI score0.00124EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 6:11 p.m.37 views

CVE-2026-54320 Daytona: Cross-tenant organization takeover via invitation acceptance with an unverified email

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and...

8.4CVSS0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 6:11 p.m.19 views

CVE-2026-54320

CVE-2026-54320 refers to Daytona’s cross-tenant takeover vulnerability prior to version 0.184.0. The issue allowed an unverified email that matched an invitation’s target to accept it (or decline) and join the target organization, since invitation acceptance/declination did not require email veri...

8.4CVSS6.2AI score0.00215EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/06/20 2:29 a.m.11 views

SUSE CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6AI score0.00445EPSS
Exploits0References7
NVD
NVD
added 2026/06/18 7:16 p.m.13 views

CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS0.00445EPSS
Exploits0References2
OSV
OSV
added 2026/06/18 7:16 p.m.5 views

ALPINE-CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6.1AI score0.00445EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/06/18 6:1 p.m.5 views

CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS5.8AI score0.00445EPSS
Exploits0
GithubExploit
GithubExploit
added 2026/06/13 7:11 a.m.124 views

Exploit for Cross-Site Request Forgery (CSRF) in Jupyter Jupyterhub

CVE-2026-40864 — JupyterHub XSRF bypass via cross-origin form...

5.4CVSS5.5AI score0.00159EPSS
Exploits1
NVD
NVD
added 2026/06/08 3:16 a.m.12 views

CVE-2026-11479

A vulnerability has been found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to use of weak hash. The attack may be performed from remote. Attacks of this nature are highly complex...

4.2CVSS0.0016EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.10 views

CVE-2026-45026

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, a Stored Cross-Site Scripting XSS vulnerability allows an authenticated user to inject malicious JavaScript into the Processo de Aceitação html/atendido/processoaceitacao.php page, which is executed when user access t...

6.8CVSS5.4AI score0.0023EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/02 12:31 a.m.14 views

EUVD-2026-33786

In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

5.9AI score0.00073EPSS
Exploits0References2
Ubuntu
Ubuntu
added 2026/05/28 12:47 p.m.21 views

USN-8335-1: pyOpenSSL vulnerability

It was discovered that pyOpenSSL incorrectly handled exceptions in the tlsextservername callback. This could result in connections being accepted after an exception, contrary to expectations...

6.3CVSS5.8AI score0.00241EPSS
Exploits0
Rows per page
Query Builder