Lucene search
K

109 matches found

NVD
NVD
added 2026/06/29 2:16 p.m.10 views

CVE-2026-13568

A weakness has been identified in SourceCodester Inventory Management System 1.0. This vulnerability affects unknown code of the file /api/usershandler.php of the component User Registration Endpoint. This manipulation of the argument role causes improper access controls. Remote exploitation of t...

7.5CVSS0.00278EPSS
Exploits0References5
CVE
CVE
added 2026/06/22 2:22 p.m.10 views

CVE-2026-9610

IBM Datacap (including Datacap Navigator) 9.1.7–9.1.9 exposes resources or functionality not linked in the UI but accessible via direct URL requests, bypassing access controls (CWE-425: Direct Request). Affected: IBM Datacap 9.1.7, 9.1.8, 9.1.9 and Datacap Navigator 9.1.7, 9.1.8, 9.1.9. IBM’s bul...

5.3CVSS5.8AI score0.00189EPSS
Exploits0References1Affected Software2
CVE
CVE
added 2026/05/15 8:35 p.m.43 views

CVE-2026-45398

Summary (concrete details from provided docs): Open WebUI before 0.9.5 exposes an IDOR vulnerability in the retrieval API where knowledge base collections (UUID-named) are not checked by _validate_collection_access. This allows any authenticated user who knows a private knowledge base UUID to rea...

7.5CVSS5.8AI score0.00331EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.9 views

Palo Alto Networks Trust Protection Foundation 代码问题漏洞

Palo Alto Networks Trust Protection Foundation is a machine identity and certificate security management platform provided by Palo Alto Networks. There is a code vulnerability in Palo Alto Networks Trust Protection Foundation, which stems from incorrect authorization. This vulnerability could all...

7.2CVSS5.9AI score0.00277EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/28 6:10 p.m.2 views

CVE-2026-41403 OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic,...

6.3CVSS5.2AI score0.00259EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/24 2:36 a.m.11 views

Origin Validation Error

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Origin Validation Error via the Slack thread context. An attacker can inject unauthorized messages into the agent context by replying to allowlisted users in Slack threads, thereby...

5.4CVSS5.4AI score0.0014EPSS
Exploits0References2
NVD
NVD
added 2026/04/21 9:16 p.m.5 views

CVE-2026-6823

HKUDS OpenHarness prior to PR 147 remediation contains an insecure default configuration vulnerability where remote channels inherit allowfrom = "" permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach...

8.3CVSS0.00341EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/04/21 8:36 p.m.39 views

CVE-2026-6823 HKUDS OpenHarness Insecure Default Remote Channel Allowlist

HKUDS OpenHarness prior to PR 147 remediation contains an insecure default configuration vulnerability where remote channels inherit allowfrom = "" permitting arbitrary remote senders to pass admission checks. Attackers who can reach the configured channel can bypass access controls and reach...

8.3CVSS0.00341EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/13 6:57 a.m.4 views

CVE-2026-5936 Server-Side Request Forgery (SSRF) via URL Parameter in Foxit PDF Services API

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints e.g., cloud metadata services, or bypass...

8.5CVSS5.8AI score0.00195EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/25 7:54 p.m.2 views

Use of Less Trusted Source

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Use of Less Trusted Source via the getRealIpAddr function. An attacker can bypass IP-based access controls, rate limiting, or forge audit log entries by sending...

6.9CVSS5.8AI score0.00175EPSS
Exploits1References2
OSV
OSV
added 2026/03/23 6:45 p.m.6 views

CVE-2026-33690 AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getRealIpAddr function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-base...

5.3CVSS5.8AI score0.00175EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/21 10:32 a.m.4 views

CVE-2026-4514

A flaw has been found in PbootCMS up to 3.2.12. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. The attack may be perform...

6.5CVSS5.3AI score0.00201EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/20 5:50 p.m.6 views

CVE-2026-31836

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any...

8.1CVSS5.8AI score0.00295EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/15 1:35 p.m.2 views

CVE-2016-20029 ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability

ZKTeco ZKBioSecurity 3.0 contains a file path manipulation vulnerability that allows attackers to access arbitrary files by modifying file paths used to retrieve local resources. Attackers can manipulate path parameters to bypass access controls and retrieve sensitive information including...

6.9CVSS5.8AI score0.00206EPSS
Exploits1References6
OSV
OSV
added 2026/03/13 12:28 p.m.2 views

BIT-PARSE-2026-31856 Parse Server has a SQL injection via `Increment` operation on nested object field in PostgreSQL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation e.g., stats.counter. The amount value is...

9.8CVSS5.9AI score0.00418EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/09 12:0 a.m.7 views

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Prior to Apache Airflow 9.22.0, there were security...

5.4CVSS5.8AI score0.00359EPSS
Exploits1References4
SUSE CVE
SUSE CVE
added 2026/03/07 12:25 a.m.5 views

SUSE CVE-2026-26017

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check...

6.3CVSS5.8AI score0.00376EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.12 views

PT-2026-23721

Name of the Vulnerable Software and Affected Versions CoreDNS versions prior to 1.14.2 Description CoreDNS is a DNS server that utilizes a chain of plugins. A flaw in the default plugin execution order allows bypassing of DNS access controls. Specifically, security plugins like acl are evaluated...

9.8CVSS5.9AI score0.22162EPSS
Exploits72References150
Vulnrichment
Vulnrichment
added 2026/02/27 7:28 a.m.6 views

CVE-2025-9572 Foreman: satellite: graphql api permission bypass leads to information disclosure

n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass...

5CVSS5.9AI score0.00348EPSS
Exploits0References7
NVD
NVD
added 2026/02/20 10:16 p.m.10 views

CVE-2026-27022

@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directl...

6.5CVSS0.03722EPSS
Exploits0References4
Rows per page
Query Builder