1960 matches found
EUVD-2026-44638
PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream'...
Linux Distros Unpatched Vulnerability : CVE-2026-57216
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, AMQP 0-9-1, AMQP 1.0, and Stream Protocol authentication can allow a...
EUVD-2026-42874
Dell Unisphere for PowerMax, versions 10.3.0.5 and prior, contains a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges...
CVE-2026-59819
A flaw was found in LiteLLM, a proxy server for Large Language Model LLM APIs. A privileged caller, such as a proxy administrator, with permissions to test model connections, could exploit the /health/testconnection endpoint. By supplying specific environment or OIDC OpenID Connect file reference...
Origin Validation Error
Overview Affected versions of this package are vulnerable to Origin Validation Error via the CookieJar process. An attacker can access or manipulate cookies belonging to other hosts by exploiting improper domain matching for IP-address or bare-numeric domains. Remediation Upgrade guzzlehttp/guzzl...
CVE-2026-14373
HashiCorp Nomad and Nomad Enterprise are affected by CVE-2026-14373 where the Docker task driver did not enforce allow_privileged for host namespace mode options (process, IPC, user, UTS). This can allow an authenticated job submitter to place a container in the host namespace on Linux clients an...
CVE-2026-56293 Capgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in transfer_app()
Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...
EUVD-2026-42254
Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...
CVE-2026-14474
A flaw was found in SSSD's LDAP sudo provider. When the ldapsudosearchbase option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo...
EUVD-2026-41822
Prog Management System developed by PROG MIS has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents...
PT-2026-56051
Name of the Vulnerable Software and Affected Versions Cilium versions 1.19.0 through 1.19.1 Cilium versions 1.18.0 through 1.18.7 Cilium versions prior to 1.17.14 Description When L7 functionality is enabled, the Envoy instance creates a world-accessible socket on cluster nodes. A local attacker...
CVE-2026-12195
myVesta is affected by an authenticated remote code execution vulnerability. Low privileged users can insert arbitrary commands as a part of the vftpuser parameter when deleting FTP usernames. This could result in the execution of commands as the admin user or takevoer of the admin user in myVest...
GHSA-G6G7-PVMX-M74P 9router: Missing Authorization and OS Command Injection
Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router npm package — current master v0.4.39. Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawn...
CVE-2026-55111
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi Protect Floodlight devices to access files on the UniFi Protect Floodlight...
CVE-2026-13905
Race in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a local attacker to obtain potentially sensitive information from process memory via physical access to the device. Chromium security severity: Medium...
EUVD-2026-40374
Nightingale n9e before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege Standard role user through POST /api/n9e/datasource/list. The route is...
CVE-2026-56457
The CVE concerns HCL DevOps Deploy / HCL Launch with a vulnerability that allows exposure of sensitive information via output logs. The description notes that an attacker with access to the logs could potentially obtain sensitive values associated with a step. The Connected CVE lists confirm the ...
EUVD-2026-40091
HCL DevOps Deploy / HCL Launch is susceptible to an exposure of sensitive information vulnerability in output logs. This exposure could allow an attacker with access to the logs to potentially obtain sensitive values related to that step...
PYSEC-2026-358 InvokeAI Arbitrary File Deletion vulnerability
In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...
Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
The outhttp output plugin allows the use of placeholders such as $tag in the endpoint configuration parameter. It was discovered that if the placeholder value is derived from untrusted user input, an attacker can maliciously control the destination hostname of the outbound HTTP requests made by...