Lucene search
K

9803 matches found

AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux - уязвимость в rails

There is a code injection vulnerability in Active Storage version 5.2.0 and later, which could allow an attacker to execute code through imageprocessing arguments...

9.8CVSS6.9AI score0.02742EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: smb: server: Fixed a leak in activenumconn when there is a failure in transport allocation. The commit 77ffbcac4e56 “smb: server: fixed the leak of activenumconn in ksmbdtcpnewconnection” addresses the failure path in kthreadrun...

7.5CVSS5.3AI score0.00549EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux - уязвимость в samba

Kerberos acceptors need easy access to stable AD identifiers e.g., objectSid. Samba, as an AD DC, now provides a way for Linux applications to obtain a reliable SID and samAccountName from the issued tickets...

8.8CVSS7AI score0.01984EPSS
Exploits0References2
NVD
NVD
added 2026/05/20 2:16 a.m.16 views

CVE-2026-8423

The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active...

4.3CVSS0.00179EPSS
Exploits0References7
CVE
CVE
added 2026/05/20 12:0 a.m.16 views

CVE-2026-44925

CVE-2026-44925 describes a Cross-Site Request Forgery (CSRF) in InfoScale v.9.1.3 Operations Manager (VIOM). The vulnerability arises from an ability for an attacker to coerce an active VIOM session user into clicking a crafted HTML link, resulting in unintended modifications within the VIOM web ...

8.8CVSS5.8AI score0.00198EPSS
Exploits0References2Affected Software1
Patchstack
Patchstack
added 2026/05/19 3:10 a.m.9 views

WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability

SQL Injection vulnerability discovered by endy in WordPress Plugin Active Products Tables for WooCommerce versions = 1.0.8...

9.3CVSS5.9AI score0.00283EPSS
Exploits0Affected Software1
VulnCheck KEV
VulnCheck KEV
added 2026/05/19 12:0 a.m.20 views

VulnCheck KEV: CVE-2024-12802

SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN User Principal Name and SAM Security Account Manager account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and...

9.1CVSS6.6AI score0.00459EPSS
In wildExploits0References3
RedhatCVE
RedhatCVE
added 2026/05/16 1:56 a.m.19 views

CVE-2026-24899

Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not...

8.2CVSS5.8AI score0.00381EPSS
Exploits0References1
OSV
OSV
added 2026/05/15 9:31 p.m.6 views

GHSA-P9WC-4PJV-RG82 Duplicate Advisory: phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pm8c-3qq3-72w7. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated...

7.7CVSS6AI score0.00212EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/15 7:34 p.m.15 views

EUVD-2026-30619

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References1
CVE
CVE
added 2026/05/15 7:34 p.m.21 views

CVE-2026-44561

CVE-2026-44561 affects Open WebUI. The vulnerability arises in the is_user_channel_member check: before 0.9.0, the code verifies ChannelMember existence but ignores is_active, so deactivated members (status 'left', is_active=False) retain full read/write access to group/DM channels via direct API...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 7:34 p.m.7 views

CVE-2026-44561

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/15 7:34 p.m.8 views

CVE-2026-44561 Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.8AI score0.00178EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/15 6:36 p.m.45 views

CVE-2026-46359 phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.7CVSS0.00212EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/15 6:36 p.m.11 views

EUVD-2026-30594

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.5CVSS6.1AI score0.00212EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/15 6:36 p.m.7 views

CVE-2026-46359

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.5CVSS6.1AI score0.00212EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/15 6:36 p.m.8 views

CVE-2026-46359 phpMyFAQ - SQL Injection in CurrentUser::setTokenData via Unescaped OAuth Token Fields

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.7CVSS6.1AI score0.00212EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.13 views

PT-2026-41361

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.5CVSS6.1AI score0.00212EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/14 9:25 p.m.8 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to improper validation of JWT aud and iss claims in the Windows MDM authentication flow. An attacker can enroll unauthorized devices by presenting a valid Microsoft-signed Azure AD token from any tenant. This is...

8.2CVSS5.5AI score0.00381EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 9:25 p.m.5 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to improper validation of JWT aud and iss claims in the Windows MDM authentication flow. An attacker can enroll unauthorized devices by presenting a valid Microsoft-signed Azure AD token from any tenant. This is...

8.2CVSS5.5AI score0.00381EPSS
Exploits0References2
Rows per page
Query Builder