Lucene search
K

1281 matches found

OSV
OSV
added 2026/07/06 5:55 a.m.3 views

BIT-MASTODON-2026-48028 Mastodon: Removal of integrity-protected JSON entries from signed activities

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...

6.5CVSS6AI score0.00124EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 7:43 p.m.18 views

CVE-2026-48028 Mastodon: Removal of integrity-protected JSON entries from signed activities

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, Mastodon's normalization of incoming activities signed with Linked-Data Signatures does not sufficiently protect the activities from a certain class of spoofing, allowing threat actors...

6.5CVSS0.00124EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 7:43 p.m.14 views

CVE-2026-48028

Mastodon (open-source social network server) versions prior to 4.5.10, 4.4.17, and 4.3.23 are affected. The vulnerability arises from how incoming activities signed with Linked-Data Signatures are normalized, failing to adequately protect against a class of spoofing that lets an attacker remove J...

6.5CVSS5.9AI score0.00124EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.32 views

PT-2026-52078

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.5.10 Mastodon versions prior to 4.4.17 Mastodon versions prior to 4.3.23 Description Mastodon is a free, open-source social network server based on ActivityPub. The normalization of incoming activities signed with...

5.3CVSS5.9AI score0.00162EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/15 9:30 p.m.8 views

EUVD-2026-36958

Unauthenticated Broken Access Control in Booking Activities = 1.16.48.1 versions...

6.5CVSS5.1AI score0.00242EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 9:16 p.m.7 views

CVE-2026-39525

Unauthenticated Broken Access Control in Booking Activities = 1.16.48.1 versions...

6.5CVSS0.00242EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/15 8:18 p.m.27 views

CVE-2026-39525 WordPress Booking Activities plugin <= 1.16.48.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Booking Activities = 1.16.48.1 versions...

6.5CVSS0.00242EPSS
Exploits0References1
CVE
CVE
added 2026/06/15 8:18 p.m.10 views

CVE-2026-39525

The CVE-2026-39525 entry documents an unauthenticated broken access control in the WordPress Booking Activities plugin, affected versions ≤ 1.16.48.1. The vulnerability allows unauthenticated actors to access or modify data via the plugin’s functionality (impact per CVSS: Confidentiality: None, I...

6.5CVSS5.1AI score0.00242EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.20 views

Fedify 安全漏洞

Fedify is a TypeScript library developed by Hong Minhee. It is used to build federated server applications that support ActivityPub and other standards. Versions of Fedify prior to 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 have security vulnerabilities. These vulnerabilities stem from attackers...

7CVSS5.4AI score0.00171EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/06 12:43 p.m.15 views

CVE-2026-21037

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege...

7.1CVSS5.6AI score0.00105EPSS
Exploits0References1
NVD
NVD
added 2026/06/05 11:16 a.m.18 views

CVE-2026-21037

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege...

7.1CVSS0.00105EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/05 10:15 a.m.8 views

CVE-2026-21037

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege...

6.9CVSS5.6AI score0.00105EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/05 10:15 a.m.46 views

CVE-2026-21037

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege...

6.9CVSS0.00105EPSS
Exploits0References1
CVE
CVE
added 2026/06/05 10:15 a.m.20 views

CVE-2026-21031

Technical details about CVE-2026-21031 are not publicly available in the provided documents. Monitor for updates from vendor advisories and NVD.

7.8CVSS5.5AI score0.00093EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/03 10:1 a.m.12 views

CVE-2025-48570

In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS5.9AI score0.00072EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/26 11:38 p.m.13 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview @fedify/fedify is an An ActivityPub server framework Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through manipulation of JSON-LD document structure using keywords such as @graph, @included, and @reverse. An attacker can alter...

8.3CVSS5.9AI score0.00171EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/08 9:26 a.m.12 views

CVE-2026-5341 NMR Strava activities <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stravanmrconnect shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS6AI score0.00269EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/08 9:26 a.m.37 views

CVE-2026-5341 NMR Strava activities <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stravanmrconnect shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS0.00269EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.9 views

WordPress plugin NMR Strava activities 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.4CVSS5.8AI score0.00269EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/05/07 9:24 p.m.11 views

WordPress NMR Strava activities plugin <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin NMR Strava activities versions = 1.0.14...

6.4CVSS5.8AI score0.00269EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder