Lucene search
+L

32101 matches found

cve
cve
added last week15 views

CVE-2026-53450

The CVE-2026-53450 entry affects Coturn (TURN/STUN server). A defect in prior releases (

7.4CVSS6.1AI score0.00287EPSS
Exploits0References2Affected Software1
osv
osv
added last week3 views

CVE-2026-53450 Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN...

7.4CVSS6.1AI score0.00287EPSS
Exploits0References4
circl
circl
added last week8 views

CVE-2026-49866

creationtimestamp| type| source ---|---|--- 2026-07-10 16:41:48+00:00| seen| https://gist.github.com/alon710/9eaabfe8d7f17c883b344ecc760d4947 2026-07-10 18:35:05+00:00| published-proof-of-concept| https://github.com/libp2p/js-libp2p/security/advisories/GHSA-cwc9-cp4j-mcvv...

7.5CVSS6.1AI score0.00446EPSS
Exploits0References2
ossf
ossf
added last week10 views

Malicious code in stella-ai-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936d3c8bc6611b58f5321ba5aab651bb3d2db821d172816283ca04633be00863 The stella CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP...

6.2AI score
Exploits0References9
osv
osv
added last week3 views

MAL-2026-10133 Malicious code in stella-ai-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936d3c8bc6611b58f5321ba5aab651bb3d2db821d172816283ca04633be00863 The stella CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP...

6.2AI score
Exploits0References9
nvd
nvd
added last week8 views

CVE-2026-38059

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS0.00592EPSS
Exploits0References3
euvd
euvd
added last week8 views

EUVD-2026-42908

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS6.1AI score0.00592EPSS
Exploits0References3
cve
cve
added last week11 views

CVE-2026-38059

The CVE-2026-38059 entry concerns iDirect iQ200 devices where the /api/identity and /api/ REST endpoints are exposed without authentication. An unauthenticated attacker with network access can retrieve sensitive device data including serial number, Device ID (DID), Terminal Private Key (TPK) iden...

8.7CVSS6.1AI score0.00592EPSS
Exploits0References3
osv
osv
added last week3 views

CVE-2026-29519 Lucee CFML Server Reflected XSS via URL Path Parsing

Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads...

6.2CVSS6.3AI score0.00386EPSS
Exploits1References5
cvelist
cvelist
added last week28 views

CVE-2026-60091 PraisonAI before 4.6.78 Unauthenticated SSRF via webhook_url

PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhookurl parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a...

7.2CVSS0.0018EPSS
Exploits0References2
veracode
veracode
added last week6 views

Improper Input Validation

github.com/coder/coder is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of the scheme and host in external workspace application URLs before substituting the $SESSIONTOKEN placeholder, which allows an attacker controlling a malicious workspace templa...

7.7CVSS6.1AI score0.00336EPSS
Exploits0References9Affected Software2
euvd
euvd
added last week6 views

EUVD-2026-42830

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator emai...

7.5CVSS6AI score0.00222EPSS
Exploits0References1
cve
cve
added last week12 views

CVE-2026-12685

The CVE describes a backdoor in the EscortWP escortwp WordPress theme up to version 3.6.2. The backdoor is vendor-authored and obfuscated, allowing an unauthenticated attacker who supplies a hard-coded per-build key to permanently delete all site content. It also covertly transmits the site URL, ...

7.5CVSS5.8AI score0.00222EPSS
Exploits0References1
cvelist
cvelist
added last week32 views

CVE-2026-12685 EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator emai...

0.00222EPSS
Exploits0References1
euvd
euvd
added 2026/07/10 12:3 a.m.16 views

EUVD-2026-34013

Tesla vulnerable to atom exhaustion via untrusted URL scheme...

8.2CVSS5.9AI score0.00301EPSS
Exploits0References5
nvd
nvd
added 2026/07/09 11:17 p.m.5 views

CVE-2026-59831

GitHub CLI gh is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without validating that it is a loopbac...

4.4CVSS0.00198EPSS
Exploits0References3
nvd
nvd
added 2026/07/09 11:17 p.m.7 views

CVE-2026-33655

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...

7.7CVSS0.00437EPSS
Exploits0References3
osv
osv
added 2026/07/09 11:8 p.m.2 views

MAL-2026-10104 Malicious code in px8my (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf The package's main entry px.js is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL...

6AI score
Exploits0References7
cve
cve
added 2026/07/09 10:28 p.m.24 views

CVE-2026-33655

The CVE-2026-33655 issue affects New API prior to version 0.12.0-alpha.1 where SSRF protection did not apply IP filtering to hostnames by default due to ApplyIPFilterForDomain being disabled. Authenticated users could configure notification URLs (Webhook, Bark, Gotify) that resolve to internal or...

7.7CVSS5.9AI score0.00437EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2026/07/09 10:11 p.m.45 views

CVE-2026-59831 GitHub CLI `gh codespace jupyter` could allow remote code execution when connecting to a malicious Codespace

GitHub CLI gh is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without validating that it is a loopbac...

4.4CVSS0.00198EPSS
Exploits0References3
Rows per page
Query Builder