Lucene search
+L

32094 matches found

redhat
redhat
added yesterday5 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS6.9AI score0.00471EPSS
Exploits1References5
euvd
euvd
added yesterday5 views

EUVD-2026-44648

The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...

9.6CVSS6.2AI score
Exploits0References2
cvelist
cvelist
added yesterday28 views

CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url

The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...

9.6CVSS
Exploits0References2
ossf
ossf
added yesterday8 views

Malicious code in @leviosa86com/leviosa86-test (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96264a8719e17bd8ec21d47213fe31dec87445e01ff312a1e46af5819e028979 Package @leviosa86com/[email protected] ships src/poc/index.js which shells out via childprocess.exec to collect host identifiers hostname, pwd,...

6.1AI score
Exploits0References4
packetstorm
packetstorm
added yesterday15 views

📄 xxl-job Cross Site Scripting

A persistent cross site scripting vulnerability exists in xxl-job-admin JobInfoController.java where the addressList parameter accepts unsanitized URL‑encoded JavaScript. xxl-job versions prior to 3.4.0 are affected. Description Summary A stored Cross‑Site Scripting vulnerability exists in...

6.1CVSS5.7AI score
Exploits1
circl
circl
added 2 days ago6 views

CVE-2026-54684

creationtimestamp| type| source ---|---|--- 2026-07-14 23:58:16+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqnfxhbupl25...

7CVSS6.1AI score0.00133EPSS
Exploits0References1
cvelist
cvelist
added 2 days ago38 views

CVE-2026-15750 mastergo-design mastergo-magic-mcp mcp__getComponentLink get-component-link.ts z.string server-side request forgery

A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcpgetComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack ma...

7.5CVSS0.00227EPSS
Exploits0References6
nvd
nvd
added 2 days ago4 views

CVE-2026-61520

Simple Machines Forum 2.1 prior to commit 4bf35cf and 3.0 prior to commit b4d23df contains a server-side request forgery vulnerability in the image proxy that allows authenticated attackers to trigger internal HTTP requests by embedding attacker-controlled URLs in BBCode image tags, which the pro...

7.7CVSS0.00251EPSS
Exploits0References3
cvelist
cvelist
added 2 days ago33 views

CVE-2026-61520 Simple Machines Forum SSRF via image proxy

Simple Machines Forum 2.1 prior to commit 4bf35cf and 3.0 prior to commit b4d23df contains a server-side request forgery vulnerability in the image proxy that allows authenticated attackers to trigger internal HTTP requests by embedding attacker-controlled URLs in BBCode image tags, which the pro...

7.7CVSS0.00251EPSS
Exploits0References3
nvd
nvd
added 2 days ago3 views

CVE-2026-47737

Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, Puma is vulnerable to source IP spoofing when setremoteaddress proxyprotocol: :v1 is enabled and persistent connections are used because Puma incorrectly re-parses PROXY protocol headers after each keep-alive...

7.5CVSS0.00177EPSS
Exploits0References7
cve
cve
added 2 days ago37 views

CVE-2026-47737

CVE-2026-47737 affects the Puma Ruby/Rack web server. From 5.5.0 up to 7.2.1 and 8.0.2, it is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used. Puma re-parses PROXY protocol headers after each keep-alive on the same connec...

7.5CVSS6.1AI score0.00177EPSS
Exploits0References7
cvelist
cvelist
added 2 days ago34 views

CVE-2026-47737 Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, Puma is vulnerable to source IP spoofing when setremoteaddress proxyprotocol: :v1 is enabled and persistent connections are used because Puma incorrectly re-parses PROXY protocol headers after each keep-alive...

7.5CVSS0.00177EPSS
Exploits0References7
nvd
nvd
added 2 days ago4 views

CVE-2026-45063

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, X509Authenticator extracts the user identifier from $SERVER'SSLCLIENTSDN' with an unanchored regex that matches emailAddress= anywhere in the distinguishe...

9.1CVSS0.00336EPSS
Exploits0References6
osv
osv
added 2 days ago3 views

CVE-2026-45063 Symfony: Identity Spoofing via Unanchored DN Regex in X509Authenticator

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, X509Authenticator extracts the user identifier from $SERVER'SSLCLIENTSDN' with an unanchored regex that matches emailAddress= anywhere in the distinguishe...

9.1CVSS6.1AI score0.00336EPSS
Exploits0References8
euvd
euvd
added 2 days ago11 views

EUVD-2026-36132

Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges...

8.6CVSS6.1AI score0.00269EPSS
Exploits1References2
cve
cve
added 2 days ago93 views

CVE-2026-45067

The CVE affects Symfony MIME Address: the constructor previously accepted local-parts like "x\r\nBcc: attacker@evil" which could be emitted into message headers and SMTP commands (MAIL FROM/RCPT), enabling CRLF injection. The issue’s root cause is acceptance of line breaks in quoted local-parts; ...

6.3CVSS6.1AI score0.00619EPSS
Exploits0References6
osv
osv
added 2 days ago5 views

CVE-2026-45067 Symfony: Email Header / SMTP Command Injection via CRLF in Symfony\Component\Mime\Address

Description Symfony\Component\Mime\Address is the value-object every Symfony Mailer address to/cc/bcc/from/reply-to flows through; its constructor is documented as validating the address and throwing on invalid input, so developers treat it as a security boundary. The constructor accepts email...

6.3CVSS6.1AI score0.00619EPSS
Exploits0References8
cvelist
cvelist
added 2 days ago28 views

CVE-2026-56181 Windows Network Address Translation (NAT) Spoofing Vulnerability

...

8.3CVSS0.00242EPSS
Exploits0References1
cve
cve
added 2 days ago7 views

CVE-2026-56181

CVE-2026-56181 is a Windows Network Address Translation (NAT) spoofing vulnerability caused by an origin-validation error. It enables an adjacent-network attacker to impersonate a user on the NATed network, with high impact (code/privilege implications per report). Microsoft has released updates;...

8.3CVSS6.1AI score0.00242EPSS
Exploits0References1
circl
circl
added 2 days ago4 views

CVE-2026-8590

creationtimestamp| type| source ---|---|--- 2026-07-14 16:00:49+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqmlbredfw2t 2026-07-14 22:50:04+00:00| seen| https://infosec.exchange/users/vuldb/statuses/116920772161948536...

8.7CVSS6.1AI score0.00312EPSS
Exploits0References2
Rows per page
Query Builder