CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1271 matches found

ProjectSend <= r1605 - Improper Authorization

An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to...

9.8CVSS8.5AI score0.9349EPSS

Exploits4References3

RedhatCVE•added 3 days ago•5 views

CVE-2026-45254

In the case of the capnet service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit...

6.5CVSS5.5AI score0.00049EPSS

Exploits0References1

RedhatCVE•added 3 days ago•5 views

CVE-2026-22707

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...

5.4CVSS5.5AI score0.00034EPSS

Exploits0References1

RedhatCVE•added 3 days ago•5 views

CVE-2026-42266

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager allowedextensionsuris is not correctly enforced by JupyterLab. The Py...

8.8CVSS5.5AI score0.00029EPSS

Exploits0References1

RedhatCVE•added 3 days ago•7 views

CVE-2026-40900

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement...

8.8CVSS5.9AI score0.00039EPSS

Exploits1References1

RedhatCVE•added 3 days ago•4 views

CVE-2026-40213

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

7.4CVSS5.6AI score0.00038EPSS

Exploits0References1

Cvelist•added 3 days ago•21 views

CVE-2026-5411 WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the saveajax function of the licensing module,...

8.8CVSS0.00209EPSS

Exploits0References2

RedhatCVE•added 3 days ago•8 views

CVE-2026-6657

A flaw was found in jupyter-server. A remote attacker can bypass Cross-Origin Resource Sharing CORS origin validation when the alloworiginpat configuration is used. This vulnerability allows malicious domains to pass validation against patterns intended for trusted domains. This could lead to...

6.1CVSS5.7AI score0.00022EPSS

Exploits0References4

SUSE CVE•added 3 days ago•7 views

SUSE CVE-2026-6657

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

6.1CVSS6AI score0.00022EPSS

Exploits0References3

Positive Technologies•added 3 days ago•6 views

PT-2026-47032

Name of the Vulnerable Software and Affected Versions WP Captcha PRO versions prior to 5.39 Description An arbitrary file upload issue exists in the licensing module of the plugin. The flaw stems from a capability check in the save ajax function and unrestricted file extraction in sync cloud...

8.8CVSS6AI score0.00209EPSS

Exploits0References4

NVD•added 5 days ago•6 views

CVE-2026-6657

6.1CVSS0.00022EPSS

Exploits0References1

Cvelist•added 5 days ago•37 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

6.1CVSS0.00022EPSS

Exploits0References1

Vulnrichment•added 5 days ago•6 views

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

6.1CVSS6AI score0.00022EPSS

Exploits0References1

CVE•added 5 days ago•10 views

CVE-2026-6657

CVE-2026-6657 affects jupyter-server 1.12.0–2.17.0. Root cause: using re.match() to validate the Origin header in allow_origin_pat, causing attacker-controlled domains like trusted.example.com.evil.com to bypass CORS origin checks. Impact stated across CORS headers, WebSocket connections, referer...

6.1CVSS6.6AI score0.00022EPSS

Exploits0References1

NVD•added 5 days ago•3 views

CVE-2026-47065

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TCPROXYCLASSDESC the marker for a java.lang.reflect.Proxy , JDK’s ObjectInputStream.readProxyDesc is dispatched. JDK then calls...

9.8CVSS0.00046EPSS

Exploits0References1

OSV•added 5 days ago•5 views

DEBIAN-CVE-2026-47065

9.8CVSS5.5AI score0.00046EPSS

Exploits0References1

CVE•added 5 days ago•30 views

CVE-2026-47065

CVE-2026-47065 (Apache MINA context) describes two deserialization bypass issues: first, resolveProxyClass bypasses the accept/allow-list when JDK resolves proxy interfaces from a serialized proxy via ObjectInputStream.readProxyDesc(), and second, readClassDescriptor triggers static initializers ...

9.8CVSS5.8AI score0.00046EPSS

Exploits0References1