Lucene search
K

1341 matches found

Nuclei
Nuclei
added 2 days ago53 views

XStream 1.4.18 - Remote Code Execution

XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

8.5CVSS7.5AI score0.98124EPSS
Exploits6References5
ATTACKERKB
ATTACKERKB
added 3 days ago4 views

CVE-2026-22874

Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering...

9.6CVSS5.9AI score0.00464EPSS
Exploits1References6
CVE
CVE
added 3 days ago12 views

CVE-2026-22874

Gitea up to version 1.26.2 has incomplete SSRF protection in webhook and migration allow-list filtering (CVE-2026-22874). Affected: Gitea 1.26.x prior to 1.26.3. The issue exposes SSRF risk due to insufficient filtering in webhook and migration allow-list mechanisms. Patches addressing this belon...

9.6CVSS7.1AI score0.00464EPSS
Exploits1References5
CVE
CVE
added 5 days ago15 views

CVE-2026-12142

CVE-2026-12142 affects the NEX-Forms – Ultimate Forms Plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the internal parameter named '_name[]' , present in all versions up to and including 9.2.2 . Root cause: insufficient input sanitization and output escaping, co...

7.2CVSS5.9AI score0.00304EPSS
Exploits0References14
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-40881

UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpys copies a rule token into temp1rule1 25-byte destination or temp2/temp3 16-byte destination, the code unconditionally writes a N...

9.1CVSS6.3AI score0.00504EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-58172 Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests

Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs...

9.3CVSS0.00412EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 6 days ago5 views

CVE-2026-58172 Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests

Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs...

9.3CVSS5.8AI score0.00412EPSS
Exploits0References4
CVE
CVE
added 6 days ago10 views

CVE-2026-58172

CVE-2026-58172 affects Ocelot up to version 24.1.0. A security control bypass allows denied clients to bypass IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen omits SecurityMiddleware, causing requests from blocked IP...

9.3CVSS5.8AI score0.00412EPSS
Exploits0References4
OSV
OSV
added last week5 views

PYSEC-2026-376 Langflow has Remote Code Execution in CSV Agent

Summary The CSV Agent node in Langflow hardcodes allowdangerouscode=True, which automatically exposes LangChain’s Python REPL tool pythonreplast. As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution RCE...

9.8CVSS7.7AI score0.33694EPSS
Exploits4References6
RedhatCVE
RedhatCVE
added 2026/06/26 10:31 p.m.8 views

CVE-2026-48936

A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the --allow-net permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or...

3.3CVSS5.6AI score0.00154EPSS
Exploits0References4
CVE
CVE
added 2026/06/26 1:14 a.m.26 views

CVE-2026-48936

CVE-2026-48936: A flaw in the Node.js Permission API can cause a local server to start via a Unix domain socket without the --allow-net permission, affecting the Node.js 26 release line. Connected sources indicate this has been fixed in the nodejs26-26.3.1-1.1 package (openSUSE Tumbleweed) and re...

3.3CVSS6.6AI score0.00154EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/26 1:14 a.m.37 views

CVE-2026-48936

A flaw in Node.js Permission API can cause a local server to be started via a Unix domain socket, even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26...

3.3CVSS0.00154EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/26 1:14 a.m.8 views

EUVD-2026-39608

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.2AI score0.00154EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 1:14 a.m.39 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS0.00154EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/26 1:14 a.m.8 views

CVE-2026-48936

A flaw in Node.js Permission API can cause a local server to be started via a Unix domain socket, even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26...

3.3CVSS6.4AI score0.00154EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/06/26 1:14 a.m.8 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.4AI score0.00154EPSS
Exploits0
AlpineLinux
AlpineLinux
added 2026/06/26 1:14 a.m.7 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.6AI score0.00154EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.9 views

SUSE SLED15 / SLES15 Security Update : python-PyJWT (SUSE-SU-2026:2627-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2627-1 advisory. This update for python-PyJWT fixes the following issues - CVE-2026-48522: PyJWKClient passes URI arguments...

7.4CVSS5.9AI score0.00394EPSS
Exploits4References13
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5510 Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo in code.gitea.io/gitea

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo in code.gitea.io/gitea...

8.5CVSS5.8AI score0.00291EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 3:53 p.m.5 views

EUVD-2026-39463

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls throu...

5.4CVSS6AI score0.0014EPSS
Exploits1References1
Rows per page
Query Builder