Lucene search
+L

32 matches found

NVD
NVD
added 2026/07/07 4:17 a.m.10 views

CVE-2026-34170

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS0.00171EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/07 3:23 a.m.7 views

CVE-2026-34170

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS6AI score0.00171EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/07 3:23 a.m.3 views

CVE-2026-34170 Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS6AI score0.00171EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.12 views

PT-2026-41965

Name of the Vulnerable Software and Affected Versions mailpit versions prior to v1.28.3 mailpit versions v1.28.3 and later Description An incomplete fix for a previous issue allows a Server-Side Request Forgery SSRF via the HTML Check API. While previous updates added size limits and content-type...

5.8CVSS5.8AI score0.00037EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/14 9:30 p.m.11 views

Crabbox: environment variable exposure vulnerability

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit...

9.3CVSS5.8AI score0.00742EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/05/14 9:30 p.m.8 views

GHSA-FM77-94QM-4894 Crabbox: environment variable exposure vulnerability

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit...

9.3CVSS5.8AI score0.00742EPSS
Exploits0References6
Snyk
Snyk
added 2026/05/14 9:25 p.m.8 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the process that handles environment variable allowlisting in repository-local configuration. An attacker can access sensitive environment variables, including API tokens and credentials, by forwarding them...

9.3CVSS6AI score0.00742EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/14 7:18 p.m.8 views

CVE-2026-8634 Crabbox < v0.12.0 Environment Variable Information Disclosure

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit...

9.3CVSS5.8AI score0.00742EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.17 views

PT-2026-41031

Name of the Vulnerable Software and Affected Versions Crabbox versions prior to 0.12.0 Description An environment variable exposure issue allows attackers with access to a malicious or compromised repository to forward local secrets, such as API tokens, cloud credentials, and broker tokens, into...

9.3CVSS5.8AI score0.00742EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2026/04/24 7:30 p.m.60 views

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses

Summary Gemini CLI @google/gemini-cli and the run-gemini-cli GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions. This update introduces a breaking change to how non-interactive headless environment...

6.5AI score
Exploits0References2Affected Software2
OSV
OSV
added 2026/04/24 7:30 p.m.5 views

GHSA-WPQR-6V78-JR5G Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses

Summary Gemini CLI @google/gemini-cli and the run-gemini-cli GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environments like GitHub Actions. This update introduces a breaking change to how non-interactive headless environment...

10CVSS6.4AI score0.00134EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/23 1:51 p.m.2 views

CVE-2026-33351

WWBN AVideo is an open source video platform. Prior to version 26.0, a Server-Side Request Forgery SSRF vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode the intended configuration for this file, the...

9.1CVSS5.8AI score0.00431EPSS
Exploits1References3Affected Software1
Snyk
Snyk
added 2026/03/16 6:46 p.m.6 views

Cross-site Scripting (XSS)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the file upload process. An attacker can execute arbitrary scripts in the user's browser by...

8.7CVSS5.8AI score0.00272EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.32 views

PT-2026-25823

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter e.g. ;charset=utf-8 to the Content-Type header...

8.3CVSS5.5AI score0.00272EPSS
Exploits0References12
Microsoft KB
Microsoft KB
added 2026/03/10 2:0 p.m.14 views

March 10, 2026—KB5079466 (OS Build 28000.1719)

None None...

8.8CVSS6.8AI score0.04491EPSS
Exploits11
Github Security Blog
Github Security Blog
added 2026/02/12 10:11 p.m.15 views

MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution

Description MagicLink stores serialized action objects in the magiclinks.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records e.g., via S...

6.1AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/12 10:11 p.m.7 views

GHSA-R33W-FG8J-9C94 MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution

Description MagicLink stores serialized action objects in the magiclinks.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records e.g., via S...

8.8CVSS6.1AI score
Exploits0References3
OSV
OSV
added 2026/02/06 8:38 p.m.8 views

CVE-2026-25592 Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK

Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.71.0, an Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in...

9.9CVSS5.4AI score0.0195EPSS
Exploits0References5
hivepro
hivepro
added 2025/11/19 6:23 p.m.11 views

SafePay Ransomware: TTPs and Defense Strategies

When a threat actor disables your security software and starts deleting your backups, you’re already in the middle of a crisis. The operators behind SafePay ransomware are known for these exact tactics, deliberately sabotaging your ability to respond and recover. Catching an attack like this earl...

7.1AI score
Exploits0
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-16200

Malicious code in bioql PyPI...

9.1CVSS9.3AI score0.00783EPSS
Exploits1References2
Rows per page
Query Builder