CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added last week•7 views

CVE-2026-53815

OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing...

7.1CVSS0.00215EPSS

EUVD•added last week•6 views

EUVD-2026-36321

7.1CVSS5.5AI score0.00215EPSS

Positive Technologies•added 2026/06/11 12:0 a.m.•6 views

PT-2026-48745

7.1CVSS5.5AI score0.00215EPSS

Exploits0References3

RedhatCVE•added 2026/06/05 7:50 p.m.•7 views

CVE-2026-44843

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with...

8.2CVSS5.7AI score0.00406EPSS

Positive Technologies•added 2026/06/05 12:0 a.m.•9 views

PT-2026-46962

sanic-cors version 2.2.0 and prior contains an improper regular expression in the try match function in sanic cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain...

5.5AI score0.00164EPSS

CVE•added 2026/06/05 12:0 a.m.•6 views

CVE-2026-37737

Sanic-Cors 2.2.0 and earlier versions contain an improper regular expression in the try_match() function of sanic_cors/core.py that uses re.match without end anchoring. This allows bypassing CORS origin allowlists by registering a domain that starts with a trusted origin string, leading to unauth...

6.5CVSS5.5AI score0.00164EPSS

Exploits0References4

OSV•added 2026/06/01 11:42 a.m.•6 views

BIT-KIBANA-2026-42398 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations...

7.7CVSS5.8AI score0.00272EPSS

NVD•added 2026/05/26 9:16 p.m.•10 views

CVE-2026-44843

8.2CVSS0.00406EPSS

Cvelist•added 2026/05/26 7:47 p.m.•30 views

CVE-2026-44843 LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists

8.2CVSS0.00406EPSS

CVE•added 2026/05/26 7:47 p.m.•37 views

CVE-2026-44843

LangChain CVE-2026-44843 affects LangChain-core runtimes prior to 0.3.85 and 1.3.3, which use older code paths with broad object allowlists that can revive trusted LangChain-serializable objects via load()/loads() calls. This may let attacker-controlled serialized constructor dictionaries instant...

Exploits0References1Affected Software1

ATTACKERKB•added 2026/05/26 7:47 p.m.•9 views

CVE-2026-44843

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/26 7:47 p.m.•17 views

CVE-2026-44843 LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists

Positive Technologies•added 2026/05/21 12:0 a.m.•6 views

PT-2026-42691

Name of the Vulnerable Software and Affected Versions Twig versions 3.24.0 through 3.24.x Description The object-destructuring assignment syntax generates a call to the getAttribute function within CoreExtension where the $sandboxed argument is hardcoded to false. This occurs regardless of whethe...

8.7CVSS5.8AI score0.00082EPSS

Exploits0References13

Positive Technologies•added 2026/05/21 12:0 a.m.•6 views

PT-2026-42635

Description The object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to CoreExtension::getAttribute with the $sandboxed argument hardcoded to false, regardless of whether a SandboxExtension is active. This permanently disables the sandbox's property and method policy...

8.7CVSS5.8AI score0.00082EPSS

ATTACKERKB•added 2026/05/19 1:33 p.m.•3 views

CVE-2026-43634

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

8.7CVSS6AI score0.00241EPSS

Exploits0References6Affected Software1

Vulnrichment•added 2026/05/19 1:33 p.m.•9 views

CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

8.7CVSS6AI score0.00241EPSS

EUVD•added 2026/05/19 1:33 p.m.•12 views

EUVD-2026-30935

10CVSS6AI score0.01072EPSS

CVE•added 2026/05/19 1:33 p.m.•12 views

CVE-2026-43634

CVE-2026-43634 affects HestiaCP versions 1.2.0–1.9.4. The vulnerability is an IP spoofing flaw: unauthenticated attackers can send arbitrary IPs via the CF-Connecting-IP header, bypassing authentication controls and Cloudflare network verification. This can defeat fail2ban brute-force protections...

8.7CVSS6AI score0.00241EPSS

Github Security Blog•added 2026/05/08 11:7 p.m.•7 views

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...