Lucene search
+L

2543 matches found

redhatcve
redhatcve
added 2026/07/06 3:7 p.m.5 views

CVE-2026-50573

A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to bypass package integrity checks during the pnpm install process when operating in non-frozen mode. If a malicious package registry serves altered content for a locked package, pnpm may accept this new...

8.1CVSS5.9AI score0.00113EPSS
Exploits1References4
nvd
nvd
added 2026/06/25 6:16 p.m.10 views

CVE-2026-50021

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...

8.1CVSS0.00126EPSS
Exploits1References1
cvelist
cvelist
added 2026/06/25 4:48 p.m.38 views

CVE-2026-50021 pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL...

6.8CVSS0.00126EPSS
Exploits1References1
attackerkb
attackerkb
added 2026/06/22 3:42 p.m.4 views

CVE-2026-50184

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

5.7CVSS5.9AI score0.0015EPSS
Exploits0References3Affected Software1
redhat
redhat
added 2026/06/10 3:39 p.m.8 views

Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison

A flaw was found in Spring Boot. An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about a remote secret. In extreme circumstances, this could allow the attacker to determine the secret and upload changed classes, leading to...

7.5CVSS6.2AI score0.00262EPSS
Exploits0References5
nvd
nvd
added 2026/06/09 6:16 a.m.18 views

CVE-2026-4986

The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions...

5.3CVSS0.00197EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:29 p.m.11 views

CVE-2026-2404

CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /jsecurity check request payload...

6.9CVSS5.5AI score0.00186EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40552

mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remot...

4.7CVSS5.8AI score0.00286EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/22 3:1 p.m.9 views

CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering...

6AI score0.00178EPSS
Exploits0References4
redhat
redhat
added 2026/05/14 4:55 p.m.10 views

Apache Camel: Camel-Mail: Camel-Mail: Altered application behavior via header injection

A flaw was found in the Camel-Mail component. An attacker can exploit this by sending a specially crafted email to a mailbox monitored by a Camel application. Due to a missing inbound filter, malicious headers within the email are not properly filtered, allowing them to alter the behavior of othe...

9.4CVSS5.7AI score0.00621EPSS
Exploits1References5
osv
osv
added 2026/05/07 7:21 p.m.20 views

GO-2026-4984 Malicious module proxy can bypass checksum database in cmd/go

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy GOMODPROXY or checksum database GOSUMDB. A malicious module proxy can serve altered versions o...

7.5CVSS5.8AI score0.00231EPSS
Exploits0References3
malwarebytes
malwarebytes
added 2026/04/30 7:29 p.m.11 views

More PayPal emails hijacked to deliver tech support scams

Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices. In those cases, scammers created a PayPal subscription and then paus...

6AI score
Exploits0
attackerkb
attackerkb
added 2026/04/28 1:13 p.m.6 views

CVE-2026-40552

mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remot...

8.4CVSS5.8AI score0.00286EPSS
Exploits0References3
cvelist
cvelist
added 2026/04/28 1:13 p.m.33 views

CVE-2026-40552 Remote Code Execution in mpGabinet

mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remot...

4.7CVSS0.00286EPSS
Exploits0References2
cvelist
cvelist
added 2026/04/27 10:15 a.m.40 views

CVE-2026-7114 code-projects Employee Management System edit.php sql injection

A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilize...

6.5CVSS0.00192EPSS
Exploits0References5
ossf
ossf
added 2026/04/26 4:29 p.m.9 views

Malicious code in robase-gui-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 6c53f61007a9e23f2c47112de5225aa8e364f5aeb45c99d22084d6fb08b2179e During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

5.7AI score
Exploits0References9
ptsecurity
ptsecurity
added 2026/04/14 12:0 a.m.4 views

PT-2026-32676

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Improper encoding or escaping of output allows an attacker to perform log injection and forge logs by altering the payload of the 'POST /j security check' reques...

6.9CVSS6.2AI score0.00186EPSS
Exploits0References6
alpinelinux
alpinelinux
added 2026/03/27 8:10 a.m.4 views

CVE-2026-27855

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If...

6.8CVSS5.9AI score0.00338EPSS
Exploits1References1
cve
cve
added 2026/03/27 8:10 a.m.25 views

CVE-2026-27855

Dovecot OTP authentication is vulnerable to a replay attack under specific conditions: if auth cache is enabled and the username is altered in passdb, OTP credentials can be cached so that the same OTP response remains valid. An attacker who observes an OTP exchange can log in as the targeted use...

6.8CVSS5.9AI score0.00338EPSS
Exploits1References1Affected Software2
attackerkb
attackerkb
added 2026/03/27 8:10 a.m.8 views

CVE-2026-27855

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If...

6.8CVSS5.9AI score0.00338EPSS
Exploits1References2
Rows per page
Query Builder