Lucene search
+L

1849 matches found

osv
osv
added 2026/05/13 7:28 p.m.1 views

CVE-2026-28374 IDOR in Annotations API allows unprivileged users to DELETE annotation

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...

4.3CVSS6AI score0.00198EPSS
Exploits0References3
cnnvd
cnnvd
added 2026/05/13 12:0 a.m.11 views

CVAT.ai CVAT 安全漏洞

CVAT.ai CVAT is an open-source data processing tool developed by CVAT.ai. There are security vulnerabilities in the CVAT.ai CVAT versions from 2.5.0 to 2.63.0. These vulnerabilities stem from attacks where attackers can create or edit annotation guides on tasks, and add malicious JavaScript code...

8.5CVSS6.1AI score0.00266EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/05/13 12:0 a.m.15 views

PT-2026-40818

Name of the Vulnerable Software and Affected Versions CVAT versions 2.5.0 through 2.63.0 Description An attacker with permissions to create or edit an annotation guide on a task can inject malicious JavaScript code. This code executes in the browser of any user who opens the affected guide,...

8.5CVSS5.9AI score0.00266EPSS
Exploits0References5
opensuse
opensuse
added 2026/05/13 12:0 a.m.9 views

Security update for tor (critical)

openSUSE Security Update: Security update for tor Announcement ID: openSUSE-SU-2026:0164-1 Rating: critical References: 1264341 1264342 1264343 1264344 1264345 1264346 Cross-References: CVE-2026-44597 CVE-2026-44599 CVE-2026-44600 CVE-2026-44601 CVE-2026-44602 CVE-2026-44603 Affected Products:...

9.1CVSS5.8AI score0.0045EPSS
Exploits0References6
osv
osv
added 2026/05/11 5:36 p.m.9 views

BIT-NIFI-2026-39816 Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Scrip...

8.8CVSS5.9AI score0.0076EPSS
Exploits1References4
redhat
redhat
added 2026/05/09 3:24 p.m.2 views

github.com/containerd/containerd: containerd: Security bypass via Container Device Interface (CDI) annotation smuggling during checkpoint restoration.

A flaw was found in containerd, an open-source container runtime. The Container Runtime Interface CRI implementation, which allows Kubernetes to interact with container runtimes, improperly trusts Container Device Interface CDI annotations found within untrusted checkpoint image metadata during...

9.6CVSS6.1AI score0.00412EPSS
Exploits0References5
osv
osv
added 2026/05/09 8:44 a.m.4 views

OPENSUSE-SU-2026:20709-1 Security update for tor

This update for tor fixes the following issues: Changes in tor: - Update to 0.4.9.8 Fix out-of-bounds read boo1264341, CVE-2026-44597, TROVE-2026-011 Do not attempt or accept BEGINDIR via conflux legs boo1264342, CVE-2026-44599,TROVE-2026-008 Adjust conflux out-of-order queue accounting when...

9.1CVSS5.8AI score0.0045EPSS
Exploits0References12
nessus
nessus
added 2026/05/09 12:0 a.m.12 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016790)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016790 advisory. An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. FilteredRelation is subject to SQL injection in column aliases via control...

8.3CVSS5.9AI score0.00754EPSS
Exploits0References4
snyk
snyk
added 2026/05/08 5:31 p.m.12 views

Directory Traversal

Overview potato-annotation is an A flexible, stand-alone, web-based platform for text annotation tasks Affected versions of this package are vulnerable to Directory Traversal via the validatepathsecurity function. An attacker can gain unauthorized access to files outside the intended project...

5.1CVSS6.3AI score
Exploits0References2
github
github
added 2026/05/08 5:31 p.m.13 views

`potato-annotation` has a Project-Boundary Bypass

Summary validatepathsecurity uses string-prefix containment startswith for boundary checks. This allows paths that are outside the intended project directory but share its prefix string e.g., /tmp/potatoprojdemoevil/... vs /tmp/potatoprojdemo to be accepted. Details Affected source location root...

5.8AI score
Exploits0References2Affected Software1
euvd
euvd
added 2026/05/08 3:31 p.m.13 views

EUVD-2026-28593

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

8.8CVSS5.9AI score0.0076EPSS
Exploits1References3
github
github
added 2026/05/08 3:31 p.m.14 views

Apache NiFi is missing the Restricted annotation with the Execute Code Required Permission

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

8.8CVSS5.9AI score0.0076EPSS
Exploits1References7Affected Software1
osv
osv
added 2026/05/08 3:31 p.m.6 views

GHSA-2J9M-25XV-MP6R Apache NiFi is missing the Restricted annotation with the Execute Code Required Permission

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

8.8CVSS5.9AI score0.0076EPSS
Exploits1References7
nvd
nvd
added 2026/05/08 2:16 p.m.12 views

CVE-2026-39816

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

8.8CVSS0.0076EPSS
Exploits1References3
cvelist
cvelist
added 2026/05/08 1:38 p.m.38 views

CVE-2026-39816 Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

7.5CVSS0.0076EPSS
Exploits1References1
vulnrichment
vulnrichment
added 2026/05/08 1:38 p.m.10 views

CVE-2026-39816 Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

7.5CVSS5.9AI score0.0076EPSS
Exploits1References1
osv
osv
added 2026/05/08 1:38 p.m.2 views

CVE-2026-39816 Apache NiFi: Missing Execute Code Required Permission on TinkerpopClientService

The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy...

7.5CVSS6.1AI score0.0076EPSS
Exploits1References6
cve
cve
added 2026/05/08 1:38 p.m.28 views

CVE-2026-39816

CVE-2026-39816 impacts Apache NiFi 2.0.0-M1 through 2.8.0 where the optional TinkerpopClientService (in the graph bundle, nifi-other-graph-services-nar) lacks the @Restricted annotation for Execute Code permission. This allows a flow designer with restricted privileges to configure ByteCode Submi...

8.8CVSS5.9AI score0.0076EPSS
Exploits1References3Affected Software1
packetstormnews
packetstormnews
added 2026/05/08 12:0 a.m.12 views

ingress-nginx Configuration Injection

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible t...

8.8CVSS6.3AI score0.06669EPSS
Exploits1
cnnvd
cnnvd
added 2026/05/08 12:0 a.m.9 views

Apache NiFi 安全漏洞

Apache NiFi is a data processing and distribution system developed by the Apache Foundation in the United States. This system is primarily used for data routing, transformation, and intermediate logic within the system. Vulnerabilities exist in versions 2.8.0 of Apache NiFi, as the optional...

8.8CVSS5.9AI score0.0076EPSS
Exploits1References1
Rows per page
Query Builder