Lucene search
K

57979 matches found

Cvelist
Cvelist
added 10 hours ago8 views

CVE-2026-15075

In Eclipse Vert.x versions up to and including 4.5.29 4.x branch and 5.1.4 5.x branch, DefaultRedirectHandler vertx-core propagates all request headers as-is across cross-origin HTTP 30x redirects. Only Content-Length is stripped; no origin comparison scheme, host, port is performed before copyin...

8.2CVSS
Exploits0References1
CVE
CVE
added 10 hours ago14 views

CVE-2026-15075

CVE-2026-15075 affects Eclipse Vert.x up to 4.5.29 (4.x) and 5.1.4 (5.x). The DefaultRedirectHandler in vertx-core forwards all request headers across cross-origin HTTP 30x redirects, stripping only Content-Length. No origin check is performed before copying headers to the redirect target. This a...

8.2CVSS6.2AI score
Exploits0References1
EUVD
EUVD
added 10 hours ago5 views

EUVD-2026-43639

In Eclipse Vert.x versions up to and including 4.5.29 4.x branch and 5.1.4 5.x branch, DefaultRedirectHandler vertx-core propagates all request headers as-is across cross-origin HTTP 30x redirects. Only Content-Length is stripped; no origin comparison scheme, host, port is performed before copyin...

8.2CVSS6.2AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added 10 hours ago7 views

CVE-2026-57898

In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...

9CVSS6.3AI score
Exploits0References2Affected Software1
Cvelist
Cvelist
added 10 hours ago8 views

CVE-2026-57898

In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...

9CVSS
Exploits0References1
EUVD
EUVD
added 10 hours ago5 views

EUVD-2026-43635

In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...

9CVSS6.3AI score
Exploits0References1
Nuclei
Nuclei
added 11 hours ago40 views

REST API TO MiniProgram <= 4.7.1 - SQL Injection

The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of...

7.5CVSS6.1AI score0.03792EPSS
Exploits1References5
Nuclei
Nuclei
added 11 hours ago41 views

Sensei LMS < 4.24.2 - Email Template Leak

The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates. id: CVE-2024-7786 info: name: Sensei LMS 4.24.2 - Email Template Leak author: s4e-io severity: high description: | The Sensei LMS WordPress...

7.5CVSS6.1AI score0.01635EPSS
Exploits1References3
Nuclei
Nuclei
added 11 hours ago24 views

SRS - Command Injection

SRS's v5.0.137v5.0.156, v6.0.18v6.0.47 api-server server is vulnerable to a drive-by command injection. id: CVE-2023-34105 info: name: SRS - Command Injection author: iamnoooob,rootxharsh,pdresearch severity: high description: | SRS's v5.0.137v5.0.156, v6.0.18v6.0.47 api-server server is vulnerab...

7.5CVSS7AI score0.0876EPSS
Exploits1References2
Nuclei
Nuclei
added 11 hours ago205 views

Chuanhu Chat - Directory Traversal

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the webassets folder. However, the outdated version of gradio it employs is susceptible to pa...

9.8CVSS7AI score0.03757EPSS
Exploits1
Nuclei
Nuclei
added 11 hours ago42 views

NextChat - Server-Side Request Forgery

NextChat v2.12.3 suffers from a Server-Side Request Forgery SSRF and Cross-Site Scripting vulnerability due to a lack of validation of the GET parameter on the WebDav API endpoint. id: CVE-2024-38514 info: name: NextChat - Server-Side Request Forgery author: DhiyaneshDk severity: high description...

7.4CVSS6.1AI score0.02186EPSS
Exploits0References4
Nuclei
Nuclei
added 11 hours ago71 views

LearnPress < 4.2.7.1 - SQL Injection

The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'conlyfields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of...

10CVSS7AI score0.63134EPSS
Exploits6References2
Nuclei
Nuclei
added 11 hours ago52 views

SuperWebMailer 9.31.0.01799 - Cross-Site Scripting

SuperWebMailer v9.31.0.01799 was discovered to contain a reflected cross-site scripting XSS vulenrability via the component api.php. id: CVE-2024-24131 info: name: SuperWebMailer 9.31.0.01799 - Cross-Site Scripting author: DhiyaneshDK severity: medium description: | SuperWebMailer v9.31.0.01799 w...

6.1CVSS6.3AI score0.00924EPSS
Exploits1References2
Nuclei
Nuclei
added 11 hours ago38 views

MLFlow < 2.8.1 - Sensitive Information Disclosure

An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API. id: CVE-2023-43472 info: name: MLFlow 2.8.1 - Sensitive Information Disclosure author: ritikchaddha severity: high description: | An issue in MLFlow versions...

7.5CVSS7AI score0.36582EPSS
Exploits1References2
Nuclei
Nuclei
added 11 hours ago84 views

Digital Watchdog DW Spectrum Server 4.2.0.32842 - Information Disclosure

Digital Watchdog DW Spectrum Server 4.2.0.32842 allows attackers to access sensitive infromation via a crafted API call. id: CVE-2022-34534 info: name: Digital Watchdog DW Spectrum Server 4.2.0.32842 - Information Disclosure author: ritikchaddha severity: high description: | Digital Watchdog DW...

7.5CVSS7AI score0.02102EPSS
Exploits0References2
Nuclei
Nuclei
added 11 hours ago69 views

MStore API < 3.9.8 - SQL Injection

The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind SQL injection via the productid parameter. id: CVE-2023-3077 info: name: MStore API 3.9.8 - SQL Injection author: DhiyaneshDK severity: critical description: | The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind S...

9.8CVSS7.1AI score0.05505EPSS
Exploits2References2
Nuclei
Nuclei
added 11 hours ago65 views

WordPress Guppy <=1.1 - Information Disclosure

WordPress Guppy plugin through 1.1 is susceptible to an API disclosure vulnerability. This can allow an attacker to obtain all user IDs and then use them to make API requests to get messages sent between users and/or send messages posing as one user to another. id: CVE-2021-24997 info: name:...

6.5CVSS6.6AI score0.02753EPSS
Exploits2References5
Nuclei
Nuclei
added 11 hours ago95 views

WSO2 - Cross-Site Scripting

WSO2 contains a reflected cross-site scripting vulnerability in the Management Console of API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0,...

6.1CVSS6.4AI score0.41078EPSS
Exploits5References5
Nuclei
Nuclei
added 11 hours ago63 views

LumisXP <10.0.0 - Blind XML External Entity Attack

LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XML external entity XXE attacks via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service. id:...

9.1CVSS7AI score0.18607EPSS
Exploits1References4
Nuclei
Nuclei
added 11 hours ago58 views

Apache Kylin - Exposed Configuration File

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without...

5.3CVSS6.2AI score0.78331EPSS
Exploits0References5
Rows per page
Query Builder