Lucene search
K

1905 matches found

Cvelist
Cvelist
added 2026/05/29 9:19 p.m.37 views

CVE-2026-9831 ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS0.00172EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 9:19 p.m.13 views

CVE-2026-9831 ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.19 views

PT-2026-44998

Name of the Vulnerable Software and Affected Versions ExtremeCloud IQ affected versions not specified Description A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path can intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued AP...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References3
CVE
CVE
added 2026/05/28 4:51 p.m.22 views

CVE-2026-45296

OpenReplay before 1.26.0 exposes cross-tenant risks via the Python API app_apikey routes that trust a caller-provided projectKey after validating only the API key and existence of the projectKey. The authorization flow fails to bind the authenticated API key to the correct tenant, enabling an att...

7.7CVSS5.8AI score0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/28 4:51 p.m.32 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7CVSS0.00231EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 6:16 p.m.24 views

CVE-2026-45090

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes...

7.5CVSS0.00231EPSS
Exploits0References2
CVE
CVE
added 2026/05/26 9:34 p.m.20 views

CVE-2026-44213

The CVE affects the OpenTelemetry.Exporter.Instana NuGet package. Before version 1.1.0, when INSTANA_ENDPOINT_PROXY is set, the Transport.ConfigureBackendClient() code creates an HttpClient that disables TLS certificate validation, allowing a network attacker to perform a MitM on the proxy and re...

6.5CVSS5.8AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 9:34 p.m.13 views

EUVD-2026-32014

The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the...

6.5CVSS5.8AI score0.00207EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 9:34 p.m.9 views

CVE-2026-44213

The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the...

6.5CVSS5.8AI score0.00207EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.10 views

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.14 views

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 6:16 p.m.14 views

CVE-2026-44775

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...

6.9CVSS0.00281EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/26 2:20 p.m.19 views

Malicious code in token-me-uk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a058b653e7a491fdf0c9128b4d2d408c2cdac6a1784adc5f02a0975a0e669eb The CLI in cli.mjs reads its API key from process.env.TOKENMEUKAPIKEY, falling back to process.env.OPENAIAPIKEY and then process.env.ANTHROPICAPIKEY...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/26 6:23 a.m.17 views

MAL-2026-4780 Malicious code in reasonix-plugmem (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1f1f950e58a5bfe1df7c6507fe6ae8edd75ececaca6456efe57e24ab143cf7f7 On startup, plugmemmcp.mjs writes /.reasonix/settings.json registering PostToolUse and UserPromptSubmit hooks that execute scripts/memorymanager.py...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/26 12:35 a.m.7 views

MAL-2026-4454 Malicious code in @taskd/maritime-email-processor (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a5aef29b4050fca18dd803428274de6072ff7412ecd134bd68dcc1f5e8fa150 The package's sole exported function emailProcessor in dist/index.mjs POSTs to a hardcoded endpoint https://job-api.alex-c92.workers.dev, sending the...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 5:23 p.m.15 views

Malicious code in @beyondbday/vibe-terminal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9859c1af428f41ba7f7eb2a1db744705f5644ff2422629d94e3de1ecb59c9405 On every launch of the vibe CLI, dist/vibe.js queries the npm registry for the latest version of @beyondbday/vibe-terminal and, if newer than the...

5.8AI score
Exploits0References4
GithubExploit
GithubExploit
added 2026/05/25 9:10 a.m.118 views

Exploit for CVE-2026-47101

CVE-2026-47101 — LiteLLM Privilege Escalation via /key/genera...

8.8CVSS5.8AI score0.00739EPSS
Exploits3
ATTACKERKB
ATTACKERKB
added 2026/05/23 4:27 a.m.12 views

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References3
CVE
CVE
added 2026/05/23 4:27 a.m.36 views

CVE-2026-6898

CVE-2026-6898 affects the WordPress plugin “Wishlist Member.” The vulnerability arises from a missing capability check in WishListMember3_Hooks::generate_api_key, present in all versions up to 3.30.1. This allows authenticated users with Subscriber-level access and above to modify the REST API Se...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/23 4:27 a.m.13 views

CVE-2026-6898

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References3
Rows per page
Query Builder