57122 matches found

OSSF Malicious Packages
added 2026/04/13 3:25 p.m., 5 views

Malicious code in stats-api-js-client (npm)

Per-source details. Source: amazon-inspector (a84f9d7eef71d2b99a244ec63f5144ad80a0084e6c20fc903a1bbce208ad9777): The package stats-api-js-client was found to contain malicious code. Source: ghsa-malware...

AI score: 5.7
Exploits: 0 | References: 1
OSV
added 2026/04/13 3:25 p.m., 2 views

MAL-2026-2607 Malicious code in stats-api-js-client (npm)

Per-source details. Source: amazon-inspector (a84f9d7eef71d2b99a244ec63f5144ad80a0084e6c20fc903a1bbce208ad9777): The package stats-api-js-client was found to contain malicious code. Source: ghsa-malware...

AI score: 5.7
Exploits: 0 | References: 1
OSV
added 2026/04/13 3:25 p.m., 2 views

MAL-2026-2600 Malicious code in cms-site-api-js-client (npm)

Per-source details. Source: amazon-inspector (e7c005e0d9ed50229f543036c5c8bd9dd61a1ad0b5373efab2aa9fdba45084f9): The package cms-site-api-js-client was found to contain malicious code. Source: ghsa-malware...

AI score: 5.7
Exploits: 0 | References: 1
CVE
added 2026/04/13 2:36 p.m., 43 views

CVE-2026-33858

CVE-2026-33858 concerns Apache Airflow where Dag Authors could craft an XCom payload that enables the webserver to execute arbitrary code due to unsafe deserialization via legacy serialization keys in the XCom API. Affected component: Airflow’s XCom handling. Root cause: insecure deserialization ...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.00592
Exploits: 0 | References: 3 | Affected software: 1
EUVD
added 2026/04/13 12:31 p.m., 1 view

EUVD-2026-21902

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

CVSS: 8.8 | AI score: 6.4 | EPSS: 0.01011
Exploits: 0 | References: 3
EUVD
added 2026/04/13 12:31 p.m., 2 views

EUVD-2026-21904

Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI. Versions Affected: before 2.8.6. Description: The Storm UI visualization component interpolates topology metadata, including component IDs, stream names, and grouping values, directly into HTML via innerHTML in...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.00466
Exploits: 0 | References: 3
Snyk
added 2026/04/13 12:31 p.m., 1 view

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the TGT credential field via the Nimbus Thrift API, due to deserialization of base64-encoded data using ObjectInputStream.readObject without class filtering or validation. A user with topology...

CVSS: 8.8 | AI score: 6.5 | EPSS: 0.01011
Exploits: 0 | References: 2
OSV
added 2026/04/13 12:31 p.m., 3 views

GHSA-JF89-3Q6Q-VCGR Apache Storm: Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

CVSS: 8.8 | AI score: 6.4 | EPSS: 0.01011
Exploits: 0 | References: 4
CVE
added 2026/04/13 9:11 a.m., 17 views

CVE-2026-35337

CVE-2026-35337 — Apache Storm Deserialization of Untrusted Data via Kerberos TGT Credential Handling. Affected: Storm before 2.8.6. Summary: processing topology credentials submitted to Nimbus Thrift API deserializes base64-encoded TGT blobs with ObjectInputStream.readObject() without class filte...

CVSS: 8.8 | AI score: 6.4 | EPSS: 0.01011
Exploits: 0 | References: 2 | Affected software: 1
ATTACKERKB
added 2026/04/13 9:11 a.m., 0 views

CVE-2026-35337

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

AI score: 6.4 | EPSS: 0.01011
Exploits: 0 | References: 2
Vulnrichment
added 2026/04/13 9:11 a.m., 0 views

CVE-2026-35337 Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

AI score: 6.4 | EPSS: 0.01011
Exploits: 0 | References: 1
Vulnrichment
added 2026/04/13 6:57 a.m., 3 views

CVE-2026-5936 Server-Side Request Forgery (SSRF) via URL Parameter in Foxit PDF Services API

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass...

CVSS: 8.5 | AI score: 5.8 | EPSS: 0.00188
Exploits: 0 | References: 1
OSV
added 2026/04/13 5:42 a.m., 4 views

BIT-KIBANA-2026-33461 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

CVSS: 7.7 | AI score: 5.8 | EPSS: 0.00282
Exploits: 0 | References: 2
OSV
added 2026/04/13 5:38 a.m., 6 views

BIT-ELK-2026-33461 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

CVSS: 7.7 | AI score: 5.8 | EPSS: 0.00282
Exploits: 0 | References: 2
Tenable Nessus
added 2026/04/13 12:00 a.m., 4 views

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-8159-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8159-1 advisory. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update...

CVSS: 7.8 | AI score: 6.8 | EPSS: 0.00236
Exploits: 5 | References: 5
Tenable Nessus
added 2026/04/13 12:00 a.m., 0 views

Ubuntu Pro Realtime 22.04 LTS : Linux kernel (Intel IoTG Real-time) vulnerabilities (USN-8164-1)

The remote Ubuntu Pro Realtime 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8164-1 advisory. Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module (LSM). An unprivileged local attacker coul...

CVSS: 7.8 | AI score: 6.9 | EPSS: 0.00236
Exploits: 5 | References: 16
CNNVD
added 2026/04/13 12:00 a.m., 4 views

DbGate code issue vulnerability

DbGate is an open-source database manager developed by DbGate. Versions of DbGate 7.1.4 and earlier contained a code vulnerability. This vulnerability stemmed from a server-side request forgery issue in the apiServerUrl1 function within the REST/GraphQL component’s...

CVSS: 6.5 | AI score: 6.7 | EPSS: 0.00195
Exploits: 0 | References: 3
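The two SSRF entries above (CVE-2026-5936 in Foxit PDF Services and the DbGate apiServerUrl issue) describe the same failure: the server fetches whatever URL the client hands it, so the client can point it at loopback, RFC 1918 hosts or the cloud metadata service. The following is an added example, not Foxit's or DbGate's code, of the guard a practitioner would put in front of such a fetch. The Resolver interface, the fake DNS table and every host name in it are constructed for the example; the allowed port set is an assumption.

```java
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example (not Foxit's or DbGate's code): vet a user-supplied URL before the server fetches it. */
public class OutboundUrlGuard {

    /** Injected so the example runs offline; production passes InetAddress::getAllByName. */
    @FunctionalInterface
    public interface Resolver { InetAddress[] resolve(String host) throws UnknownHostException; }

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private static final Set<Integer> ALLOWED_PORTS = Set.of(-1, 80, 443);   // -1: no explicit port (assumption)
    private static final Pattern IPV4_LITERAL = Pattern.compile("^\\d{1,3}(\\.\\d{1,3}){3}$");

    /** Returns null if the URL may be fetched, otherwise the reason for refusing it. */
    public static String reject(String raw, Resolver resolver) {
        URI uri;
        try { uri = new URI(raw); } catch (URISyntaxException e) { return "unparseable URL"; }

        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return "scheme not allowed";          // file:, gopher:, dict:, ftp: ...
        }
        if (uri.getRawUserInfo() != null) {
            return "userinfo not allowed";        // http://trusted.host@evil.host/ confusion
        }
        String host = uri.getHost();              // null when the authority is not a valid host
        if (host == null || host.isEmpty()) {
            return "missing or malformed host";
        }
        if (!ALLOWED_PORTS.contains(uri.getPort())) {
            return "port not allowed";            // no probing of :6379, :8500, :9200 on internal hosts
        }

        InetAddress[] targets;
        try {
            boolean literal = host.startsWith("[") || IPV4_LITERAL.matcher(host).matches();
            // getAllByName on a literal never touches DNS; real host names go through the resolver
            targets = literal ? InetAddress.getAllByName(host) : resolver.resolve(host);
        } catch (UnknownHostException e) {
            return "host does not resolve";
        }
        for (InetAddress a : targets) {           // every A/AAAA record must be public
            if (isInternal(a)) {
                return "resolves to internal address " + a.getHostAddress();
            }
        }
        return null;
    }

    /** Loopback, unspecified, link-local (covers 169.254.169.254), RFC 1918 / site-local,
     *  multicast, IPv6 ULA fc00::/7 (covers fd00:ec2::254) and CGNAT 100.64.0.0/10. */
    static boolean isInternal(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (a instanceof Inet6Address) return (b[0] & 0xfe) == 0xfc;
        if (a instanceof Inet4Address) return (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64;
        return true;                              // unknown address family: refuse
    }

    static InetAddress[] literals(String... ips) {
        try {
            InetAddress[] out = new InetAddress[ips.length];
            for (int i = 0; i < ips.length; i++) out[i] = InetAddress.getByName(ips[i]);
            return out;
        } catch (UnknownHostException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        // Constructed DNS table: the second name is an attacker-controlled record
        // pointing at the metadata service, the classic bypass of a host-name-only check.
        Map<String, InetAddress[]> fakeDns = Map.of(
                "files.example.com", literals("203.0.113.10"),
                "meta.attacker.example", literals("169.254.169.254"));
        Resolver r = host -> {
            InetAddress[] a = fakeDns.get(host);
            if (a == null) throw new UnknownHostException(host);
            return a;
        };
        for (String u : List.of(
                "https://files.example.com/report.pdf",
                "http://169.254.169.254/latest/meta-data/",
                "http://meta.attacker.example/",
                "http://[fd00:ec2::254]/",
                "file:///etc/passwd",
                "http://files.example.com:8500/v1/kv/",
                "http://user@files.example.com/")) {
            String why = reject(u, r);
            System.out.println((why == null ? "ALLOW " : "DENY  ") + u + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```

The check is only as good as the address the HTTP client later connects to: a record that changes between `reject()` and the connect (DNS rebinding) defeats it, so the fetching code should connect to the vetted `InetAddress` rather than re-resolve the name, and should re-run the check on every redirect target.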
Positive Technologies
added 2026/04/13 12:00 a.m., 3 views

PT-2026-32328

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

AI score: 6.4 | EPSS: 0.01011
Exploits: 0 | References: 3
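The Apache Storm entries above (EUVD-2026-21902, the Snyk entry, GHSA-JF89-3Q6Q-VCGR, CVE-2026-35337 and PT-2026-32328) all name the same root cause: a base64 blob from the Nimbus Thrift API is handed to ObjectInputStream.readObject with no class filtering, so the stream, not the consumer, decides which class on the classpath gets instantiated. The block below is an added example, not Storm's code and not the fix shipped in 2.8.6 (which the page does not show); it places that unfiltered pattern beside the same call hardened with a JEP 290 ObjectInputFilter. TgtCredential and NotATgt are constructed stand-ins for the expected credential type and for a gadget class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

/** Added example, not Apache Storm's code: unfiltered vs. allow-listed readObject on a base64 blob. */
public class TgtDeserializationExample {

    /** Constructed stand-in for the one type the consumer legitimately expects in the blob. */
    public static final class TgtCredential implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        TgtCredential(String principal) { this.principal = principal; }
    }

    /** Constructed stand-in for a gadget class: any Serializable on the classpath whose
     *  readObject has side effects runs as soon as the stream names it, before any cast. */
    public static final class NotATgt implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("NotATgt.readObject ran: attacker-chosen class was instantiated");
        }
    }

    /** Java-serialize an object and base64 it, as a submitter would. */
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** VULNERABLE pattern: whatever class the stream names is resolved and instantiated. */
    static Object deserializeUnfiltered(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    /** HARDENED pattern: allow-list the expected class (plus String for its field), cap the
     *  graph depth, reject everything else before its constructor or readObject can run. */
    static Object deserializeFiltered(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                TgtCredential.class.getName() + ";java.lang.String;maxdepth=4;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();   // InvalidClassException("filter status: REJECTED") otherwise
        }
    }

    public static void main(String[] args) throws Exception {
        String legit = encode(new TgtCredential("storm/nimbus@EXAMPLE.COM"));   // constructed sample
        String hostile = encode(new NotATgt());                                 // constructed sample

        TgtCredential c = (TgtCredential) deserializeFiltered(legit);
        System.out.println("filtered, expected class accepted: " + c.principal);

        deserializeUnfiltered(hostile);   // NotATgt.readObject fires; a later cast would fail too late

        try {
            deserializeFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile blob rejected: " + e.getMessage());
        }
    }
}
```

A per-stream filter is the minimum; a JVM-wide baseline via the `jdk.serialFilter` system property (or `ObjectInputFilter.Config.setSerialFilter`) catches readObject calls elsewhere in the code base that nobody remembered to wrap. Where the consumer only needs the raw Kerberos ticket bytes, not a Java object graph, not deserializing at all removes the class entirely.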
Cvelist
added 2026/04/13 12:00 a.m., 28 views

CVE-2026-31283

In Totara LMS v19.1.5 and before, the forgot-password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime configuration is a ha...

EPSS: 0.00397
Exploits: 0 | References: 2
Positive Technologies
added 2026/04/13 12:00 a.m., 3 views

PT-2026-32432

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

CVSS: 7.7 | AI score: 5.8 | EPSS: 0.00282
Exploits: 0 | References: 3