57363 matches found

EUVD
added 2026/02/04 9:56 a.m., 3 views

EUVD-2025-206810

Stored Cross-Site Scripting (XSS) vulnerability in Apidog version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to '/api/v1/user-avatar', which are then stored on the server and execute...

CVSS 5.1, AI score 5.4, EPSS 0.00243
Exploits 0, References 1
Vulnrichment
added 2026/02/04 8:25 a.m., 3 views

CVE-2025-15482 Chapa Payment Gateway Plugin for WooCommerce <= 1.0.3 - Unauthenticated Sensitive Information Exposure

The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapaproceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including t...

CVSS 5.3, AI score 5.3, EPSS 0.00282
Exploits 0, References 2
Nuclei
added 2026/02/04 7:00 a.m., 8 views

XWiki REST API - Private Pages Disclosure

A vulnerability in XWiki's REST API allows unauthenticated users to access information about private pages through the pages endpoint. This could lead to disclosure of sensitive information and page metadata. id: CVE-2025-29925 info: name: XWiki REST API - Private Pages Disclosure author:...

CVSS 8.7, AI score 6.2, EPSS 0.00906
Exploits 1
Nuclei
added 2026/02/04 7:00 a.m., 17 views

BentoML v1.3.9 - Open Redirect

An open redirect vulnerability exists in BentoML v1.3.9, where the file parameter in the /ui/gradioapi/file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs. id: CVE-2024-12760 inf...

AI score 5.4
Exploits 0, References 1
Nuclei
added 2026/02/04 7:00 a.m., 26 views

Hoverfly <= 1.11.3 - Remote Code Execution

Hoverfly versions 1.11.3 and below are vulnerable to remote code execution (RCE) via command injection in the middleware API endpoint /api/v2/hoverfly/middleware. Insufficient validation of the 'binary' and 'script' parameters allows an unauthenticated attacker to execute arbitrary commands on the...

CVSS 9.8, AI score 9, EPSS 0.10543
Exploits 7, References 2
Nuclei
added 2026/02/04 7:00 a.m., 181 views

Odoo - Cross-Site Scripting

Odoo is a business suite that has features for many business-critical areas, such as e-commerce, billing, or CRM. Versions before the 16.0 release are vulnerable to CVE-2023-1434, which is caused by an incorrect content type being set on an API endpoint. id: CVE-2023-1434 info: name: Odoo - Cross-Si...

AI score 6.9
Exploits 0, References 2
Nuclei
added 2026/02/04 7:00 a.m., 8 views

Microweber CMS2.0 - Cross-Site Scripting

Reflected Cross-Site Scripting (XSS) in the id parameter of the liveedit.modulesettings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. id: CVE-2025-51501 info: name: Microweber CMS2.0 - Cross-Site Scripting author: nukunga severity: medium description: | Reflected...

CVSS 6.1, AI score 6, EPSS 0.00724
Exploits 1, References 2
Nuclei
added 2026/02/04 7:00 a.m., 7 views

Couchbase Server - Broken Access Control

Couchbase Server versions 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0-4.6.5, 5.0.0, 5.1.1, 5.5.0, and 5.5.1 contain insecure permissions for the projector and indexer REST endpoints caused by unauthenticated access, letting attackers access administrative APIs without authentication, exploit require...

CVSS 9.8, AI score 7, EPSS 0.03842
Exploits 0, References 1
Veracode
added 2026/02/04 6:55 a.m., 7 views

Prototype Pollution

nocodb is vulnerable to prototype pollution. The vulnerability is due to improper handling of user-controlled input in the /api/v2/meta/connection/test endpoint, which allows an authenticated attacker with org-level-creator permissions to pollute object prototypes and cause application-wide...

CVSS 4.9, AI score 5.5, EPSS 0.00348
Exploits 1, References 4, Affected Software 1
OSSF Malicious Packages
added 2026/02/04 5:14 a.m., 9 views

Malicious code in zalando-consent-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfebb7ed5c3e35afeff037425cd019134eb927484b619019f7d11b13d6fe59c5 The package zalando-consent-api was found to contain malicious code. Source: ghsa-malware...

AI score 5.4
Exploits 0, References 1
Snyk
added 2026/02/04 5:14 a.m., 2 views

Malicious Package

Overview zalando-consent-api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.4
Exploits 0, References 2
OSV
added 2026/02/04 5:14 a.m., 5 views

MAL-2026-729 Malicious code in zalando-consent-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfebb7ed5c3e35afeff037425cd019134eb927484b619019f7d11b13d6fe59c5 The package zalando-consent-api was found to contain malicious code. Source: ghsa-malware...

AI score 5.5
Exploits 0, References 1
RedhatCVE
added 2026/02/04 3:15 a.m., 9 views

CVE-2025-61635

Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit:...

AI score 5.2, EPSS 0.00356
Exploits 0, References 1
RedhatCVE
added 2026/02/04 3:15 a.m., 8 views

CVE-2025-69970

FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...

CVSS 9.3, AI score 5.5, EPSS 0.00463
Exploits 0, References 1
RedhatCVE
added 2026/02/04 3:15 a.m., 5 views

CVE-2026-25228

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...

CVSS 5, AI score 5.5, EPSS 0.00384
Exploits 1, References 1
Positive Technologies
added 2026/02/04 12:00 a.m., 5 views

PT-2026-6419

Summary An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. Impact A local process on the same machine could execute arbitrary...

CVSS 8.4, AI score 6
Exploits 0, References 3
CNNVD
added 2026/02/04 12:00 a.m., 6 views

AutoGPT Log Information Leakage Vulnerability

AutoGPT is an open-source tool developed by AutoGPT. It aims to make AI accessible and usable for everyone. Previous versions of AutoGPT, including autogpt-platform-beta-v0.6.46, had a vulnerability related to log information leakage. This vulnerability stemmed from the Stagehand integration...

CVSS 8.1, AI score 5.8, EPSS 0.00433
Exploits 1, References 2
CNNVD
added 2026/02/04 12:00 a.m., 7 views

Apache Answer Security Vulnerability

Apache Answer is a community platform of the Apache Foundation in the United States. Versions of Apache Answer prior to 1.7.1 contained security vulnerabilities. These vulnerabilities stemmed from unvalidated API endpoints that exposed the complete revision history of deleted content, potentially...

CVSS 7.5, AI score 5.8, EPSS 0.00619
Exploits 0, References 3
Positive Technologies
added 2026/02/04 12:00 a.m., 3 views

PT-2026-6207

Name of the Vulnerable Software and Affected Versions Apache Answer versions through 1.7.1 github.com/apache/answer versions prior to 2.0.0 Description An issue exists in Apache Answer where an unauthenticated API endpoint incorrectly exposes the full revision history of deleted content. This...

CVSS 7.5, AI score 5.4, EPSS 0.00619
Exploits 0, References 15
Positive Technologies
added 2026/02/04 12:00 a.m., 6 views

PT-2026-6476

Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...

CVSS 6.1, AI score 5.5, EPSS 0.00297
Exploits 1, References 6