
OSV
added 2026/01/29 5:12 p.m., 6 views

CVE-2026-23896 immich API Key Privilege Escalation vulnerability

immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issu...

CVSS 7.2 | AI score 5.9 | EPSS 0.00303
Exploits: 1 | References: 3
EUVD
added 2026/01/29 5:12 p.m., 6 views

EUVD-2026-4957

immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issu...

CVSS 7.2 | AI score 5.9 | EPSS 0.00303
Exploits: 1 | References: 1
OSV
added 2026/01/29 3:16 p.m., 5 views

CVE-2020-37002

Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port...

CVSS 9.8 | AI score 6 | EPSS 0.00653
Exploits: 0 | References: 3
vulnersOsv
added 2026/01/29 3:00 p.m., 10 views

@amazeelabs/bridge-waku (>=1.1.9 <=2.0.1), @amazeelabs/executors (>=3.1.12 <=3.1.14) +18 more potentially affected by CVE-2026-23864 via react-server-dom-webpack (>=19.0.0 <=19.0.1)

react-server-dom-webpack NPM version =19.0.0, =1.1.9, =3.1.12, =1.4.7, =1.1.3, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859,...

CVSS 7.5 | AI score 7.4 | EPSS 0.02329
Exploits: 0
HackRead
added 2026/01/29 3:00 p.m., 5 views

This startup aims to solve crypto’s broken key management problem

Crypto security firm Sodot launches Exchange API Vault to stop API key theft, securing billions in assets while supporting low latency, high frequency trading...

AI score 5.9
Exploits: 0
CVE
added 2026/01/29 2:28 p.m., 11 views

CVE-2020-37012

CVE-2020-37012 - Tea LaTex 1.0 Remote Code Execution. Affected: Tea LaTex 1.0. The vulnerability is a remote code execution flaw that allows unauthenticated attackers to run arbitrary shell commands by crafting a malicious LaTeX payload and submitting it to the tex2png-based API action exposed at ...

CVSS 9.8 | AI score 6.7 | EPSS 0.00755
Exploits: 0 | References: 3
EUVD
added 2026/01/29 2:28 p.m., 6 views

EUVD-2020-30907

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...

CVSS 9.8 | AI score 6.7 | EPSS 0.00755
Exploits: 0 | References: 3
RedHat Linux
added 2026/01/29 9:08 a.m., 6 views

urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP...

CVSS 8.9 | AI score 5.8 | EPSS 0.02667
Exploits: 0 | References: 6
Cvelist
added 2026/01/29 8:36 a.m., 27 views

CVE-2026-1188

In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to...

CVSS 6.9 | EPSS 0.00491
Exploits: 0 | References: 1
CNNVD
added 2026/01/29 12:00 a.m., 6 views

TP-Link VIGI C385 security vulnerabilities

The TP-Link VIGI C385 is a surveillance camera produced by the TP-Link company. The TP-Link VIGI C385 V1 version has a security vulnerability. This vulnerability stems from buffer handling defects in the Web API, along with insufficient input cleaning, which may lead to memory corruption and remo...

CVSS 8.8 | AI score 6.2 | EPSS 0.06605
Exploits: 1 | References: 3
Positive Technologies
added 2026/01/29 12:00 a.m., 6 views

PT-2026-5312

Name of the Vulnerable Software and Affected Versions: AutoGPT versions prior to 0.6.44. Description: AutoGPT Platform’s block execution endpoints, both the main web API and external API, allow execution of blocks by UUID without verifying the disabled flag. This allows any authenticated user to...

CVSS 9.4 | AI score 6.2 | EPSS 0.01147
Exploits: 1 | References: 21
CNNVD
added 2026/01/29 12:00 a.m., 6 views

Budibase security vulnerabilities

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Budibase versions 3.26.3 and earlier contain security vulnerabilities. These vulnerabilities stem from the Creator-level user’...

CVSS 8.8 | AI score 5.9 | EPSS 0.00523
Exploits: 1 | References: 4
Tenable Nessus
added 2026/01/29 12:00 a.m., 5 views

AlmaLinux 8 : python-urllib3 (ALSA-2026:1254)

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:1254 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

CVSS 8.9 | AI score 5.9 | EPSS 0.02667
Exploits: 0 | References: 5
Tenable Nessus
added 2026/01/29 12:00 a.m., 5 views

MiracleLinux 9 : python3.12-urllib3-1.26.19-1.el9_7.1 (AXSA:2026-094:02)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-094:02 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...

CVSS 8.9 | AI score 5.9 | EPSS 0.02667
Exploits: 0 | References: 4
Snyk
added 2026/01/28 11:00 p.m., 4 views

Improper Handling of Case Sensitivity

Overview: Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the /api/file/getFile endpoint. An attacker can access sensitive configuration files by submitting mixed-case paths to bypass case-sensitive checks on case-insensitive file systems. Remediation...

CVSS 8.7 | AI score 5.9 | EPSS 0.00505
Exploits: 1 | References: 2
OSV
added 2026/01/28 11:00 p.m., 4 views

GHSA-F72R-2H5J-7639 SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal

Vulnerability Name: File Read Interface Case Bypass Vulnerability. Overview: The /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can...

CVSS 8.7 | AI score 5.6 | EPSS 0.00505
Exploits: 1 | References: 5
RedhatCVE
added 2026/01/28 9:17 p.m., 6 views

CVE-2026-23892

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a theoretical timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the firs...

CVSS 6 | AI score 5.9 | EPSS 0.00475
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/28 9:17 p.m., 7 views

CVE-2026-0746

The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'getaudio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

CVSS 6.4 | AI score 5.9 | EPSS 0.00181
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/28 9:16 p.m., 6 views

CVE-2026-22039

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved urlPath is executed using the Kyverno admission controller ServiceAccount, with no...

CVSS 9.9 | AI score 5.9 | EPSS 0.00516
Exploits: 1 | References: 1
ATTACKERKB
added 2026/01/28 8:27 p.m., 7 views

CVE-2026-24766

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the /api/v2/meta/connection/test endpoint, causing all database write operations to fail application-wide until server...

CVSS 4.9 | AI score 5.9 | EPSS 0.00348
Exploits: 1 | References: 2 | Affected Software: 1