CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

102438 matches found

CVE•added 2026/05/28 7:32 p.m.•16 views

CVE-2026-32847

DeepCode (commit c991dc2) exposes a path traversal vulnerability in the SPA catch-all route of new_ui/backend/main.py. An unauthenticated attacker can read arbitrary files by sending percent-encoded path segments to GET /{full_path:path}, bypassing Starlette path normalization via %2F and %2E%2E....

8.7CVSS5.9AI score0.00078EPSS

Exploits1References2Affected Software1

Cvelist•added 2026/05/28 7:32 p.m.•31 views

CVE-2026-32847 DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py

DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in newui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /fullpath:path endpoint. Attackers can bypass Starlette's...

8.7CVSS0.00078EPSS

Exploits1References2

IBM Security Bulletins•added 2026/05/28 7:30 p.m.•13 views

Security Bulletin: Multiple Vulnerabilities have been identified in IBM WebSphere Application Server and WebSphere Application Server Liberty shipped with IBM WebSphere Remote Server

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM WebSphere Application Server and WebSphere Application Server Liberty have been published in a security bulletin...

9.8CVSS5.9AI score0.0026EPSS

Exploits0Affected Software1

NVD•added 2026/05/28 7:16 p.m.•8 views

CVE-2026-43000

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token...

8.8CVSS0.00041EPSS

Exploits1References2

NVD•added 2026/05/28 7:16 p.m.•7 views

CVE-2026-42998

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application...

8.8CVSS0.00064EPSS

Exploits1References2

OSV•added 2026/05/28 7:16 p.m.•4 views

UBUNTU-CVE-2026-42998

8.8CVSS5.8AI score0.00064EPSS

Exploits1References4

NVD•added 2026/05/28 6:16 p.m.•8 views

CVE-2026-45307

Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the issafeurl helper used to validate post-login redirect targets applied urljoinrequest.hosturl, target before parsing, while the controller passed the raw target to redirect. A...

6.1CVSS0.00029EPSS

Exploits0References1

IBM Security Bulletins•added 2026/05/28 5:27 p.m.•9 views

Security Bulletin: Multiple vulnerabilities within WebSphere Application Server, affect IBM Tivoli Monitoring.

Summary Multiple vulnerabilities within WebSphere Application Server which is included as part of IBM Tivoli Monitoring ITM portal server have been addressed. Vulnerability Details CVEID:CVE-2025-12635 DESCRIPTION: IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server...

7.5CVSS5.7AI score0.00036EPSS

Exploits1Affected Software1

ATTACKERKB•added 2026/05/28 4:51 p.m.•10 views

CVE-2026-45296

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7CVSS5.8AI score0.00032EPSS

Exploits0References2Affected Software1

Cvelist•added 2026/05/28 4:51 p.m.•25 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

7.7CVSS0.00032EPSS

Exploits0References1

Snyk•added 2026/05/28 4:50 p.m.•6 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write via the bzip2recover utility when processing a specially crafted file. An attacker can cause memory corruption and application crash by supplying a malicious input file. Remediation A fix was pushed into the master...

5.1CVSS5.8AI score0.00021EPSS

Exploits0References2

RedHat Linux•added 2026/05/28 3:46 p.m.•11 views

dotnet: .NET: infinite loop allows an attacker to cause a denial of service

A flaw was found in dotnet. An infinite loop in ASP.NET Core allows an unauthenticated remote attacker to cause a denial of service over a network. This issue can lead to an application crash and a high consumption of system resources...

7.5CVSS5.8AI score0.00036EPSS

Exploits0References5

RedhatCVE•added 2026/05/28 2:15 p.m.•9 views

CVE-2026-9466

A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotel...

6.9CVSS5.7AI score0.00037EPSS

Exploits0References1

EUVD•added 2026/05/28 2:13 p.m.•6 views

EUVD-2026-32903

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...

8.7CVSS5.8AI score0.00098EPSS

Exploits0References2

IBM Security Bulletins•added 2026/05/28 1:24 p.m.•7 views

Security Bulletin: Multiple Vulnerabilities in IBM Library Support for Spring

Summary Multiple vulnerabilities were addressed in IBM Library Support for Spring 3.3 Vulnerability Details CVEID:CVE-2026-40972 DESCRIPTION: An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extrem...

9.8CVSS6.5AI score0.00085EPSS

Exploits0Affected Software1

EUVD•added 2026/05/28 12:30 p.m.•11 views

EUVD-2026-32862

FlowIntel up to version 3.3.0 contains a server-side request forgery SSRF vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specifi...

6.2CVSS5.8AI score0.00044EPSS

Exploits0References2

Akamai Blog•added 2026/05/28 12:0 p.m.•8 views

Consistent Protections Without Compromise: Akamai’s WAF Is Now on AWS Marketplace

...

5.8AI score

Exploits0

RedhatCVE•added 2026/05/28 8:12 a.m.•7 views

CVE-2026-44410

This vulnerability stems from a business logic flaw.Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer's expectations, to carry out malicious attacks...

3.8CVSS5.8AI score0.0002EPSS

Exploits0References1

ICS•added 2026/05/28 6:0 a.m.•11 views

Fourth Frontier Frontier X Mobile Application, Frontier X2

ADVISORY SUMMARY Successful exploitation of this vulnerability could allow an attacker to read and write arbitrary handle values and change clinical readings, which could result in taking control of the device and lead to patient harm. 2. RECOMMENDED PRACTICES CISA recommends users take...

8.8CVSS5.9AI score0.00035EPSS

Exploits0References11