Lucene search
K

1168 matches found

CVE
CVE
added 5 days ago12 views

CVE-2026-15186

The CVE-2026-15186 vulnerability affects macrozheng mall (up to version 1.0.3) in the Portal Endpoint’s /returnApply/create function, where manipulating the orderId can lead to improper control of resource identifiers. This is a network-exposed issue with a low- to medium-severity CVSS range (bas...

6.5CVSS6.3AI score0.00237EPSS
Exploits0References6
CVE
CVE
added 6 days ago7 views

CVE-2026-50812

SQLite 3.53.1 and earlier trunk builds of the SQLite Session Extension are affected by a NULL pointer dereference in sqlite3changeset_apply_v3() when applying a malformed changeset, reaching sqlite3_value_type() with a NULL sqlite3_value pointer, leading to denial of service. The issue is tied to...

5.5CVSS6AI score0.00112EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:37 p.m.9 views

CVE-2026-59707

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/07 8:37 p.m.5 views

CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References4
CVE
CVE
added 2026/07/07 8:37 p.m.15 views

CVE-2026-59707

CVE-2026-59707 : LocalAI exposes an unauthenticated SSRF via POST /models/apply. The endpoint forwards unsanitized gallery URL fields to gallery.GetGalleryConfigFromURLWithContext, allowing requests to internal/private/loopback URLs and leaking partial responses in error messages. No exploitation...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 8:37 p.m.7 views

CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/07 8:37 p.m.32 views

CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS0.0036EPSS
Exploits0References4
Snyk
Snyk
added 2026/07/07 1:1 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00437EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 4:38 p.m.10 views

GHSA-CQWV-9QJX-VXW2 OpenClaw: Skill Workshop apply flow could override pending approval

Summary Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set apply: true despite approvalPolicy: pending. This advisory is scoped to the named feature and configuration. It does not change...

5.3CVSS6AI score0.00194EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 4:16 p.m.6 views

Deserialization of Untrusted Data

Overview feast is a Python SDK for Feast Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the ApplyFeatureView handler of registryserver.py, which calls FeatureView.fromproto and deserializes the feature view's embedded user-defined function before the appl...

9.8CVSS6.2AI score0.00862EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56239

Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.applyusageoverage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks no validation of auth.uid, org membership, or checkminrights. Becaus...

7.6CVSS6AI score0.00199EPSS
Exploits0References3
CVE
CVE
added 2026/06/21 1:26 p.m.15 views

CVE-2026-56239

Capgo CVE-2026-56239 affects Capgo before 12.128.2. The vulnerability lies in the public.apply_usage_overage SECURITY DEFINER function, which performs billing operations without validating authorization (no auth.uid(), org membership, or check_min_rights). Because the function runs with the owner...

7.6CVSS6AI score0.00199EPSS
Exploits0References2
NVD
NVD
added 2026/06/11 9:16 p.m.11 views

CVE-2026-53808

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before...

6.5CVSS0.00194EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 8:6 p.m.12 views

EUVD-2026-36314

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before...

6.5CVSS5.5AI score0.00194EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/11 8:6 p.m.10 views

CVE-2026-53808 OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before...

6.5CVSS5.2AI score0.00194EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/11 8:6 p.m.36 views

CVE-2026-53808 OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before...

6.5CVSS0.00194EPSS
Exploits0References2
CVE
CVE
added 2026/06/11 8:6 p.m.27 views

CVE-2026-53808

OpenClaw prior to 2026.5.6 contains an approval policy bypass in the Skill Workshop apply flow, allowing attacker-controlled agent tool calls to set apply: true despite approvalPolicy: pending. This enables modification of workshop configurations without proper authorization when the affected app...

6.5CVSS5.4AI score0.00194EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.15 views

PT-2026-48738

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.6 Description An approval policy bypass exists in the Skill Workshop apply flow. This issue allows agent tool calls to set the apply variable to true even when the approvalPolicy is configured as pending. An...

6.5CVSS5.2AI score0.00194EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/10 5:34 p.m.32 views

CVE-2026-50569 Fission: HTTPTrigger admission omits RelativeURL / Prefix validation; kubectl apply bypasses CLI checks

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeU...

4.3CVSS0.00227EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.15 views

Fission 输入验证错误漏洞

Fission is an open-source function deployment framework based on Kubernetes. Versions of Fission prior to 1.25.0 contained a input validation vulnerability. This vulnerability stemmed from the HTTPTriggerSpec.Validate method, which ignored the RelativeURL and Prefix fields during validation. As a...

4.3CVSS5.3AI score0.00227EPSS
Exploits0References1
Rows per page
Query Builder