CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

PyPA•added 3 days ago•2 views

PYSEC-0000-CVE-2026-45360

7.3CVSS6AI score0.0006EPSS

Exploits0References3Affected Software1

EUVD•added 3 days ago•6 views

EUVD-2026-33587

6AI score0.0006EPSS

Positive Technologies•added 3 days ago•8 views

PT-2026-45374

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserialize reference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler —...

6AI score0.0006EPSS

Exploits0References3

Positive Technologies•added 3 days ago•3 views

PT-2026-45977

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserialize reference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler —...

7.3CVSS6AI score

CNNVD•added 6 days ago•3 views

FreePBX 安全漏洞

FreePBX is a set of tools from the FreePBX project that allow configuration of Asterisk an IP telephony system through a GUI graphical web-based interface. Versions of FreePBX prior to 16.0.22 and 17.0.5 contained security vulnerabilities. These vulnerabilities stemmed from the getcontent AJAX...

8.8CVSS5.8AI score0.00047EPSS

Tenable Nessus•added 2026/05/22 12:0 a.m.•3 views

Unity Linux 20.1060e / 20.1070e Security Update: rubygem-kramdown (UTSA-2026-016633)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016633 advisory. Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. Tenable has extracted th...

9.8CVSS7.4AI score0.0259EPSS

Exploits1References4

AstraLinux•added 2026/05/20 5:53 a.m.•2 views

Astra Linux - уязвимость в ruby-kramdown

Before version 2.3.1, Kramdown did not restrict Rouge formatters to the Rouge::Formatters namespace, allowing arbitrary classes to be instantiated...

9.8CVSS7.4AI score0.0259EPSS

Exploits1References1

Positive Technologies•added 2026/05/19 12:0 a.m.•8 views

PT-2026-41945

Name of the Vulnerable Software and Affected Versions APScheduler affected versions not specified Description The JSONSerializer and CBORSerializer are subject to Remote Code Execution RCE through insecure deserialization. The unmarshal object function enables arbitrary class instantiation and...

6AI score0.00176EPSS

EUVD•added 2026/05/19 12:0 a.m.•5 views

EUVD-2026-30947

The JSONSerializer and CBORSerializer in APScheduler all versions including 3.10.x and 4.0.0a5 are vulnerable to Remote Code Execution RCE via Insecure Deserialization. The unmarshalobject function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

6AI score0.00176EPSS

Debian CVE•added 2026/05/19 12:0 a.m.•4 views

CVE-2026-31072

9.8CVSS6AI score0.00176EPSS

Exploits0

ATTACKERKB•added 2026/05/08 6:36 p.m.•3 views

CVE-2026-8178

An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application...

9.2CVSS6.1AI score0.00029EPSS

CNNVD•added 2026/05/08 12:0 a.m.•5 views

Magnitude Simba Amazon Redshift JDBC Driver 安全漏洞

The Magnitude Simba Amazon Redshift JDBC Driver is a JDBC driver provided by the American company Magnitude. It enables database connection through the standard JDBC Application Programming Interface API available in the Java Platform Enterprise Edition. Versions of the Magnitude Simba Amazon...

9.2CVSS6.1AI score0.00029EPSS

Veracode•added 2026/05/07 7:6 a.m.•8 views

Unsafe Deserialization

Apache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to incomplete enforcement of a classname allowlist in AbstractIoBuffer.resolveClass, where certain branches e.g., for primitive or static classes bypass validation and call Class.forName without checks, allowing attacke...

9.8CVSS6AI score0.00083EPSS

Exploits1References3Affected Software1

OSV•added 2026/05/04 6:30 p.m.•1 views

GHSA-CX4M-2P55-RW7J Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtensionClass, String method loads a class by its fully-qualified name via Class.forName and invokes its no-arg...

9.8CVSS6.1AI score0.00641EPSS

Snyk•added 2026/05/04 6:26 p.m.•6 views

Unsafe Reflection

Overview Affected versions of this package are vulnerable to Unsafe Reflection that leads to arbitrary class instantiation, via the instantiateExtension method in the ExtensionLoader class. An attacker can trigger the static initializer of any class present on the classpath by supplying a model...

9.8CVSS6.1AI score0.00641EPSS

UbuntuCve•added 2026/05/04 5:16 p.m.•1 views

CVE-2026-42027

9.8CVSS5.9AI score0.00641EPSS

Vulnrichment•added 2026/05/04 4:43 p.m.•0 views

CVE-2026-42027 Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

6.1AI score0.00641EPSS

EUVD•added 2026/05/04 4:43 p.m.•3 views

EUVD-2026-27005

6.1AI score0.00641EPSS