Lucene search
+L

2048 matches found

Cvelist
Cvelist
added 2026/07/03 8:19 p.m.35 views

CVE-2026-28705 Gitea repository dumps write release assets using unsafe path names

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

0.00369EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 6:49 p.m.9 views

EUVD-2026-41208

Craft CMS: Missing peer-permission check in AssetsController::actionDeleteFolder allows deletion of other users' assets...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 4:15 p.m.4 views

CVE-2026-50282 Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...

7.1CVSS5.9AI score0.00207EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/07/02 12:55 p.m.7 views

Security Bulletin: Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in golang.org/x/net

Summary Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in golang.org/x/net. CVE-2026-33814 The vulnerability has been addressed. Vulnerability Details CVEID:CVE-2026-33814 DESCRIPTION: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loo...

7.5CVSS6.6AI score0.00781EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/07/02 12:43 p.m.11 views

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in net

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in net. CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-39821, CVE-2026-42502, CVE-2026-42506 The vulnerabilities have been addressed. Vulnerability Details...

9.6CVSS6.9AI score0.00478EPSS
Exploits0Affected Software2
NVD
NVD
added 2026/07/01 11:16 p.m.8 views

CVE-2026-50284

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS0.00249EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/01 10:37 p.m.28 views

CVE-2026-50284 Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS0.00249EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 10:37 p.m.20 views

CVE-2026-50284

Craft CMS (versions 5.0.0-RC1–5.9.21 and 4.0.0-RC1–4.17.14) has a privilege check flaw in AssetsController::actionDeleteFolder: it only enforces deleteAssets: for the target folder and does not enforce deletePeerAssets:, allowing a low-privilege user with folder-management rights on a shared volu...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 10:37 p.m.5 views

CVE-2026-50284

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/07/01 10:37 p.m.4 views

CVE-2026-50284 Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS5.9AI score0.00249EPSS
Exploits0References4
CVE
CVE
added 2026/07/01 10:20 p.m.20 views

CVE-2026-50283

Craft CMS versions 5.0.0-RC1–5.9.20 and 4.0.0-RC1–4.17.13 contain an authorization issue in AssetsController::actionReplaceFile that can delete a source asset without source delete permission when both assetId and sourceAssetId are supplied. The runtime loads assetId ($assetToReplace) and sourceA...

5.3CVSS5.8AI score0.00265EPSS
Exploits0References2
OSV
OSV
added 2026/07/01 10:20 p.m.7 views

CVE-2026-50283 Craft CMS: Unauthorized Deletion of Source Assets During File Replacement

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId...

5.3CVSS5.9AI score0.00265EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/26 10:12 p.m.11 views

EUVD-2026-38059

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References2
NVD
NVD
added 2026/06/24 10:16 p.m.10 views

CVE-2026-54066

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...

7.5CVSS0.01892EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:15 p.m.19 views

CVE-2026-54068 SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint...

5.9CVSS0.00239EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:13 p.m.17 views

CVE-2026-54066 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...

7.5CVSS0.01892EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 9:13 p.m.5 views

CVE-2026-54066 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...

7.5CVSS6.1AI score0.01892EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/23 9:54 a.m.7 views

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in follow-redirects

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in follow-redirects. CVE-2026-40895 The vulnerabilities have been addressed Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in...

7.5CVSS5.8AI score0.00486EPSS
Exploits0Affected Software2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.14 views

PT-2026-51642

Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An authorization bypass exists in the BulkAssetsController::update function. The system accepts the company id variable directly from user input without utilizing the standard company-scopin...

6.3CVSS5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.25 views

PT-2026-51461

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.9 Description An issue exists where a workspace-level builder can read any file the server process has access to by uploading a specially crafted PWA zip file. The POST /api/pwa/process-zip endpoint extracts the...

9.6CVSS5.8AI score0.00494EPSS
Exploits1References8
Rows per page
Query Builder