Lucene search
+L

2048 matches found

NVD
NVD
added 2026/06/19 8:16 p.m.14 views

CVE-2026-48089

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

7.1CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2026/06/19 7:38 p.m.29 views

CVE-2026-48089

CVE-2026-48089 affects DevGuard. Before patch 1.4.2, an authenticated user, including from other orgs with no membership, could write and manage VEX rules and related vulnerability-triage endpoints on assets marked public. The root cause is improper authorization for public assets, enabling write...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 7:38 p.m.7 views

CVE-2026-48089

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/19 7:38 p.m.26 views

CVE-2026-48089 DevGuard has improper authorization on public assets

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

7.1CVSS0.00235EPSS
Exploits0References2
OSV
OSV
added 2026/06/19 7:38 p.m.3 views

CVE-2026-48089 DevGuard has improper authorization on public assets

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References4
NVD
NVD
added 2026/06/19 6:16 p.m.20 views

CVE-2026-49287

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could...

7.4CVSS0.0027EPSS
Exploits0References2
OSV
OSV
added 2026/06/19 6:11 p.m.5 views

CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS5.9AI score0.00162EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:31 a.m.6 views

CVE-2026-11989

The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the uploadattachment. This makes it possible for unauthenticated attackers to make web...

6.5CVSS6AI score0.00312EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.26 views

PT-2026-51005

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.23 Statamic versions prior to 6.20.0 Description An authenticated Control Panel user can view metadata and content for resources they lack permission to access. This includes entries, assets, users, roles, group...

4.3CVSS5.9AI score0.00162EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/18 4:29 p.m.10 views

Malicious code in abuden22 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...

6.2AI score
Exploits0References4
OSV
OSV
added 2026/06/18 4:29 p.m.9 views

MAL-2026-6129 Malicious code in abuden22 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...

6.2AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/18 4:29 p.m.10 views

Malicious code in abuden218 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 36e1df12b592dc442d5266d4244831fd0b6ceb94c0960a26815f5fad3246b828 The tarball ships auto-publish.sh, a script that republishes the same payload under 100 distinct npm names ishowfeet1-ishowfeet20, nottuff1-nottuff30...

6.2AI score
Exploits0References4
OSV
OSV
added 2026/06/18 4:29 p.m.7 views

MAL-2026-6128 Malicious code in abuden218 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 36e1df12b592dc442d5266d4244831fd0b6ceb94c0960a26815f5fad3246b828 The tarball ships auto-publish.sh, a script that republishes the same payload under 100 distinct npm names ishowfeet1-ishowfeet20, nottuff1-nottuff30...

6.2AI score
Exploits0References4
CVE
CVE
added 2026/06/18 4:31 a.m.29 views

CVE-2026-11357

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress (versions up to and including 3.7.5) contains a Sensitive Information Exposure flaw in editor_assets_variables. Authenticated attackers with contributor-level access can extract license key, license owner email, a...

4.3CVSS5.3AI score0.00243EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/18 4:31 a.m.12 views

EUVD-2026-37843

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editorassetsvariables. This makes it possible for authenticated attackers, with contributor-level access and abov...

4.3CVSS5.2AI score0.00243EPSS
Exploits0References8
CVE
CVE
added 2026/06/17 9:37 p.m.29 views

CVE-2026-54386

CVE-2026-54386 affects marimo prior to 0.23.9. A reflected XSS in the notebook page arises from improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string. An unauthenticated attacker can craft a link with a payload (notably starting with new ) that ...

6.1CVSS5.1AI score0.00239EPSS
Exploits0References4
OSV
OSV
added 2026/06/17 9:37 p.m.3 views

CVE-2026-54386 marimo < 0.23.9 XSS via file Query Parameter in assets.py

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...

5.1CVSS5.9AI score0.00239EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 11:42 p.m.18 views

Malicious code in speed4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0766e347295e7a13e0604a89de30f662a24b690598f1e4b01edaac5400178347 [email protected] is not a functional Node package. package.json declares main: sw.js, but sw.js is a browser ServiceWorker importScripts'./8cfc2/hgshm.js...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/06/16 11:42 p.m.8 views

MAL-2026-5938 Malicious code in speed4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0766e347295e7a13e0604a89de30f662a24b690598f1e4b01edaac5400178347 [email protected] is not a functional Node package. package.json declares main: sw.js, but sw.js is a browser ServiceWorker importScripts'./8cfc2/hgshm.js...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 7:27 p.m.11 views

Malicious code in nottuff7 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 15a5e98054661d6eea29d8120457ffc7e00d7b516223a5fa6ec91355e9434652 The tarball ships auto-publish.sh, a script that republishes the same payload under 100 distinct npm names ishowfeet1-ishowfeet20, nottuff1-nottuff30...

6.2AI score
Exploits0References4
Rows per page
Query Builder