Lucene search
K

192404 matches found

Snyk
Snyk
added 2026/03/10 11:57 p.m.9 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the FileTypeParser class. This is triggered when the ASF WMV/WMA parser receives input including an ASF sub-header with a size value of 0. An attacker can interrupt service with a 55-byte payload. Remediation Upgrade...

6.9CVSS5.8AI score0.00325EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/10 11:44 p.m.3 views

Symlink Attack

Overview org.webjars.npm:tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Symlink Attack via tar.x extraction, which allows an attacker to overwrite arbitrary files outside the intended extraction directory with a drive-relative symlink target - like...

8.2CVSS6.3AI score0.00253EPSS
Exploits4References2
Snyk
Snyk
added 2026/03/10 11:44 p.m.1 views

Symlink Attack

Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Symlink Attack via tar.x extraction, which allows an attacker to overwrite arbitrary files outside the intended extraction directory with a drive-relative symlink target - like...

8.2CVSS6.3AI score0.00253EPSS
Exploits4References2
NVD
NVD
added 2026/03/10 11:16 p.m.4 views

CVE-2025-22850

Time-of-check time-of-use race condition in the UEFI PdaSmm module for some IntelR reference platforms may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local...

5.6CVSS0.00083EPSS
Exploits0References1
CVE
CVE
added 2026/03/10 10:49 p.m.9 views

CVE-2025-22444

CVE-2025-22444 affects the UEFI PdaSmm module on certain Intel reference platforms. The flaw is described as Exposure of resource to wrong sphere, enabling information disclosure. A system software adversary with privileged user access and a high-complexity, local attack could potentially cause d...

5.6CVSS5.7AI score0.00103EPSS
Exploits0References1
CVE
CVE
added 2026/03/10 10:49 p.m.1537 views

CVE-2025-20064

CVE-2025-20064 describes improper input validation in the UEFI FlashUcAcmSmm module for Intel reference platforms, enabling local privilege escalation and potential local code execution. The vulnerability requires a privileged system software adversary, with no user interaction, and is characteri...

8.7CVSS5.8AI score0.00115EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/10 10:49 p.m.19 views

CVE-2025-20028

Time-of-check time-of-use race condition in the WheaERST SMM module for some IntelR reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occ...

7.1CVSS0.00076EPSS
Exploits0References1
NVD
NVD
added 2026/03/10 10:16 p.m.3 views

CVE-2026-31826

pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. Thi...

6.8CVSS0.00172EPSS
Exploits0References3
CVE
CVE
added 2026/03/10 9:4 p.m.38 views

CVE-2026-31812

In Quinn (Rust, QUIC), the quinn-proto parsing path decodes attacker-controlled varints with unwrap(), so a crafted QUIC Initial packet containing malformed quic_transport_parameters can trigger an unexpected end and panic. This remote, unauthenticated DoS is reachable over the network and affect...

8.7CVSS5.8AI score0.005EPSS
Exploits0References8
Snyk
Snyk
added 2026/03/10 9:2 p.m.6 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

7.2CVSS5.8AI score0.00108EPSS
Exploits0References3
CVE
CVE
added 2026/03/10 8:46 p.m.15 views

CVE-2026-0109

CVE-2026-0109 affects the function dhd_tcpdata_info_get in dhd_ip.c, enabling a remote Denial of Service due to a precondition check failure. Exploitation requires no user interaction and can be remote (network vector). The strongest public context comes from Android Pixel bulletin entries, which...

7.5CVSS5.9AI score0.00288EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/10 8:34 p.m.32 views

CVE-2025-66413 Git for Windows leaks NTLM hash when cloning from an attacker-controlled server

Git for Windows is the Windows port of Git. Prior to 2.53.02, it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password. This vulnerability is...

7.4CVSS0.00268EPSS
Exploits1References2
NVD
NVD
added 2026/03/10 8:16 p.m.9 views

CVE-2026-29792

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

9.8CVSS0.00519EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/10 8:12 p.m.6 views

EUVD-2026-10861

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26 , t.String format: 'url' is vulnerable to ReDoS. Repeating a partial url format protocol and hostname multiple times cause regex to slow down...

7.5CVSS5.8AI score0.00494EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/10 8:6 p.m.3 views

CVE-2026-29792 Feathersjs has an OAuth Callback Account Takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's...

9.3CVSS5.8AI score0.00519EPSS
Exploits0References1
NVD
NVD
added 2026/03/10 7:17 p.m.8 views

CVE-2026-27826

MCP Atlassian is a Model Context Protocol MCP server for Atlassian products Confluence and Jira. Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL b...

8.2CVSS0.13589EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/10 6:31 p.m.3 views

EUVD-2026-10497

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

2.3CVSS5.8AI score0.00342EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.7 views

Duplicate Advisory: .NET Denial of Service Vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4vgm-c2wm-63mw. This link is maintained to preserve external references. Original Description Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service...

7.5CVSS5.7AI score0.02818EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/03/10 6:31 p.m.3 views

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions. An attacker can gain elevated privileges by exploiting these permissions locally. Remediation Upgrade Microsoft.NETCore.App.Runtime.linux-musl-arm64 to version 10.0.4 or higher. References - Vulnerability...

8.5CVSS5.9AI score0.00359EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/10 6:31 p.m.3 views

EUVD-2026-10665

Untrusted search path in Windows GDI allows an unauthorized attacker to execute code locally...

7.8CVSS5.9AI score0.00496EPSS
Exploits0References2
Rows per page
Query Builder