Lucene search
K

437 matches found

Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-47997 Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce is affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control...

5.9CVSS0.00612EPSS
Exploits0References1
NVD
NVD
added 2026/07/07 9:17 p.m.9 views

CVE-2026-44454

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a craft...

8.8CVSS0.02642EPSS
Exploits0References7
OSV
OSV
added 2026/07/06 12:0 a.m.2 views

MAL-2026-10222 Malicious code in @flex-ng/filter-pipe (npm)

The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...

6.1AI score
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/07/01 11:9 a.m.5 views

axios: Axios: Information disclosure due to prototype pollution vulnerability

A flaw was found in Axios, a promise-based HTTP client. This vulnerability involves prototype pollution gadgets in the request configuration processing. If another vulnerability has already polluted the Object.prototype.transformResponse, affected Axios versions may incorrectly interpret this...

7CVSS5.7AI score0.00495EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/06/29 6:18 p.m.8 views

Important: Red Hat Security Advisory: perl-IO-Compress security update

An update for perl-IO-Compress is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

7.8CVSS6.2AI score0.00292EPSS
Exploits3References2
NVD
NVD
added 2026/06/23 5:17 p.m.8 views

CVE-2026-45732

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate ...

8.3CVSS0.00315EPSS
Exploits0References1
NVD
NVD
added 2026/06/19 10:16 p.m.27 views

CVE-2026-56081

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...

9.3CVSS0.00351EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 1:25 p.m.13 views

CVE-2026-50643

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line...

5.1CVSS0.00138EPSS
Exploits0References2
OSV
OSV
added 2026/06/13 7:0 a.m.12 views

MAL-2026-5736 Malicious code in node-stack-frames (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5fd4f6c5f3278484d99f6ffffc001cf920dcb0fa4fdfabff957a61c3cfbfc158 package.json declares a preinstall script that runs an inline Node program on npm install. The script requires os and http, collects os.hostname,...

5.4AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.24 views

PT-2026-48306

Name of the Vulnerable Software and Affected Versions Spring REST Docs version 4.0.0 Spring REST Docs versions 3.0.0 through 3.0.5 Spring REST Docs versions 2.0.0.RELEASE through 2.0.8.RELEASE Description An XXE XML External Entity injection attack can occur when using spring-restdocs-webtestclie...

5.9CVSS6AI score0.00223EPSS
Exploits0References4
OSV
OSV
added 2026/06/05 7:32 p.m.1 views

CVE-2026-45300 async-http-client: Cookie header not stripped on cross-origin redirect

The AsyncHttpClient AHC library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak Cookie headers to cross-origin redirect targets. When following a redirect to a...

7.4CVSS6AI score0.00322EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/06/04 10:17 p.m.10 views

CVE-2026-48523

A flaw was found in PyJWT, a Python library for handling JSON Web Tokens JWT. An attacker with control over a registered JSON Web Key JWK private key can bypass security checks by signing a token with a forbidden algorithm while claiming to use an allowed one. This allows the attacker to have the...

5.4CVSS5.6AI score0.00127EPSS
Exploits1References4
OSV
OSV
added 2026/05/21 12:47 p.m.13 views

MAL-2026-4738 Malicious code in zest-product (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c9081ad708b658c1bd56299e401ca6a764cc9137d99573bc922d38a7381cc30d On npm install, postinstall.js collects host identity and environment data os.hostname, username, process.cwd, process.env values, plus shelled-out...

5.8AI score
Exploits0References3
OSV
OSV
added 2026/05/19 7:50 p.m.11 views

GHSA-PHQJ-4MHP-Q6MQ rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers

CipherCtxRef::cipherupdateinplace incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers EVPaes128,192,256wrappad. For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption whe...

5.1CVSS5.8AI score0.00019EPSS
Exploits0References2
Veracode
Veracode
added 2026/05/16 5:7 a.m.6 views

Local Code Execution

electerm is vulnerable to Local Code Execution. The vulnerability is due to insufficient validation of messages received over the single-instance IPC socket/pipe, where any process running under the same user can send crafted JSON payloads to create tabs and spawn attacker-controlled local...

9.3CVSS5.8AI score0.00114EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/12 2:23 a.m.15 views

CVE-2026-40137

SAP CVE-2026-40137 affects the SAP TAF_APPLAUNCHER component of Business Server Pages. It describes a Cross-Site Scripting (XSS) issue where an unauthenticated attacker can craft malicious links that, when a victim clicks, redirect to attacker‑controlled sites and potentially expose or alter info...

6.1CVSS5.8AI score0.00211EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 10:22 p.m.18 views

CVE-2026-44695

Outline is a service that allows for collaborative documentation. Prior to 1.7.1, the Slack integration callback for GET /auth/slack.post accepts an unsigned, session-independent OAuth state value. A third party who can obtain a Slack OAuth code for the same Outline Slack client can make a...

6.5CVSS0.00125EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/08 9:22 p.m.7 views

CVE-2026-42195 Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to ope...

3.4CVSS5.8AI score0.00192EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/08 6:35 p.m.12 views

EUVD-2026-28513

Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click...

9.6CVSS6AI score0.00394EPSS
Exploits0References2
OSV
OSV
added 2026/05/06 7:54 p.m.3 views

CVE-2026-40325 Masa CMS CSRF in content restoration allows unauthorized restoration of deleted content

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.restore function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator to submit a forged request that restores deleted...

8.7CVSS5.8AI score0.00151EPSS
Exploits0References3
Rows per page
Query Builder