Lucene search
K

59 matches found

Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.11 views

PT-2026-53944

Name of the Vulnerable Software and Affected Versions IBM WebSphere Extreme Scale versions 8.6.1.0 through 8.6.1.6 Description Approximately 50 CORBA stub classes within the ogclient.jar file call the ORB.string to object function using an attacker-controlled IOR string during Java deserializatio...

10CVSS6.6AI score0.03415EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 3:40 p.m.38 views

CVE-2026-13744 Snowflake CLI SQL Injection Through Improper Neutralization of User-Controlled Input

Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL i...

8.3CVSS0.0032EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 6:17 p.m.19 views

CVE-2026-49851

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear approximately On² behavior in parselinktext. When parsing Markdown containing many consecutive characters, parselinktext repeatedly scans the input usin...

8.7CVSS0.0035EPSS
Exploits0References4
OSV
OSV
added 2026/06/23 5:42 p.m.6 views

PSF-2026-29

When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters \r the resulting file could be injected with unexpected keys and values if the attacker controls the written value...

4.1CVSS5.8AI score0.00128EPSS
Exploits0References7
Snyk
Snyk
added 2026/06/15 5:24 p.m.9 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the formatDate function when processing an excessively long or attacker-controlled date format string. An attacker can cause high CPU and memory consumption, leading to application...

8.2CVSS5.8AI score0.00331EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.16 views

PT-2026-49564

Name of the Vulnerable Software and Affected Versions AIOHTTP versions prior to 3.14.0 Description Attacker-controlled input included in multipart/payload headers can be used to modify a request to inject additional headers or change the request contents. This occurs when an application passes...

6.9CVSS5.8AI score0.00301EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.19 views

PT-2026-49583

Name of the Vulnerable Software and Affected Versions Angular versions prior to 22.0.1 Angular versions prior to 21.2.17 Angular versions prior to 20.3.25 Description A Denial of Service DoS issue exists in the @angular/common package. The formatDate function, also used by the standard DatePipe,...

8.2CVSS5.9AI score0.00331EPSS
Exploits0References7
Snyk
Snyk
added 2026/06/12 3:13 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the NuxtLink href when attacker-controlled input is bound to the to or href properties. An attacker can execute arbitrary scripts in the context of the application by supplying a crafted javascript: or data:...

5.4CVSS5.3AI score0.00198EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.19 views

PT-2026-48666

Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior ro 1.5.4 do not safely serialize scalar XML element values containing...

5.8CVSS5.4AI score0.00219EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/15 12:0 a.m.39 views

CVE-2026-39053

Oinone Pamirs 7.0.0 contains an XML External Entity XXE issue in its XStream-based XML parsing logic. When attacker-controlled XML is passed to framework parsing entry points such as PamirsXmlUtils.fromXML... or ViewXmlUtils.fromXML..., unsafe XML processing can lead to file disclosure or SSRF...

0.00365EPSS
Exploits0References3
OSV
OSV
added 2026/05/14 8:30 p.m.6 views

GHSA-F3CJ-J4F6-WQ85 Svelte: SSR XSS via Insecure Promise Serialization in hydratable

Contents of hydratable promises were not properly stringified, potentially leading to an XSS exploit. You are vulnerable if all of the following is true: - you are using hydratable an experimental feature at the time of this report - you are passing attacker-controlled input such that a synchrono...

5.3CVSS5.8AI score
Exploits0References4
Snyk
Snyk
added 2026/05/14 8:29 p.m.10 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by manipulatin...

8.1CVSS5.5AI score0.00319EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.13 views

PT-2026-40538

Name of the Vulnerable Software and Affected Versions protobufjs versions prior to 7.5.6 protobufjs versions prior to 8.0.2 Description Message constructors generate JavaScript functions that copy enumerable properties from a provided properties object without filtering the proto key. If an...

5.3CVSS5.8AI score0.00264EPSS
Exploits0References8
Snyk
Snyk
added 2026/05/07 9:18 p.m.7 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the RSS feed rendering process. An attacker can execute arbitrary JavaScript in the context of RSS readers by injecting malicious tag names or raw HTML markdown content. This is only exploitab...

4.8CVSS6AI score
Exploits0References3
UbuntuCve
UbuntuCve
added 2026/05/07 12:0 a.m.12 views

CVE-2026-41674

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

8.7CVSS5.9AI score0.00457EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/09 12:0 a.m.7 views

PT-2026-31816

Name of the Vulnerable Software and Affected Versions WolfSSL affected versions not specified Description The TLSX EchChangeSNI function incorrectly set extensions even when TLSX Find returned NULL. This allowed TLSX UseSNI to attach an attacker-controlled publicName to the shared WOLFSSL CTX whe...

9.1CVSS5.8AI score0.00393EPSS
Exploits0References11
Vulnrichment
Vulnrichment
added 2026/04/07 7:56 p.m.5 views

CVE-2026-39382 dbt has a Command Injection in Reusable Workflow via Unsanitized comment-body Output

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

9.3CVSS6AI score0.00389EPSS
Exploits0References2
CVE
CVE
added 2026/04/03 11:43 p.m.19 views

CVE-2026-34767

CVE-2026-34767 affects Electron before 38.8.6, 39.8.3, 40.8.3, and 41.0.3. It describes HTTP response header injection when apps register custom protocol handlers (protocol.handle / protocol.registerSchemesAsPrivileged) or modify headers via webRequest.onHeadersReceived if attacker-controlled inp...

6.5CVSS5.8AI score0.00211EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/03 11:1 p.m.4 views

CVE-2026-35053

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId without any authentication middleware. An attacker who ca...

9.8CVSS6.2AI score0.00546EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.8 views

PT-2026-29997

Impact Apps that register custom protocol handlers via protocol.handle / protocol.registerSchemesAsPrivileged or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or...

5.9CVSS5.9AI score0.00211EPSS
Exploits0References4
Rows per page
Query Builder