Lucene search
+L

67 matches found

CVE
CVE
added 2026/07/11 6:50 a.m.16 views

CVE-2026-9017

The CVE describes an authorization bypass in the NEX-Forms – Ultimate Forms Plugin for WordPress (vulnerable up to and including 9.2.2). The underlying issue is that the plugin does not properly verify that a user is authorized to perform an action, enabling unauthenticated attackers to overwrite...

5.3CVSS6.1AI score0.00273EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/08 4:13 p.m.33 views

CVE-2026-59930 Mistune toc / TableOfContents directive: heading IDs use predictable `toc_N` numbering with no slugification, allowing collision with attacker-controlled `id="toc_N"` content

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable tocN values without slugifying the heading text, allowing attacker-controlled id="tocN" content to collide with generated anchors and...

4.3CVSS0.00128EPSS
Exploits1References3
OSV
OSV
added 2026/06/29 3:40 p.m.3 views

CVE-2026-13744 Snowflake CLI SQL Injection Through Improper Neutralization of User-Controlled Input

Improper neutralization of attacker-controlled content in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. By supplying crafted repository content, project configuration, manifest data, or specification input, an attacker could cause Snowflake CLI to execute unintended SQL i...

8.3CVSS6.1AI score0.0032EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 2:18 a.m.6 views

MAL-2026-6499 Malicious code in mongoose-json-format (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 910cc6eef707ac872daeb3a527e6dd9c75044ebb178f9eb48745f5cfd4123968 helpers.js defines a createLog helper that base64-decodes a constant HASHKEY to https://www.jsonkeeper.com/b/XVHGD an anonymous JSON-paste host and...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/06/25 8:57 p.m.8 views

USN-8477-1 tar vulnerability

It was discovered that tar incorrectly handled certain crafted archive files. An attacker could possibly use this to inject hidden files with attacker-controlled content, bypassing pre-extraction inspection mechanisms...

5.5CVSS5.8AI score0.0043EPSS
Exploits1References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/18 10:29 p.m.15 views

Malicious code in db-connector-log (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b028ed25796b267dc7df004e294b917a05c2e5fdd76e2540530b8c179843c6 [email protected] impersonates the legitimate dx-db-connector package divbloxjs; package.json's repository/homepage point at the divbloxjs proje...

6.2AI score
Exploits0References3
NVD
NVD
added 2026/06/18 8:16 p.m.14 views

CVE-2026-48716

nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media attachments and writes th...

8.7CVSS0.00276EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.18 views

PT-2026-50573

Name of the Vulnerable Software and Affected Versions TypeBot versions prior to 3.17.0 Description An unauthenticated issue exists in the chatbot builder tool where the endpoint "/api/blocks/file-input/v3/generate-upload-url" uses unsanitized fileName input to construct public S3 object keys. The...

9.3CVSS6AI score0.00268EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/11 5:3 a.m.10 views

EUVD-2026-36202

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem outside the configured local-directory with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through...

7.1CVSS5.6AI score0.0021EPSS
Exploits0References1
Spring Security Advisories
Spring Security Advisories
added 2026/06/10 12:0 a.m.12 views

cve-2026-40987 - HIGH - Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

cve-2026-40987 - HIGH - Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization...

7.1CVSS6.1AI score0.0021EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.9 views

CVE-2026-45244

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

5.4CVSS5.5AI score0.00227EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/27 2:42 p.m.50 views

CVE-2026-44972 GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content

GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject...

5CVSS0.00113EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 2:42 p.m.11 views

CVE-2026-44972 GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content

GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject...

5CVSS5.9AI score0.00113EPSS
Exploits0References1
OSV
OSV
added 2026/05/27 2:42 p.m.5 views

CVE-2026-44972 GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content

GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject...

5CVSS6AI score0.00113EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.11 views

Summarize contains a missing authorization vulnerability

Summarize prior to 0.15.0 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References7Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/18 6:57 p.m.14 views

CVE-2026-45244 Summarize < 0.15.1 Unapproved Browser Automation Execution

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References4
EUVD
EUVD
added 2026/05/18 6:57 p.m.29 views

EUVD-2026-30796

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.25 views

PT-2026-41723

Name of the Vulnerable Software and Affected Versions Summarize versions prior to 0.15.1 Description A missing authorization issue allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. By using malicious page or...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References7
NVD
NVD
added 2026/05/15 5:16 p.m.17 views

CVE-2026-45036

Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

7CVSS0.0013EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.13 views

PT-2026-41321

Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

7CVSS6.2AI score0.0013EPSS
Exploits0References2
Rows per page
Query Builder