Lucene search
+L

7921 matches found

Nuclei
Nuclei
added yesterday51 views

Magento 2 Amasty Order Attributes < 4.0.0 - Unauthenticated Arbitrary File Upload

Amasty Order Attributes for Magento 2 4.0.0 contains an unrestricted file upload vulnerability caused by lack of authentication and validation in the upload endpoint, letting unauthenticated attackers upload arbitrary files including PHP, enabling remote code execution or malware hosting. id:...

9.8CVSS6.5AI score0.04591EPSS
Exploits0References3
Cvelist
Cvelist
added yesterday10 views

CVE-2026-15759 ChatHelp <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes

The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escapin...

6.4CVSS0.00201EPSS
Exploits0References7
NVD
NVD
added 2 days ago6 views

CVE-2026-44174

Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password...

8.7CVSS0.0028EPSS
Exploits0References3
NVD
NVD
added 2 days ago7 views

CVE-2026-15945

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions FGAP v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group the...

4.3CVSS0.00193EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2 days ago8 views

CVE-2026-15945

A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions FGAP v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group the...

4.3CVSS6.1AI score0.00193EPSS
Exploits0References3
NVD
NVD
added 2 days ago8 views

CVE-2026-13397

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

7.5CVSS0.00186EPSS
Exploits0References3
NVD
NVD
added 2 days ago6 views

CVE-2026-13401

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

7.5CVSS0.00186EPSS
Exploits0References3
CVE
CVE
added 2 days ago7 views

CVE-2026-13401

CVE-2026-13401 affects Perl’s XML::Bare up to version 0.53. The vulnerability is a hang/infinite loop in the attribute parser: the parserc_parse state cursor does not advance for certain malformed attribute forms (e.g., nameless attributes like ), causing looping. Impact is a potential denial-of-...

7.5CVSS6.1AI score0.00186EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-13401 XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

0.00186EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44964

XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

6.1AI score0.00186EPSS
Exploits0References2
CVE
CVE
added 2 days ago7 views

CVE-2026-13397

CVE-2026-13397 affects HTML::Bare up to version 0.04 for Perl. The vulnerability is an infinite loop in the parser when encountering certain malformed attributes, because parserc_parse does not advance the attribute-parse state cursor for those forms (e.g., nameless attributes like and unbalance...

7.5CVSS6.1AI score0.00186EPSS
Exploits0References3
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44963

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

6.1AI score0.00186EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-13397 HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes

HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...

0.00186EPSS
Exploits0References2
Nuclei
Nuclei
added 2 days ago228 views

CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. id: CVE-2023-43177 info: name: CrushFTP 10.5.1 - Unauthenticated Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | CrushFTP prior...

9.8CVSS7.1AI score0.81801EPSS
Exploits7References5
RedhatCVE
RedhatCVE
added 2 days ago5 views

CVE-2026-15697

A flaw was found in svgdotjs svg.js. A remote attacker could exploit a vulnerability in the EventTarget.on function, which improperly controls modifications to object prototype attributes. This could allow an attacker to manipulate object properties, potentially leading to unintended behavior or...

6.5CVSS6.6AI score0.0033EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2 days ago8 views

Linux Distros Unpatched Vulnerability : CVE-2026-49459

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve...

6.1CVSS5AI score0.00254EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 3 days ago5 views

kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr

In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMADIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then...

6AI score0.00174EPSS
Exploits0References5
NVD
NVD
added 4 days ago3 views

CVE-2026-49459

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...

6.1CVSS0.00254EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...

6.1CVSS0.00254EPSS
Exploits0References3
OSV
OSV
added 4 days ago4 views

CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References5
Rows per page
Query Builder