Lucene search
K

269 matches found

CVE
CVE
added yesterday9 views

CVE-2026-9708

Mattermost vulnerable versions (11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x

4.9CVSS6.1AI score0.0021EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added yesterday24 views

CVE-2026-9708 Incoming webhook user attribution via unvalidated webhook owner

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via...

4.9CVSS0.0021EPSS
Exploits0References1
OSV
OSV
added 2026/07/07 2:34 p.m.5 views

PYSEC-2026-1962 TensorFlow has segfault in array_ops.upper_bound

Impact arrayops.upperbound causes a segfault when not given a rank 2 tensor. Patches We have patched the issue in GitHub commit 915884fdf5df34aaedd00fc6ace33a2cfdefa586. The fix will be included in TensorFlow 2.13. We will also cherrypick this commit in TensorFlow 2.12.1. For more information...

8.7CVSS5.9AI score0.00429EPSS
Exploits0References7
OSV
OSV
added 2026/07/07 2:34 p.m.5 views

PYSEC-2026-1954 Invalid char to bool conversion when printing a tensor

Impact When printing a tensor, we get it's data as a const char array since that's the underlying storage and then we typecast it to the element type. However, conversions from char to bool are undefined if the char is not 0 or 1, so sanitizers/fuzzers will crash. Patches We have patched the issu...

4.8CVSS6AI score0.00389EPSS
Exploits0References7
OSV
OSV
added 2026/07/07 10:17 a.m.4 views

PYSEC-2026-971 Tensorflow vulnerable to Out-of-Bounds Read

Impact When the BaseCandidateSamplerOp function receives a value in trueclasses larger than rangemax, a heap oob vuln occurs. python tf.rawops.ThreadUnsafeUnigramCandidateSampler trueclasses=0x100000,1, numtrue = 2, numsampled = 2, unique = False, rangemax = 2, seed = 2, seed2 = 2 Patches We have...

6.8CVSS5.9AI score0.0038EPSS
Exploits1References7
OSV
OSV
added 2026/07/07 10:17 a.m.3 views

PYSEC-2026-1050 Segfault via invalid attributes in `pywrap_tfe_src.cc`

Impact If a list of quantized tensors is assigned to an attribute, the pywrap code fails to parse the tensor and returns a nullptr, which is not caught. An example can be seen in tf.compat.v1.extractvolumepatches by passing in quantized tensors as input ksizes. python import numpy as np import...

5.5CVSS6AI score0.00404EPSS
Exploits1References7
OSV
OSV
added 2026/07/07 10:17 a.m.2 views

PYSEC-2026-951 Overflow in `ImageProjectiveTransformV2`

Impact When tf.rawops.ImageProjectiveTransformV2 is given a large output shape, it overflows. python import tensorflow as tf interpolation = "BILINEAR" fillmode = "REFLECT" images = tf.constant0.184634328, shape=2,5,8,3, dtype=tf.float32 transforms = tf.constant0.378575385, shape=2,8,...

4.8CVSS7AI score0.0043EPSS
Exploits1References7
OSV
OSV
added 2026/07/06 5:55 a.m.3 views

BIT-MASTODON-2026-50128 Mastodon: Spoofing of attribution domains

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

5.3CVSS6AI score0.00129EPSS
Exploits0References3
OSV
OSV
added 2026/07/02 7:39 p.m.3 views

GHSA-4FC2-H7JH-287C zebrad has mempool transaction admission denial via single-peer inbound queue saturation

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary A...

5.3CVSS5.7AI score
Exploits0References3
NVD
NVD
added 2026/06/24 9:16 p.m.9 views

CVE-2026-50128

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

5.3CVSS0.00129EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 7:48 p.m.21 views

CVE-2026-50128

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

5.3CVSS5.9AI score0.00129EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/24 7:48 p.m.19 views

CVE-2026-50128 Mastodon: Spoofing of attribution domains

Mastodon is a free, open-source social network server based on ActivityPub. From 4.3.0 until 4.5.11 and 4.4.18, Mastodon has a feature to let websites credit authors of their articles. To prevent false attribution claims, Mastodon uses the attributionDomains JSON-LD term, however, an error in how...

5.3CVSS0.00129EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 7:48 p.m.15 views

CVE-2026-50128

Mastodon vulnerability CVE-2026-50128 affects versions 4.3.0 through 4.5.11 and 4.4.18, where an error in the attributionDomains JSON-LD handling allows an attacker to arbitrarily modify the attributionDomains value on a legitimately signed Update and bypass signature verification. This can under...

5.3CVSS5.9AI score0.00129EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.10 views

PT-2026-52082

Name of the Vulnerable Software and Affected Versions Mastodon versions 4.3.0 through 4.5.10 Mastodon versions 4.4.0 through 4.4.17 Description Mastodon is a free, open-source social network server based on ActivityPub. A flaw in the definition of the attributionDomains JSON-LD term makes Linked...

5.3CVSS5.8AI score0.00129EPSS
Exploits0References7
Filippo.io
Filippo.io
added 2026/06/23 1:0 p.m.18 views

Vulnerability Reports Are Not Special Anymore

A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation. You can accept it, ignore it, and use it partially or not at all. Except… For years, as lead of the Go Security team at the...

5.9AI score
Exploits0
OSV
OSV
added 2026/06/17 12:0 p.m.8 views

MAL-2026-6160 Malicious code in firebase-readability (npm)

The npm package firebase-readability published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/17 12:0 p.m.6 views

MAL-2026-6145 Malicious code in accordion-animationtiming-authorization (npm)

The npm package accordion-animationtiming-authorization published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component moun...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/17 12:0 p.m.6 views

MAL-2026-6153 Malicious code in datapersistence-profiling (npm)

The npm package datapersistence-profiling published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/17 12:0 p.m.7 views

MAL-2026-6156 Malicious code in documents-widgets (npm)

The npm package documents-widgets published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/06/17 12:0 p.m.8 views

MAL-2026-6162 Malicious code in font-picker-responsive (npm)

The npm package font-picker-responsive published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...

5.4AI score
Exploits0References1
Rows per page
Query Builder