6431 matches found

OSV
added 2026/05/15 8:42 a.m. | 2 views

BIT-GRAFANA-2026-33376 Auth Proxy IPv6 whitelist bypass

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here...

CVSS 7.4 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2
NCSC
added 2026/05/15 8:19 a.m. | 6 views

Vulnerabilities found in Cisco Catalyst SD-WAN Controllers and Managers

Cisco has identified vulnerabilities in the Catalyst SD-WAN Controller and Manager products. Cisco has uncovered four vulnerabilities in these products. These vulnerabilities involve XXE injection, privilege escalation, and authentication bypass. The authentication bypass vulnerability resides in...

CVSS 10 | AI score 6 | EPSS 0.83125
Exploits: 4 | References: 2
Vulnrichment
added 2026/05/15 2:13 a.m. | 7 views

CVE-2026-2652 Authentication Bypass in mlflow/mlflow

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via the uvicorn ASGI server. The FastAPI permission middleware only enforces authentication on /gateway/...

CVSS 8.6 | AI score 7.5 | EPSS 0.01321
Exploits: 1 | References: 2
SUSE CVE
added 2026/05/15 1:59 a.m. | 5 views

SUSE CVE-2026-33376

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here...

CVSS 7.4 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 3
RedhatCVE
added 2026/05/15 1:57 a.m. | 7 views

CVE-2026-44380

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

CVSS 8.6 | AI score 5.8 | EPSS 0.00061
Exploits: 0 | References: 1
Positive Technologies
added 2026/05/15 12:00 a.m. | 7 views

PT-2026-41393

Name of the Vulnerable Software and Affected Versions: Better Auth versions prior to 1.4.17; Better Auth versions prior to 1.5.0-beta.9. Description: The HTTP rate limiter in Better Auth identifies requests based on the exact textual IP address found in the x-forwarded-for header or other configured...

CVSS 7.3 | AI score 5.8 | EPSS 0.00083
Exploits: 0 | References: 8
RedhatCVE
added 2026/05/14 7:58 p.m. | 5 views

CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. The has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

CVSS 8.1 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 1
OSV
added 2026/05/14 7:24 p.m. | 2 views

MAL-2026-3766 Malicious code in nock-helper (npm)

Per source details. Source: amazon-inspector (d1070514eba7a5f0fedc2760db7710399d38e070d98dc99910d3b49923959820). The package declares scripts.postinstall: node postinstall.js, which runs automatically on npm install. The script is an explicit credential harveste...

AI score 5.8
Exploits: 0 | References: 5
NVD
added 2026/05/14 7:16 p.m. | 6 views

CVE-2025-64526

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

CVSS 6.9 | EPSS 0.0001
Exploits: 0 | References: 4
Vulnrichment
added 2026/05/14 6:32 p.m. | 6 views

CVE-2025-64526 Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

CVSS 6.9 | AI score 6 | EPSS 0.0001
Exploits: 0 | References: 4
CVE
added 2026/05/14 4:20 p.m. | 9 views

CVE-2026-44514

The Kubetail vulnerability (CVE-2026-44514) is a cross-site WebSocket hijacking (CSWSH) flaw: the WebSocket endpoints exposed by the dashboard before version 0.14.0 did not properly validate the Origin header, allowing an attacker to read authenticated users' Kubernetes logs via a malicious page. Affected components and versions: Kubetail Das...

CVSS 6.5 | AI score 5.8 | EPSS 0.00006
Exploits: 0 | References: 1
The Hacker News
added 2026/05/14 11:40 a.m. | 11 views

PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure

Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of its public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing...

CVSS 7.3 | AI score 5.8 | EPSS 0.00029
Exploits: 3
Nuclei
added 2026/05/14 3:20 a.m. | 23 views

ThinVNC 1.0b1 - Authentication Bypass

ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a...

CVSS 9.8 | AI score 7.4 | EPSS 0.94097
Exploits: 11 | References: 5
Tenable Nessus
added 2026/05/14 12:00 a.m. | 10 views

JetBrains TeamCity <= 2025.11.4 Privilege Escalation (CVE-2026-44413)

The version of JetBrains TeamCity installed on the remote host is 2025.11.4 or prior. It is, therefore, affected by a post-authentication privilege escalation vulnerability that may allow any authenticated user, including standard or guest accounts, to expose some parts of the TeamCity server API...

CVSS 8.2 | AI score 5.8 | EPSS 0.00003
Exploits: 0 | References: 2
Tenable Nessus
added 2026/05/14 12:00 a.m. | 5 views

RHEL 10 : dovecot (RHSA-2026:17602)

The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:17602 advisory. Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3...

CVSS 7.5 | AI score 5.9 | EPSS 0.00068
Exploits: 2 | References: 8
EUVD
added 2026/05/13 9:32 p.m. | 5 views

EUVD-2026-30142

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here...

CVSS 7.4 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/13 8:51 p.m. | 6 views

CVE-2026-44380 MISP: Improper access control in auth key reset allows privilege escalation to site administrator

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

CVSS 8.6 | AI score 5.8 | EPSS 0.00061
Exploits: 0 | References: 1
UbuntuCve
added 2026/05/13 8:16 p.m. | 3 views

CVE-2026-33376

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here...

CVSS 7.4 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2
OSV
added 2026/05/13 8:16 p.m. | 2 views

UBUNTU-CVE-2026-33376

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here...

CVSS 7.4 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 3
AlpineLinux
added 2026/05/13 7:28 p.m. | 5 views

CVE-2026-33376

When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected here...

CVSS 7.4 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 1