20637 matches found
WP BASE Booking - Reflected XSS
WP BASE Booking of Appointments, Services and Events WordPress plugin 5.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to...
Malicious code in prettier-plugin-base (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e4c522699877c1eca1bb9c838a443e3c4bfa21950cf5c5b1d23182ae91a534e The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-10430 Malicious code in prettier-plugin-base (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e4c522699877c1eca1bb9c838a443e3c4bfa21950cf5c5b1d23182ae91a534e The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Malicious code in dotnet-runtime-base (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c10c75766303f8c3bf261487e341e537f103116026309006ab71d977aacdd235 The package's postinstall lifecycle script package.json line 7: "postinstall": "node install.js" runs install.js, which on Windows writes a PowerShel...
CVE-2026-56259
Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...
CVE-2026-56259 Crawl4AI - LLM Credential Exfiltration via base_url and Environment Variable Resolution
Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...
CVE-2026-56259 Crawl4AI - LLM Credential Exfiltration via base_url and Environment Variable Resolution
Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...
CVE-2026-56259
CVE-2026-56259 affects Crawl4AI prior to 0.8.8. A credential-exfiltration vulnerability exists in the Docker API server that lets an attacker redirect LLM API calls to attacker-controlled endpoints and read environment variables. By targeting unauthenticated endpoints /md, /llm, and /llm/job and ...
CVE-2026-61454
The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...
CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__
The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...
EUVD-2026-43184
The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...
GHSA-QCQ2-496W-V96P vulnerabilities
Vulnerabilities for packages: jupyter-base-notebook, kubeflow-pipelines-visualization-server, tensorflow-cpu-jupyter...
CVE-2026-49851 vulnerabilities
Vulnerabilities for packages: jupyter-base-notebook, kubeflow-pipelines-visualization-server, tensorflow-cpu-jupyter...
WordPress BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin <= 4.6.0 - Authenticated (Custom+) SQL Injection vulnerability
Authenticated Custom+ SQL Injection vulnerability discovered by PRISM in WordPress Plugin BetterDocs versions = 4.6.0...
CVE-2026-59217
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledgeid and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing...
CVE-2026-59217
Open WebUI prior to version 0.10.0 allowed a metadata.knowledge_id value in file uploads to auto-link files to a knowledge base, bypassing the write-access check on /api/v1/knowledge//file/add. This enabled read-only knowledge-base users to add arbitrary files. The issue is fixed in version 0.10....
CVE-2026-59217 Open WebUI: Upload `metadata.knowledge_id` bypasses the knowledge-base write-access check (read-only users can add files to KB)
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledgeid and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing...
CVE-2026-54798
A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application includes a debugging interface that is accessible through HTTP endpoints. This could allow an authenticated attacker to disrupt th...
CVE-2026-54799
A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains a vulnerability in its firmware update mechanism's signature validation process. This could allow an attacker to install...
CVE-2026-54801
A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains insufficient validation of authentication credentials when processing administrative account modifications through the we...