Lucene search
K

4261 matches found

NVD
NVD
added yesterday5 views

CVE-2026-61504

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name...

5.4CVSS
Exploits0References2
CVE
CVE
added yesterday8 views

CVE-2026-61504

CVE-2026-61504 affects Rejetto HFS 3.0.0–3.2.0, where the basic web listing does not escape file names and can be forced with the browser parameter ?get=basic. This enables stored XSS: a file with a script in its name can execute in the viewer’s browser when the listing is viewed, potentially by ...

5.4CVSS6.1AI score
Exploits0References2
NVD
NVD
added yesterday3 views

CVE-2026-57371

Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through = 7.0...

8.8CVSS0.00518EPSS
Exploits0References1
NVD
NVD
added yesterday3 views

CVE-2026-57372

Server-Side Request Forgery SSRF vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through = 7.0...

7.2CVSS0.00266EPSS
Exploits0References1
CVE
CVE
added yesterday6 views

CVE-2026-57371

The CVE-2026-57371 entry describes a Deserialization of Untrusted Data vulnerability in the WordPress WPJAM Basic plugin (wpjam-basic), affecting versions up to 7.0. The underlying issue is object injection via deserialization, enabling an attacker to potentially execute unintended actions throug...

8.8CVSS6.1AI score0.00518EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday5 views

CVE-2026-57371 WordPress WPJAM Basic plugin <= 7.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through = 7.0...

8.8CVSS0.00518EPSS
Exploits0References1
CVE
CVE
added yesterday7 views

CVE-2026-57372

CVE-2026-57372 is a Server-Side Request Forgery (SSRF) vulnerability affecting the WordPress WPJAM Basic plugin (wpjam-basic) versions up to and including 7.0. The CVE entry states the issue is a SSRF in WPJAM Basic, but the provided documents do not specify the underlying code path, affected fun...

7.2CVSS6.1AI score0.00266EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday5 views

CVE-2026-57372 WordPress WPJAM Basic plugin <= 7.0 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery SSRF vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through = 7.0...

7.2CVSS0.00266EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday17 views

MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

8.6CVSS7.1AI score0.01502EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday33 views

MLflow Job API - Authentication Bypass

MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/ when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions. id:...

9.8CVSS7.1AI score0.04392EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday17 views

TOTOLINK/Realtek Routers - CAPTCHA Bypass

On certain TOTOLINK Realtek SDK based routers, the CAPTCHA text can be retrieved via a POST request to the boafrm/formLogin URI with the JSON payload "topicurl":"setting/getSanvas". This allows an unauthenticated attacker to bypass CAPTCHA verification, gaining unauthorized access to restricted...

9.8CVSS7AI score0.29557EPSS
Exploits3References2
NVD
NVD
added 6 days ago5 views

CVE-2026-44332

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username...

5.3CVSS0.00516EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago42 views

CVE-2026-44332 Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username...

5.3CVSS0.00516EPSS
Exploits0References4
CVE
CVE
added 6 days ago22 views

CVE-2026-44332

Fiber’s Go-based web framework vulnerability CVE-2026-44332 affects the BasicAuth middleware’s default Authorizer prior to v3.3.0. The issue arises from short-circuit evaluation in the Authorizer: for non-existent usernames, the password hash check is skipped, enabling remote username enumeration...

5.3CVSS6AI score0.00516EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added last week9 views

SUSE CVE-2026-54763

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...

7.5CVSS6AI score0.00256EPSS
Exploits0References3
Patchstack
Patchstack
added last week5 views

WordPress WPJAM Basic plugin <= 7.0 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by hhhai in WordPress Plugin WPJAM Basic versions = 7.0...

8.8CVSS5.9AI score0.00518EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/07/06 8:33 p.m.2 views

CVE-2026-54763 Traefik: headerField underscore-variant identity spoofing in BasicAuth / DigestAuth / ForwardAuth

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...

7.8CVSS6AI score0.00256EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/06 8:33 p.m.38 views

CVE-2026-54763 Traefik: headerField underscore-variant identity spoofing in BasicAuth / DigestAuth / ForwardAuth

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...

7.8CVSS0.00256EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:33 p.m.5 views

CVE-2026-54763

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...

7.8CVSS6AI score0.00256EPSS
Exploits0References4Affected Software1
AlpineLinux
AlpineLinux
added 2026/07/06 8:33 p.m.6 views

CVE-2026-54763

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...

10CVSS6AI score0.00256EPSS
Exploits0References3
Rows per page
Query Builder