Lucene search
K

522 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-61448

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS0.00245EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-43183

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS6AI score0.00245EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type

Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...

2.1CVSS0.00245EPSS
Exploits0References2
NVD
NVD
added 4 days ago5 views

CVE-2026-50180

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, SQLChatAgent in langroid ships a validatequery defense-in-depth layer whose DANGEROUSSQLPATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses...

8.7CVSS0.00686EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-54760 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.1, the SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only statement allowlist...

9.3CVSS0.00646EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-50180

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, SQLChatAgent in langroid ships a validatequery defense-in-depth layer whose DANGEROUSSQLPATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses...

8.7CVSS6.2AI score0.00686EPSS
Exploits0References3Affected Software1
CVE
CVE
added 5 days ago13 views

CVE-2026-50180

Summary: CVE-2026-50180 in Langroid’s SQLChatAgent allows arbitrary PostgreSQL file reads due to an incomplete DANGEROUS_SQL_PATTERNS blocklist. The blocklist misses several pg_read * and related functions (e.g., pg_read_file, pg_stat_file, pg_ls_logdir, pg_ls_waldir, pg_current_logfile) and does...

8.7CVSS6.1AI score0.00686EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-50180 Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.64.0, SQLChatAgent in langroid ships a validatequery defense-in-depth layer whose DANGEROUSSQLPATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses...

8.7CVSS0.00686EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-59223

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEBFETCHFILTERLIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based blocklist bypasses such as !internal.example.com in a URL pa...

4.3CVSS6AI score0.00223EPSS
Exploits0References5Affected Software1
NVD
NVD
added 6 days ago7 views

CVE-2026-55778

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS0.00406EPSS
Exploits0References7
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-60105 Monsta FTP < 2.14.5 SSRF via IPv4-Mapped IPv6 Address Bypass

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obta...

8.6CVSS0.00308EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-55778 Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS0.00406EPSS
Exploits0References7
CVE
CVE
added 6 days ago22 views

CVE-2026-55778

Parse Server is affected by a stored XSS vulnerability where the default fileUpload.fileExtensions blocklist can be bypassed using non-standard or compound extensions paired with a dangerous Content-Type. This enables attacker-supplied content to be served by storage adapters (e.g., S3, GCS) and ...

2.1CVSS5.6AI score0.00406EPSS
Exploits0References7
CVE
CVE
added 6 days ago23 views

CVE-2026-49145

CVE-2026-49145 affects App::Ack for Perl up to version 3.10.0. The flaw arises because ack searches upward for a project .ackrc and loads its options; the project-source blocklist did not include --files-from, allowing a project .ackrc to set --files-from to a path whose listed files ack will rea...

7.5CVSS6AI score0.00329EPSS
Exploits0References2
EUVD
EUVD
added 6 days ago4 views

EUVD-2026-42288

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include...

7.5CVSS6AI score0.00329EPSS
Exploits0References1
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-455 PickleScan's profile.run blocklist mismatch allows exec() bypass

Summary picklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist ent...

9.8CVSS6.5AI score0.0046EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-456 PickleScan's pkgutil.resolve_name has a universal blocklist bypass

Summary pkgutil.resolvename is a Python stdlib function that resolves any "module:attribute" string to the corresponding Python object at runtime. By using pkgutil.resolvename as the first REDUCE call in a pickle, an attacker can obtain a reference to ANY blocked function e.g., os.system,...

10CVSS5.8AI score0.00623EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/26 7:17 p.m.12 views

EUVD-2026-37512

pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses incomplete fix of CVE-2026-46678...

6.8CVSS5.8AI score0.00332EPSS
Exploits0References5
OSV
OSV
added 2026/06/26 7:17 p.m.4 views

GHSA-CG7W-RG45-PC59 pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)

Summary When an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs and runs on a network that routes the affected IPv6 transition forms NAT64- or ISATAP-configured networks, the cloud-metadata blocklist could be...

6.8CVSS5.8AI score0.00332EPSS
Exploits0References6
NVD
NVD
added 2026/06/23 9:17 p.m.8 views

CVE-2026-53927

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16,...

5.1CVSS0.00282EPSS
Exploits0References1
Rows per page
Query Builder