Lucene search
K

2388 matches found

NVD
NVD
added 2 days ago3 views

CVE-2026-57414

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in QuantumCloud ChatBot for eCommerce WoowBot woowbot-woocommerce-chatbot allows Stored XSS.This issue affects ChatBot for eCommerce WoowBot: from n/a through = 4.6.1...

6.5CVSS0.00161EPSS
Exploits0References1
Snyk
Snyk
added 3 days ago3 views

Server-side Request Forgery (SSRF)

Overview AstrBot is a 易上手的多平台 LLM 聊天机器人及开发框架 Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the ToolsRoute.testmcpconnection function. An attacker can make unauthorized requests to internal or external systems by supplying crafted input to the...

6.5CVSS6.1AI score0.00206EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-15500 AstrBotDevs AstrBot market_list Endpoint plugin.py get_online_plugins server-side request forgery

A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2. Affected by this vulnerability is the function getonlineplugins of the file astrbot/dashboard/routes/plugin.py of the component marketlist Endpoint. Executing a manipulation of the argument customregistry can lead to server-side...

6.5CVSS0.00209EPSS
Exploits0References6
CVE
CVE
added 5 days ago11 views

CVE-2026-59155

Nezha Monitoring (self-hosted) had a credential exposure flaw prior to version 2.2.5. The GET endpoints /api/v1/ddns and /api/v1/notification returned full resource objects that included plaintext third-party API credentials (Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram ...

6.9CVSS6.1AI score0.00304EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago8 views

Malicious code in stella-coder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0c3ed879ef15a68d537ad7b6ddb59508aba58eee49c8ca19b916ef59a0c2da6 stella-cli/telegram-bot.mjs hardcodes a Telegram bot API token BOTTOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2ebSi0" that is controlled by the...

6.2AI score
Exploits0References11
OSV
OSV
added 5 days ago3 views

MAL-2026-10134 Malicious code in stella-coder (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0c3ed879ef15a68d537ad7b6ddb59508aba58eee49c8ca19b916ef59a0c2da6 stella-cli/telegram-bot.mjs hardcodes a Telegram bot API token BOTTOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2ebSi0" that is controlled by the...

6.2AI score
Exploits0References11
Cvelist
Cvelist
added 2026/07/01 3:19 p.m.39 views

CVE-2026-58029 Full Account Takeover from BotPasswords and OAuth via action=changeauthenticationdata

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiChangeAuthenticationData.Php, includes/Api/ApiLinkAccount.Php, includes/Api/ApiRemoveAuthenticationData.Php, includes/Specials/SpecialLinkAccounts.Php,...

5.3CVSS0.00351EPSS
Exploits0References1
Imperva Blog
Imperva Blog
added 2026/06/30 9:25 a.m.9 views

AI Agents Are Visiting Your Website. Which Ones Should You Trust?

The internet is changing fast. For years, the main goal of search was simple: to help users find links. A user searched, reviewed results, clicked a website, and consumed the content directly from the source. But AI is changing that model. Increasingly, users ask AI assistants for answers instead...

5.9AI score
Exploits0
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-339 FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft

Impact The POST /api/v2/firefighter/raid/jirabot endpoint CreateJiraBotView is reachable without authentication permissionclasses = permissions.AllowAny. Its attachments payload is fetched server-side via httpx.get with no URL validation, then uploaded as an attachment on the Jira ticket that get...

9.9CVSS6AI score0.00272EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-438 OpenViking: Unauthenticated remote bot control via OpenAPI HTTP routes

OpenViking prior to commit c7bb167 contains an authentication bypass vulnerability in the VikingBot OpenAPI HTTP route surface where the authentication check fails open when the apikey configuration value is unset or empty. Remote attackers with network access to the exposed service can invoke...

9.1CVSS5.8AI score0.00571EPSS
Exploits1References8
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-285 AstrBot is vulnerable to RCE with hard-coded JWT signing keys

Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. Details AstrBot uses a hard-coded JWT signing key, which allows attackers to bypass the authentication mechanism. Once bypassed, the attacker can install a Python...

9.8CVSS6.2AI score0.00281EPSS
Exploits2References8
OSV
OSV
added 2026/06/26 11:55 p.m.5 views

GHSA-WW5P-J6CJ-6MQQ Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API

Summary The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — withou...

6.9CVSS5.8AI score0.00304EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 3:32 p.m.9 views

EUVD-2026-39775

Mattermost versions 10.11.x = 10.11.18, 11.6.x = 11.6.3, 11.5.x = 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into to...

3.5CVSS5.8AI score0.00194EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 3:16 p.m.7 views

CVE-2026-3472

Mattermost versions 10.11.x = 10.11.18, 11.6.x = 11.6.3, 11.5.x = 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into to...

3.5CVSS0.00194EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 2:42 p.m.23 views

CVE-2026-3472

CVE-2026-3472 affects Mattermost where specific versions (10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x

3.5CVSS5.8AI score0.00194EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/26 10:50 a.m.6 views

MAL-2026-6516 Malicious code in inlifegram (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3975a0998bf76dddc25f0138b1d4b408bb06304b3203dc1e62e0110b2b56425f InLifeGram distributes a modified copy of the pyrogram Telegram client library and installs it into the top-level pyrogram import namespace, so impor...

6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/26 10:50 a.m.9 views

Malicious code in inlifegram (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3975a0998bf76dddc25f0138b1d4b408bb06304b3203dc1e62e0110b2b56425f InLifeGram distributes a modified copy of the pyrogram Telegram client library and installs it into the top-level pyrogram import namespace, so impor...

6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/25 6:42 a.m.7 views

Malicious code in base62-86x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 811002816e7f72588c7c6540b088af5c44b8280574e43dbaeef4701fe377fe9f Package impersonates the legitimate base-x/base62 library by Daniel Cousens name base62-86x, homepage pointing at cryptocoinjs/base-x, identical sour...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/06/25 6:42 a.m.6 views

MAL-2026-6446 Malicious code in base62-86x (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 811002816e7f72588c7c6540b088af5c44b8280574e43dbaeef4701fe377fe9f Package impersonates the legitimate base-x/base62 library by Daniel Cousens name base62-86x, homepage pointing at cryptocoinjs/base-x, identical sour...

6.1AI score
Exploits0References3
EUVD
EUVD
added 2026/06/24 5:33 a.m.10 views

EUVD-2026-38668

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistioplugindeleteassistiosettings function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers,...

4.3CVSS5.9AI score0.00238EPSS
Exploits0References3
Rows per page
Query Builder