Lucene search
+L

244 matches found

euvd
euvd
added last week10 views

EUVD-2026-39007

Mistune: Potential DoS via quadratic-time parsing in parselinktext...

8.7CVSS7.1AI score0.0035EPSS
Exploits0References5
osv
osv
added 2026/07/08 5:17 p.m.3 views

DEBIAN-CVE-2026-59882

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...

4.2CVSS6.1AI score0.00186EPSS
Exploits0References1
nvd
nvd
added 2026/07/08 5:17 p.m.9 views

CVE-2026-59882

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...

4.2CVSS0.00186EPSS
Exploits0References4
cve
cve
added 2026/07/08 3:50 p.m.9 views

CVE-2026-59882

The CVE affects guzzlehttp/psr7 (PSR-7 HTTP message library for PHP). Prior to version 2.12.3, Uri::assertValidHost() fails to reject authority delimiters, embedded ports, or malformed IPv6 brackets in host components, causing Uri::getHost() to disagree with the URI authority used for security or...

4.2CVSS6AI score0.00186EPSS
Exploits0References4
cve
cve
added 2026/07/06 9:0 p.m.12 views

CVE-2026-59711

CVE-2026-59711 affects the showdown library. A cross-site scripting vulnerability exists in metadata title handling when the completeHTMLDocument option is enabled; unescaped characters in markdown frontmatter metadata are placed into HTML title tags, allowing script execution in the rendered pa...

6.1CVSS6AI score0.00187EPSS
Exploits0References3
osv
osv
added 2026/06/24 5:5 p.m.3 views

CVE-2026-49851 Mistune: Potential DoS via quadratic-time parsing in parse_link_text

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear approximately On² behavior in parselinktext. When parsing Markdown containing many consecutive characters, parselinktext repeatedly scans the input usin...

8.7CVSS7.1AI score0.0035EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/05/14 7:58 p.m.12 views

CVE-2026-42260

Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not recognize bracketed IPv6 literals and do not resolve DNS, which combine to allow non-blind SSRF wit...

8.2CVSS5.8AI score0.00215EPSS
Exploits0References1
nessus
nessus
added 2026/05/09 12:0 a.m.7 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016817)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016817 advisory. The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to ...

5.3CVSS7.2AI score0.00443EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/05/07 2:59 a.m.8 views

CVE-2026-41661 Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode...

6.1CVSS6AI score0.00181EPSS
Exploits0References2
cvelist
cvelist
added 2026/05/07 2:59 a.m.39 views

CVE-2026-41661 Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode...

6.1CVSS0.00181EPSS
Exploits0References2
osv
osv
added 2026/05/07 2:59 a.m.5 views

CVE-2026-41661 Admidio: Reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode...

6.1CVSS6.1AI score0.00181EPSS
Exploits0References4
osv
osv
added 2026/04/29 9:51 p.m.11 views

GHSA-GQ27-FC8W-VCMP Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Summary An unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholder...

6.1CVSS6.2AI score0.00181EPSS
Exploits0References4
github
github
added 2026/04/29 9:51 p.m.11 views

Admidio vulnerable to reflected XSS in msg_window.php via Square Bracket to HTML Tag Conversion

Summary An unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholder...

6.1CVSS6AI score0.00181EPSS
Exploits0References4Affected Software1
nessus
nessus
added 2026/04/24 12:0 a.m.4 views

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: python3 (UTSA-2026-014321)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014321 advisory. The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986...

6.3CVSS6.7AI score0.01499EPSS
Exploits0References3
ibm
ibm
added 2026/04/14 5:11 p.m.4 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to incorrect parse function values in net/url (CVE-2025-47912)

Summary IBM Watson Speech Services Cartridge is vulnerable to a condition in net/url that allows incorrect parse function values other than IPv6 addresses to be included in square brackets within the host component of a URL CVE-2025-47912, Net/url is used in our speech-utilities. This...

5.3CVSS7AI score0.00443EPSS
Exploits0Affected Software1
redhat
redhat
added 2026/04/10 2:24 p.m.2 views

net/url: Insufficient validation of bracketed IPv6 hostnames in net/url

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://::1/". IPv4 addresses and hostnames mus...

5.3CVSS6.1AI score0.00443EPSS
Exploits0References8
osv
osv
added 2026/04/07 7:2 p.m.3 views

CVE-2026-39361 OpenObserve has a SSRF Protection Bypass via IPv6 Bracket Notation in validate_enrichment_url

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validateenrichmenturl function in src/handler/http/request/enrichmenttable/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets e.g. "::1" not "::1". An authenticated...

7.7CVSS6AI score0.00265EPSS
Exploits1References4
cve
cve
added 2026/04/07 7:2 p.m.13 views

CVE-2026-39361

OpenObserve (cloud-native observability platform)

7.7CVSS5.9AI score0.00265EPSS
Exploits1References2Affected Software1
nvd
nvd
added 2026/03/26 10:16 p.m.4 views

CVE-2026-33672

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the POSIXREGEXSOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions e.g., :constructor: ca...

5.3CVSS0.0041EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/03/26 9:39 p.m.5 views

CVE-2026-33672 Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching

Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the POSIXREGEXSOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions e.g., :constructor: ca...

5.3CVSS6.1AI score0.0041EPSS
Exploits0References2
Rows per page
Query Builder