Lucene search
K

47 matches found

EUVD
EUVD
added 5 hours ago7 views

EUVD-2026-43577

Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API /system/buckets/api. The api method in modules/System/Controller/Buckets.php sanitizes the bucket name with pregreplace'/^a-zA-Z0-9-\./','', $bucket, which permits '..' and '../' sequences. The sanitized value is...

8.8CVSS6.1AI score
Exploits0References6
EUVD
EUVD
added 6 days ago6 views

EUVD-2026-42285

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS6AI score0.00327EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-55874 SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS0.00327EPSS
Exploits0References4
OSV
OSV
added 2026/06/30 11:51 p.m.9 views

BIT-SEAWEEDFS-2026-54917 SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

SeaweedFS is a distributed storage system for object storage S3, file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter.SkipCleantrue. With path cleaning disabled, a .. segment inside the URL survives...

10CVSS5.8AI score0.00766EPSS
Exploits1References3
CVE
CVE
added 2026/06/26 8:41 p.m.32 views

CVE-2026-50137

Budibase prior to 3.39.0 is affected by CVE-2026-50137: unauthenticated POST /api/attachments/:datasourceId/url allows anonymous callers to mint 15-minute AWS S3 pre-signed PUT URLs using the datasource’s IAM credentials, with the bucket not pinned to the datasource. The attack discloses the targ...

9.4CVSS5.8AI score0.00415EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/06/25 6:41 p.m.23 views

CVE-2026-54917 SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

SeaweedFS is a distributed storage system for object storage S3, file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter.SkipCleantrue. With path cleaning disabled, a .. segment inside the URL survives...

7.8CVSS0.00345EPSS
Exploits1References2
CVE
CVE
added 2026/06/25 6:41 p.m.20 views

CVE-2026-54917

CVE-2026-54917 affects SeaweedFS prior to 4.30. The S3 gateway and Iceberg REST catalog gateway construct routers with mux.NewRouter().SkipClean(true); when path cleaning is disabled, a .. segment in URLs can survive routing (example: GET /bucket-A/../evil-bucket/key) and be parsed as a valid buc...

10CVSS5.9AI score0.00345EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/06/25 6:34 p.m.3 views

GHSA-G697-2XRC-GC46 amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()

Summary Amazon Braket SDK is an open-source Python library for interacting with the Amazon Braket quantum computing service, including managing hybrid quantum jobs and retrieving job results. An issue exists where, under certain circumstances, a remote authenticated user with S3 write access to a...

7.5CVSS6.5AI score0.0038EPSS
Exploits0References5
NVD
NVD
added 2026/06/18 1:25 p.m.20 views

CVE-2025-10560

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials...

9.3CVSS0.00388EPSS
Exploits1References3
OSV
OSV
added 2026/05/04 6:30 p.m.3 views

GHSA-VXGG-MQX2-3W59 Apache Polaris has an Improper Input Validation Issue

Apache Polaris accepts literal characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and s3:prefix conditions. In S3 IAM policy matching, is treated as ...

9.9CVSS5.8AI score0.00424EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.18 views

PT-2026-36670

Name of the Vulnerable Software and Affected Versions Apache Polaris version 1.4.0 Description Apache Polaris fails to properly escape namespace and table identifiers when constructing Common Expression Language CEL strings for Google Cloud Storage GCS Credential Access Boundaries CAB. This allow...

9.9CVSS5.8AI score0.00431EPSS
Exploits0References13
RedhatCVE
RedhatCVE
added 2026/03/31 10:59 a.m.3 views

CVE-2026-1612

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

6.9CVSS5.8AI score0.00392EPSS
Exploits0References1
NVD
NVD
added 2026/03/30 11:16 a.m.7 views

CVE-2026-1612

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

6.9CVSS0.00392EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/30 9:56 a.m.24 views

CVE-2026-1612 Hard-coded AWS Key in AL-KO Robolinho Update Software

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

6.9CVSS0.00392EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/30 9:56 a.m.3 views

CVE-2026-1612 Hard-coded AWS Key in AL-KO Robolinho Update Software

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

6.9CVSS5.8AI score0.00392EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/30 9:56 a.m.4 views

CVE-2026-1612

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

6.9CVSS5.8AI score0.00392EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/03/30 9:56 a.m.12 views

CVE-2026-1612

AL-KO Robolinho Update Software contains hard-coded AWS Access and Secret keys that grant at least read access to objects in an AWS bucket. The vulnerability is documented for version 8.0.21.0610 as vulnerable; other versions were not tested and may also be affected. No remediation details are pr...

6.9CVSS5.8AI score0.00392EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.8 views

AL-KO Robolinho Update Software 信任管理问题漏洞

AL-KO Robolinho Update Software is a firmware update tool developed by the German company AL-KO. Version 8.0.21.0610 of AL-KO Robolinho Update Software contains a vulnerability related to trust management. This vulnerability stems from hard-coded AWS keys, which may allow unauthorized access to A...

6.9CVSS5.8AI score0.00392EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.9 views

PT-2026-29008

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

6.9CVSS5.9AI score0.00392EPSS
Exploits0References2
NVD
NVD
added 2026/03/11 9:16 p.m.5 views

CVE-2026-32101

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized function is declared async returns Promise but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in...

7.6CVSS0.00183EPSS
Exploits1References1
Rows per page
Query Builder