Lucene search
K

53054 matches found

NVD
NVD
added yesterday3 views

CVE-2026-57418

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.13...

6.5CVSS0.0034EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added yesterday3 views

xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free in FreeCounter()

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter. A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for...

7.8CVSS6.9AI score0.00154EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added yesterday5 views

xorg: X11: xserver: X.org: glamor Font Atlas Heap Buffer Overflow

A flaw was found in the glamorfontget function of the xorg-x11-server. This vulnerability, a heap buffer overflow, occurs when the server processes a specially crafted PCF font file where individual glyph metrics exceed the declared maximum bounds. An authenticated X client can exploit this by...

8.5CVSS6.5AI score0.00212EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday6 views

CVE-2026-41041 Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints.

URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue...

0.00214EPSS
Exploits0References1
CVE
CVE
added yesterday4 views

CVE-2026-57418

CVE-2026-57418 covers a Missing Authorization vulnerability in the WordPress/plugin set associated with Sprout Invoices, specifically the Sprout Invoices Client Invoicing (WordPress plugin, versions up to 20.8.13). The root cause is an Incorrectly Configured Access Control , described as broken a...

6.5CVSS6.1AI score0.0034EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday5 views

CVE-2026-57418 WordPress Client Invoicing by Sprout Invoices plugin <= 20.8.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.13...

6.5CVSS0.0034EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday127 views

KeyCloak - Information Exposure

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients like client secret without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this...

6.5CVSS6.6AI score0.17943EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday12 views

Apache Kafka Client - Arbitrary File Read

Apache Kafka Client contains arbitrary file read and server-side request forgery caused by untrusted configuration of sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url, letting attackers read files or send requests to unintended locations, exploit requires untrusted party...

7.5CVSS7AI score0.62368EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday747 views

aiohttp - Directory Traversal

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

7.5CVSS6.8AI score0.76875EPSS
Exploits15References3
Nuclei
Nuclei
added yesterday19 views

Zimbra - Cross-Site Scripting via ICS Files

Detects Zimbra Collaboration Suite versions vulnerable to CVE-2025-27915, a stored XSS vulnerability in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an email with a malicious ICS entry, embedded JavaScript executes via an ontoggle event...

5.4CVSS6.7AI score0.04241EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday139 views

ServiceNow - Cross-site Scripting

A XSS vulnerability was identified in the ServiceNow UI page assessmentredirect. To exploit this vulnerability, an attacker would need to persuade an authenticated user to click a maliciously crafted URL. Successful exploitation potentially could be used to conduct various client-side attacks,...

6.1CVSS6.4AI score0.01089EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday277 views

Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting

Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response i...

6.1CVSS6.6AI score0.37246EPSS
Exploits3References6
RedHat Linux
RedHat Linux
added yesterday8 views

xorg: X11: xserver: X.org: glamor Font Atlas Heap Buffer Overflow

A flaw was found in the glamorfontget function of the xorg-x11-server. This vulnerability, a heap buffer overflow, occurs when the server processes a specially crafted PCF font file where individual glyph metrics exceed the declared maximum bounds. An authenticated X client can exploit this by...

8.5CVSS6.5AI score0.00212EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added yesterday4 views

xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free in SyncChangeCounter()

A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter. A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or f...

7.8CVSS6.8AI score0.0014EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added yesterday2 views

xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free in FreeCounter()

A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter. A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for...

7.8CVSS6.9AI score0.00154EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in slds-lsp-client (npm)

The slds-lsp-client package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Salesforce SLD...

6.1AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago7 views

Malicious code in babel-preset-lib-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4 index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP via...

6.1AI score
Exploits0References4
CVE
CVE
added 2 days ago14 views

CVE-2026-61876

LuCI DHCPv6 lease hostnames are not properly encoded before rendering in status pages, enabling stored cross-site scripting. An adjacent attacker can deliver a DHCPv6 Client FQDN containing script tags that execute in the administrator’s browser when viewing DHCP lease pages. Affected: LuCI web i...

9.4CVSS6.2AI score0.002EPSS
Exploits0References2
CVE
CVE
added 3 days ago15 views

CVE-2026-10660

The CVE-2026-10660 issue affects the Zephyr Bluetooth BAP Broadcast Assistant GATT client (subsys/bluetooth/audio/bap_broadcast_assistant.c). A single static net_buf_simple buffer (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512) is shared across all connections; per-connection state (BUSY flag, long-rea...

6.4CVSS6.2AI score0.00159EPSS
Exploits0References2
NVD
NVD
added 3 days ago5 views

CVE-2026-10865

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...

5.3CVSS0.0037EPSS
Exploits0References10
Rows per page
Query Builder