34393 matches found
CVE-2026-46421
The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]....
CVE-2026-62355
TDengine (TDengine Cloud DB) prior to 3.4.1.15 had a permission issue where a Data Reader admin_user could run create udf and access non-database objects, despite read-only intent for standard users. The vulnerability impact is limited to unauthorized creation of user-defined functions and relate...
CVE-2026-20297
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the editlocalapps and installapps capabilities could cause a legitimate app...
EUVD-2026-44738
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes...
CVE-2026-20298 Sensitive Information Disclosure through the storage/passwords REST Endpoint in Splunk Enterprise
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes...
EUVD-2026-44736
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the editlocalapps and installapps capabilities could cause a legitimate app...
CVE-2026-20297 Path Traversal through 'explicit_appname' in the App Install REST Endpoint in Splunk Enterprise
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the editlocalapps and installapps capabilities could cause a legitimate app...
CVE-2026-61613
Cursor is a code editor built for programming with AI. Prior to the Cloud Agent fix on 03/31/2026, browser-enabled Cursor Cloud Agent sessions allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint, enabling code execution...
EUVD-2026-44678
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an...
CVE-2026-61646 FastGPT: Shared axios SSRF guard validates only the initial URL before following redirects
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an...
CVE-2026-61646 FastGPT: Shared axios SSRF guard validates only the initial URL before following redirects
FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an...
CVE-2026-61613
Cursor: Cloud Agent browser sandbox escape where attacker-controlled web content inside the agent container could reach an unauthenticated local agent endpoint, allowing code execution and access to files, repository contents, environment variables, credentials, and GitHub App tokens. Fixed 2026-...
SASE Has An AI Blind Spot. Inspecting Packets Is No Longer Enough.
For years, routing traffic through cloud proxies was good enough. Then work moved to the browser, AI entered the workflow, and the inspection model stopped keeping up. Enterprise workflows now live across SaaS applications, browsers, and an expanding ecosystem of generative AI tools, unsanctioned...
CVE-2026-15583 SSRF (confused deputy) in Grafana MCP Server via X-Grafana-URL header
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud...
CVE-2026-15583
Grafana MCP Server is affected by CVE-2026-15583, a confusion-deputy vulnerability that allows an unauthenticated remote attacker to exfiltrate the server’s Grafana service-account token and perform SSRF via a crafted X-Grafana-URL header. The flaw enables targeting internal services, including c...
PT-2026-60233
Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 10.4.1 Splunk Enterprise versions prior to 10.2.5 Splunk Enterprise versions prior to 10.0.8 Splunk Enterprise versions prior to 9.4.13 Splunk Cloud Platform versions prior to 10.5.2605.0 Splunk Cloud Platfo...
CVE-2026-61520
Simple Machines Forum 2.1 prior to commit 4bf35cf and 3.0 prior to commit b4d23df contains a server-side request forgery vulnerability in the image proxy that allows authenticated attackers to trigger internal HTTP requests by embedding attacker-controlled URLs in BBCode image tags, which the pro...
CVE-2026-48344
Creative Cloud Desktop is affected by a Time-of-check Time-of-use TOCTOU Race Condition vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user...
CVE-2026-48272
Creative Cloud Desktop is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scop...
CVE-2026-48272 Creative Cloud Desktop | Uncontrolled Search Path Element (CWE-427)
Creative Cloud Desktop is affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. Scop...