Lucene search
K

5203 matches found

Nuclei
Nuclei
added yesterday64 views

NocoBase - SQL Injection

NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...

7.2CVSS6.1AI score0.01833EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday90 views

NocoBase - SQL Injection

NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...

8.8CVSS6.2AI score0.01875EPSS
Exploits1References2
OSV
OSV
added 2 days ago3 views

MAL-2026-10403 Malicious code in @iana-rzms/bff-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b7adbad0c719aec3345c5aa16b3435e8621f4a81b5a0e0cf0e0d979509e5d21f Package published to the public @iana-rzms scope as a dependency-confusion squat targeting an internal ICANN namespace. The preinstall lifecycle scri...

6.1AI score
Exploits0References1
NVD
NVD
added 4 days ago7 views

CVE-2026-60090

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store createcollection backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value declared as int but not enforced at runtime is...

9.8CVSS0.0041EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-60090 PraisonAI before 4.6.78 SQL/CQL Injection via vector dimension

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store createcollection backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value declared as int but not enforced at runtime is...

9.8CVSS0.0041EPSS
Exploits0References3
CVE
CVE
added 4 days ago15 views

CVE-2026-60090

CVE-2026-60090 affects PraisonAI prior to 4.6.78, exposing a SQL/CQL injection risk via the vector dimension in the PGVector and Cassandra knowledge-store backends. The root cause is that the caller-controlled dimension value is interpolated into the generated CREATE TABLE DDL without runtime enf...

9.8CVSS6.1AI score0.0041EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago10 views

EUVD-2026-43175

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store createcollection backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value declared as int but not enforced at runtime is...

9.8CVSS6.1AI score0.0041EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 9:16 p.m.13 views

CVE-2026-54601

CVE-2026-54601 affects FastGPT up to 4.15.0-beta4, where an authenticated tenant user can abuse POST /api/core/dataset/collection/create/reTrainingCollection to persist a server-owned datasetId from another tenant. This yields mixed dataset objects and downstream endpoints (dataset, collection, a...

6.3CVSS6AI score0.00246EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/07 9:16 p.m.24 views

CVE-2026-54601 FastGPT: reTrainingCollection allows server-owned datasetId override causing cross-tenant authorization confusion

FastGPT is an open source AI knowledge base platform. From 4.14.17 to before 4.15.0-beta4, FastGPT allows an authenticated tenant user to call POST /api/core/dataset/collection/create/reTrainingCollection in a way that persists a server-owned datasetId value from another tenant. This creates mixe...

6.3CVSS0.00246EPSS
Exploits0References4
NVD
NVD
added 2026/07/07 8:16 a.m.10 views

CVE-2026-8377

Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows Collect Data from Common Resource Locations. This issue affects Access Control System GKS: before Version 2...

8.2CVSS0.00198EPSS
Exploits0References1
CVE
CVE
added 2026/07/07 7:25 a.m.14 views

CVE-2026-8377

CVE-2026-8377 affects Armiya Information Technologies Ltd. Co. Access Control System (GKS) prior to version 2. The vulnerability is described as Missing/Improper Authorization allowing data collection from common resource locations. According to the connected records, the issue enables network-ba...

8.2CVSS5.9AI score0.00198EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/07 7:25 a.m.34 views

CVE-2026-8377 Improper Authorization in Armiya Technologies' Access Control System

Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows Collect Data from Common Resource Locations. This issue affects Access Control System GKS: before Version 2...

8.2CVSS0.00198EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/07 7:25 a.m.7 views

CVE-2026-8377

Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows Collect Data from Common Resource Locations. This issue affects Access Control System GKS: before Version 2...

8.2CVSS5.9AI score0.00198EPSS
Exploits0References2
NVD
NVD
added 2026/07/07 4:17 a.m.10 views

CVE-2026-34149

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an...

3.3CVSS0.00221EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:22 p.m.6 views

CVE-2026-34049

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. From 4.0.0-beta.451 through 4.0.0-beta.470, database backup handling for MongoDB collection names did not fully validate shell metacharacters, allowing a highly privileged attacker who can configur...

3.3CVSS6AI score0.00195EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/07/06 9:22 p.m.11 views

CVE-2026-34049

Coolify (open-source self-hosted) versions 4.0.0-beta.451–4.0.0-beta.470 have a command-injection risk in MongoDB backup handling where collection names do not fully validate shell metacharacters. An attacker with the ability to configure backup inputs and high privileges can inject commands into...

3.3CVSS6AI score0.00195EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 3:6 a.m.9 views

Malicious code in zod-pino444 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 560c3d47344d4da5dffac230236b5248d2f1856c221ffac7ff72d4e3b197957b Package [email protected] is a credential/secret harvester disguised behind a benign-sounding name. scripts/postinstall-agent.mjs is a...

6AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.5 views

Malicious code in @flex-ng/error-component (npm)

The @flex-ng/error-component package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the...

6.1AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/07/05 2:59 p.m.13 views

CVE-2026-53361

A flaw was found in the Linux kernel's afunix component. A race condition exists within the unixgc garbage collection function where the gcinprogress flag may not be correctly set. This could lead to unixpeekfpl misinterpreting garbage collection status when handling MSGPEEK operations, potential...

7CVSS5.9AI score0.00171EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/05 12:2 p.m.36 views

CVE-2026-59509 Unauthenticated arbitrary MongoDB collection read in cve-search

An unauthenticated improper input validation vulnerability in the POST /fetchcvedata endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections...

9.2CVSS0.00349EPSS
Exploits0References2
Rows per page
Query Builder