CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

11907 matches found

CVE-2026-45692

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different...

5.4CVSS0.00017EPSS

Exploits0References1

CVE•added yesterday•14 views

CVE-2026-45692

CVE-2026-45692 (Caddy) describes a remote admin authorization bypass where the /config traversal layer and the authorization layer disagree on the target object. Specifically, from 2.4.0 through 2.11.3, an authorized path such as /config/apps/http/servers/srv/routes/0 could be used to access or m...

5.4CVSS5.8AI score0.00017EPSS

Exploits0References1

AlpineLinux•added yesterday•3 views

CVE-2026-45692

5.4CVSS5.9AI score0.00017EPSS

Exploits0

NVD•added yesterday•3 views

CVE-2026-13007

Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/ that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings to unauthenticated remote attackers. Affected responses are...

8.7CVSS

Exploits0References1

Nuclei•added yesterday•27 views

MotionEye Config Info Disclosure

MotionEye v0.42.1 and below allows attackers to access sensitive information via a GET request to /config/list. To exploit this vulnerability, a regular user password must be unconfigured. id: CVE-2022-25568 info: name: MotionEye Config Info Disclosure author: DhiyaneshDK severity: high...

7.5CVSS7.1AI score0.06829EPSS

Exploits1References5

Nuclei•added yesterday•11 views

Progress ShareFile Storage Zones Controller - Authentication Bypass

Customer Managed ShareFile Storage Zones Controller SZC contains an authentication bypass Execution After Redirect that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution. id: CVE-2026-2699 inf...

9.8CVSS6.4AI score0.49424EPSS

Exploits1References3

Nuclei•added yesterday•16 views

XWiki Platform - Information Disclosure

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. id: CVE-2025-55747 info: name: XWiki Platform - Information Disclosure author: Redmomn...

9.3CVSS5.8AI score0.01557EPSS

Exploits0References2

Nuclei•added yesterday•10 views

Spring Cloud Config Server - Path Traversal

Spring Cloud 3.1.x 3.1.13, 4.1.x 4.1.9, 4.2.x 4.2.3, 4.3.x 4.3.2, and 5.0.x 5.0.2 contain a path traversal caused by profile parameter substitution in Config Server using native file system backend, letting attackers access files outside configured directories, exploit requires crafted request. i...

8.6CVSS5.8AI score0.0122EPSS

Exploits0References4

NVD•added 2 days ago•7 views

CVE-2026-41046

A path traversal attack when using a "configName" parameter in qSnapper before version 1.3.3 allowed a local attacker to use malicious config files for snapper and so cause a denial of service or potentially escalate privileges to root...

7.3CVSS0.00157EPSS

Exploits0References3

CVE•added 2 days ago•6 views

CVE-2026-56109

The CVE concerns ALSA Library prior to 1.2.16.1, where a double-free occurs in parse_def() (src/conf.c) due to not validating return values when parsing nested compound or array configuration blocks. This can cause snd_config_delete() to be invoked twice on an already-freed node, leading to NULL-...

7CVSS5.9AI score0.00138EPSS

Exploits0References4

Cvelist•added 2 days ago•28 views

CVE-2026-41046 path traversal via `config` parameter in qSnapper

7.3CVSS0.00157EPSS

Exploits0References3

NVD•added 2 days ago•6 views

CVE-2026-54100

A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture...

8.3CVSS0.00157EPSS

Exploits0References2

NVD•added 2 days ago•8 views

CVE-2026-54099

A flaw was found in the Windows Machine Config Operator WMCO for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A...

8.8CVSS0.00069EPSS

Exploits0References2

CVE•added 2 days ago•9 views

CVE-2026-54100

CVE-2026-54100 affects the Windows Machine Config Operator (WMCO) used with Red Hat OpenShift Container Platform. The flaw is that WMCO establishes SSH connections to Windows worker nodes without verifying the remote host key, enabling an adjacent-network attacker who can intercept or redirect WM...

8.3CVSS5.9AI score0.00157EPSS

Exploits0References2

EUVD•added 2 days ago•6 views

EUVD-2026-38234

8.3CVSS5.9AI score0.00157EPSS

Exploits0References2

CVE•added 2 days ago•9 views

CVE-2026-54099

The CVE-2026-54099 entry describes a vulnerability in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift. The WICD CSR auto-approver only checks that a CSR’s organization includes system:wicd-nodes and does not reject extra organization values such as system:masters. A compromised W...

8.8CVSS5.8AI score0.00069EPSS

Exploits0References2

EUVD•added 2 days ago•7 views

EUVD-2026-38233

8.8CVSS5.8AI score0.00069EPSS

Exploits0References2

Cvelist•added 2 days ago•30 views

CVE-2026-54099 Windows-machine-config-operator: windows-machine-config-operator: wicd csr extra-organization allows privilege escalation to system:masters

8.8CVSS0.00069EPSS

Exploits0References2