Lucene search
+L

2436 matches found

Nuclei
Nuclei
added 20 hours ago16 views

D-Link DIR-803 - Authentication Bypass

An authentication bypass vulnerability exists in D-Link DIR-803 routers firmware A1 1.04 and earlier. By manipulating the AUTHORIZEDGROUP parameter in /getcfg.php via newline injection, an attacker can retrieve XML configuration containing administrator credentials without authentication. id:...

7.5CVSS5.6AI score0.03559EPSS
Exploits1References3
Nuclei
Nuclei
added 2 days ago51 views

Kaseya VSA < 9.5.7 - Credential Disclosure via Windows Agent

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021. By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp When an attacker download a client...

10CVSS8.5AI score0.85619EPSS
Exploits1References5
Nuclei
Nuclei
added 3 days ago91 views

Crestron Device - Credentials Disclosure

An issue was discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname...

10CVSS7AI score0.75711EPSS
Exploits5References5
CVE
CVE
added 4 days ago12 views

CVE-2026-15746

CVE-2026-15746 affects strands-agents-tools’ elasticsearch_memory tool (used with Strands Agents SDK). The tool’s schema exposed connection parameters (es_url, cloud_id, api_key); if api_key is omitted, it falls back to the operator’s ELASTICSEARCH_API_KEY and may be sent to a host chosen by an L...

6.9CVSS6.1AI score0.00244EPSS
Exploits0References3
OSV
OSV
added 4 days ago4 views

CVE-2026-15746 Credential disclosure in Strands Agents Tools elasticsearch_memory tool

Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearchmemory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery SSRF issue i...

6.9CVSS6.1AI score0.00244EPSS
Exploits0References5
CVE
CVE
added 4 days ago7 views

CVE-2026-20298

CVE-2026-20298 affects Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24. A low-privileged user without admin/power roles could view stored credential hashes by query...

5.3CVSS6.1AI score0.00219EPSS
Exploits0References1
OSV
OSV
added 4 days ago7 views

JLSEC-2026-761

iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of message...

5.9CVSS6.4AI score0.01098EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/10 3:25 p.m.6 views

EUVD-2026-42927

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS6.1AI score0.00255EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/10 9:5 a.m.44 views

CVE-2026-41879 Weak password hashing in R-SOFT DMS

R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000...

8.2CVSS0.00269EPSS
Exploits0References1
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the users.getUser method in the JSON-RPC API. An attacker can retrieve sensitive credential information, such as password hashes, TOTP secrets, and session tokens, by supplying...

8.6CVSS6.1AI score0.0025EPSS
Exploits0References2
CVE
CVE
added 2026/07/06 8:43 p.m.21 views

CVE-2026-59712

According to the connected NVD records, CVE-2026-59712 affects Leantime’s JSON-RPC API via the Users::getUser method. The vulnerability arises from missing authorization checks, enabling authenticated users to call users.getUser with arbitrary user IDs and enumerate accounts. The outcome is expos...

8.6CVSS6AI score0.0025EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/06 8:43 p.m.39 views

CVE-2026-59712 Leantime - JSON-RPC API Broken Access Control via users.getUser

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS0.0025EPSS
Exploits0References4
NVD
NVD
added 2026/07/01 5:16 a.m.13 views

CVE-2026-7830

UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme rfbUltraVNCMsLogonIIAuth. In rfb/dh.cpp the Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer DHMAXBITS controls the prime size. A 64-bit DH key can be brok...

7.4CVSS0.0022EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/01 3:33 a.m.7 views

CVE-2026-7830

UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme rfbUltraVNCMsLogonIIAuth. In rfb/dh.cpp the Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer DHMAXBITS controls the prime size. A 64-bit DH key can be brok...

7.4CVSS5.8AI score0.0022EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 3:33 a.m.8 views

EUVD-2026-40882

UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme rfbUltraVNCMsLogonIIAuth. In rfb/dh.cpp the Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer DHMAXBITS controls the prime size. A 64-bit DH key can be brok...

7.4CVSS5.8AI score0.0022EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.10 views

PT-2026-54486

Name of the Vulnerable Software and Affected Versions UltraVNC versions prior to 1.8.2.3 Description Inadequate cryptography in the MS-Logon II authentication scheme rfbUltraVNC MsLogonIIAuth allows a network attacker to disclose credentials. In the file rfb/dh.cpp, the Diffie-Hellman key exchang...

7.4CVSS5.9AI score0.0022EPSS
Exploits0References7
NVD
NVD
added 2026/06/30 9:16 p.m.8 views

CVE-2025-36323

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

5.4CVSS0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/30 8:22 p.m.39 views

CVE-2025-36320 Vulnerabilities found in Watson Data Intelligence

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

6.4CVSS0.00257EPSS
Exploits0References1
CVE
CVE
added 2026/06/30 8:22 p.m.19 views

CVE-2025-36320

IBM watsonx.data intelligence (versions 5.2.0, 5.2.1, 5.2.2, 5.3.0) is described as vulnerable to stored cross-site scripting. The vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, potentially altering functionality and leading to credentials disclosure ...

6.4CVSS5.5AI score0.00257EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/30 8:19 p.m.6 views

EUVD-2025-210380

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.2.2, 5.3.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

5.4CVSS5.5AI score0.00231EPSS
Exploits0References1
Rows per page
Query Builder