Lucene search
+L

1936 matches found

CVE
CVE
added 2026/07/08 7:43 p.m.8 views

CVE-2026-59806

Gradio before 6.20.0 is affected by an open redirect and server-side request forgery via the /gradio_api/file= endpoint, allowing an attacker to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to file_fetch(). Attackers could craft a malicious...

7.4CVSS6AI score0.00247EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/08 12:15 a.m.8 views

EUVD-2026-42144

Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privileged authenticated customer to look up domains they do not own, because ownership is enforced only for certain lookup filters and schema validation is bypassed for legacy protocol versions. This result...

9.9CVSS6AI score0.00364EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/07 5:41 p.m.6 views

CVE-2026-7017

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, mayberedirect follows the Location: header and prepareheadersandcb re-merges the caller's headers argument into the new request, without checking whether...

7.1CVSS6AI score0.0026EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/07 5:41 p.m.9 views

EUVD-2026-42072

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, mayberedirect follows the Location: header and prepareheadersandcb re-merges the caller's headers argument into the new request, without checking whether...

7.1CVSS6AI score0.0026EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/07/06 9:37 p.m.7 views

9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover

Summary The /api/settings/database endpoint allows full database export containing all credentials, API keys, OAuth tokens, and settings and full database import complete overwrite without any authentication requirement beyond the ALWAYSPROTECTED middleware check, which only validates JWT or CLI...

9.9CVSS6AI score0.00685EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/07/06 7:52 p.m.8 views

CVE-2026-13769

A flaw was found in AWS CLI. Overly permissive file permissions on Unix-like systems, where the umask has not been configured to restrict file permissions, may allow other local users on the same host to read credentials. This occurs when certain AWS CLI subcommands, such as aws codeartifact logi...

6.8CVSS5.9AI score0.00101EPSS
Exploits0References7
NVD
NVD
added 2026/07/06 7:16 p.m.8 views

CVE-2026-13753

A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version =TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive...

7.5CVSS0.00271EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 6:0 p.m.6 views

CVE-2026-13753

A missing authorization vulnerability exists in the embedded webserver of HP Deskjet 2800 Series Printers running firmware version =TBP1CN2612AR. An unauthenticated attacker with network access can send GET requests to multiple exposed administrative API endpoints and retrieve sensitive...

7.5CVSS6AI score0.00271EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:11 a.m.7 views

CVE-2026-49365

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to fal...

5.8AI score0.00363EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/06 8:9 a.m.33 views

CVE-2026-48206 Apache Camel JIRA: A set of non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations using the endpoint's configured credentials

Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel JIRA component. The camel-jira producers read their operation parameters - the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minute...

0.00349EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 7:18 a.m.39 views

CVE-2026-14808 PROG MIS|Prog Management System - Exposure of Sensitive Information

Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain the database account and password...

9.8CVSS0.00507EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.13 views

PT-2026-55961

Name of the Vulnerable Software and Affected Versions HP Deskjet 2800 Series Printers versions prior to TBP1CN2612AR Description A missing authorization flaw exists in the embedded webserver. An unauthenticated attacker with network access can bypass administrative controls by sending GET request...

7.5CVSS6AI score0.00271EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.5 views

PT-2026-57884

Name of the Vulnerable Software and Affected Versions 9Router versions prior to 0.4.42 Description An unauthenticated access issue exists due to missing authentication middleware in the Next.js API routes located under src/app/api/providers/. This allows remote attackers to interact with provider...

10CVSS6.1AI score0.01905EPSS
Exploits0References9
CVE
CVE
added 2026/07/02 7:41 p.m.16 views

CVE-2026-59095

CVE-2026-59095 affects LobeChat prior to 2.2.10-canary.18. It is a server-side request forgery (SSRF) vulnerability where authenticated attackers can supply input to the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints that use the global fetch without the...

8.3CVSS5.9AI score0.00235EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:39 p.m.8 views

CVE-2026-59092

JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the...

7.7CVSS5.9AI score0.00266EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/02 7:39 p.m.36 views

CVE-2026-59092 JuiceFS - Authentication Bypass via pprof and metrics Endpoints

JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the...

7.7CVSS0.00266EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.13 views

PT-2026-55293

Name of the Vulnerable Software and Affected Versions JuiceFS versions prior to 1.3.2 Description An authentication bypass exists due to improper handler registration on the shared http.DefaultServeMux. This allows unauthenticated remote attackers to access sensitive debug and metrics endpoints...

7.7CVSS6AI score0.00266EPSS
Exploits0References7
OSV
OSV
added 2026/07/01 6:34 p.m.5 views

CVE-2026-13769 Overly permissive File Permissions in AWS CLI

Overly permissive file permissions in AWS CLI before 1.44.78 v1 and 2.34.29 v2 on Unix-like systems where the umask has not been configured to restrict file permissions the default on most systems may allow other local users on the same host to read credentials written by certain CLI subcommands...

6.8CVSS5.9AI score0.00101EPSS
Exploits0References6
CVE
CVE
added 2026/07/01 3:46 p.m.17 views

CVE-2026-13211

CVE-2026-13211 affects the Genucenter web interface prior to version 8.0p11, where SNMP authentication and encryption keys are exposed in HTTP responses to users with Service or Admin roles. This disclosure creates a confidentiality risk (SNMP credentials exposed); the documentation does not spec...

4.3CVSS5.8AI score0.00139EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/30 10:11 p.m.26 views

CVE-2026-54673 electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime`

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...

8.2CVSS0.00235EPSS
Exploits0References2
Rows per page
Query Builder