CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/06/10 1:59 p.m.•9 views

EUVD-2026-36036

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS5.5AI score0.00199EPSS

Cvelist•added 2026/06/10 1:59 p.m.•32 views

CVE-2026-45552 Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...

9.9CVSS0.00267EPSS

EUVD•added 2026/06/10 1:59 p.m.•7 views

EUVD-2026-36035

9.9CVSS5.5AI score0.00267EPSS

CVE•added 2026/06/10 1:59 p.m.•11 views

CVE-2026-45552

CVE-2026-45552 affects Roxy-WI web interface (versions up to 8.2.6.4). The install blueprint allows bp.before_request → @jwt_required(), but several endpoints under /install/* (install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, get_task_status) lack admin/ownership c...

9.9CVSS5.5AI score0.00267EPSS

EUVD•added 2026/06/10 1:55 p.m.•7 views

EUVD-2026-36032

A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security TLS connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle MITM attacker to intercept and harvest vCenter administrator credentials. This can lead to...

9.3CVSS5.4AI score0.00253EPSS

Vulnrichment•added 2026/06/10 1:55 p.m.•5 views

CVE-2026-53474 Migration-planner: second-order sql injection via rvtools upload

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

9.6CVSS5.8AI score0.00298EPSS

EUVD•added 2026/06/10 1:55 p.m.•8 views

EUVD-2026-36030

9.6CVSS5.8AI score0.00298EPSS

Cvelist•added 2026/06/10 1:55 p.m.•36 views

CVE-2026-53473 Migration-planner-ui-app: stored xss via javascript: url in agent credential link

A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser...

7.3CVSS0.00187EPSS

Ubuntu•added 2026/06/10 6:44 a.m.•13 views

USN-8417-1: Tomcat vulnerabilities

It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. CVE-2026-41284 It was discovered that Tomcat incorrectly validated HTTP/2...

9.8CVSS7.7AI score0.0078EPSS

Exploits2

EUVD•added 2026/06/10 12:31 a.m.•7 views

EUVD-2026-35886

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository saml2assertingpartymetadata may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials verificationcredentials and...

7.3CVSS5.5AI score0.00198EPSS

6.2CVSS5.5AI score0.00153EPSS

EUVD-2026-35845

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this iss...

EUVD•added 2026/06/10 12:31 a.m.•7 views

EUVD-2026-35856

MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction...

6.8CVSS5.5AI score0.00119EPSS

7.5CVSS5.5AI score0.00407EPSS

EUVD-2026-35849

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user...

EUVD•added 2026/06/10 12:31 a.m.•11 views

EUVD-2026-35846

6.2CVSS5.5AI score0.00153EPSS

EUVD•added 2026/06/10 12:31 a.m.•10 views

EUVD-2026-35850

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require...

7.5CVSS5.5AI score0.0043EPSS

5.5CVSS5.6AI score0.0017EPSS

EUVD-2026-35844

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could result in an arbitrary file system write. An attacker could leverage this vulnerability to write to...

EUVD•added 2026/06/10 12:31 a.m.•15 views

EUVD-2026-35843

7.5CVSS5.5AI score0.00407EPSS

6.2CVSS5.5AI score0.00153EPSS

EUVD-2026-35848