Lucene search
K

58425 matches found

Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.8 views

PT-2026-51453

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.3 Description The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by recaptcha...

7.4CVSS6AI score0.0029EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.16 views

PT-2026-51299

Name of the Vulnerable Software and Affected Versions Tempo datasource plugin affected versions not specified Loki datasource plugin affected versions not specified Description These plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization,...

5.4CVSS5.8AI score0.00258EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.16 views

PT-2026-51454

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.0 Description An authentication bypass exists in the Budibase server route POST /api/attachments/:datasourceId/url because it lacks the authorized... middleware. An anonymous attacker who can enumerate a workspa...

9.4CVSS6AI score0.00415EPSS
Exploits1References6
NVD
NVD
added 2026/06/21 2:16 p.m.13 views

CVE-2026-56382

Craft CMS composer package craftcms/cms versions = 5.5.0 and = 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...

8.6CVSS0.00493EPSS
Exploits0References2
NVD
NVD
added 2026/06/21 2:16 p.m.18 views

CVE-2026-56229

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS0.00221EPSS
Exploits0References2
NVD
NVD
added 2026/06/21 2:16 p.m.12 views

CVE-2026-56236

Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions...

6.8CVSS0.00134EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:26 p.m.14 views

CVE-2026-56299

CVE-2026-56299 (Capgo) affects Capgo prior to 12.128.2. An authentication bypass in the /build/upload/:jobId/* endpoint allows unauthenticated remote attackers to trigger repeated 500 errors by sending OPTIONS requests, bypassing authentication middleware and invoking tusProxy logic with invalid ...

6.9CVSS5.9AI score0.00391EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:26 p.m.14 views

CVE-2026-56236

CVE-2026-56236 affects Capgo CLI prior to 12.128.2. The issue is arbitrary file overwrite in login and build credentials operations that follow symlinks without validation. An attacker can place malicious symlinks in a repository to overwrite arbitrary files or expose credentials with world-reada...

6.8CVSS6AI score0.00134EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56236

Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions...

6.8CVSS6AI score0.00134EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/21 1:26 p.m.29 views

CVE-2026-56236 Capgo CLI - Arbitrary File Overwrite via Symlink-Following in Local Credential Operations

Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions...

6.8CVSS0.00134EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/21 1:26 p.m.7 views

EUVD-2026-38165

Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions...

6.8CVSS6AI score0.00134EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/21 1:26 p.m.8 views

EUVD-2026-38164

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS5.9AI score0.00221EPSS
Exploits0References2
NVD
NVD
added 2026/06/20 7:16 p.m.13 views

CVE-2026-56342

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

6.8CVSS0.00236EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/20 7:8 p.m.13 views

Malicious code in d0rk3r-telemetry (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da4542d225ef144ecc5df2f578104ffc12659196c57b2214ecb54f60620601c6 On import d0rk3rtelemetry, the package spawns a background thread that reads installer-owned secrets and POSTs them to an attacker-controlled endpoin...

6AI score
Exploits0References3
OSV
OSV
added 2026/06/20 7:8 p.m.8 views

MAL-2026-6244 Malicious code in d0rk3r-telemetry (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da4542d225ef144ecc5df2f578104ffc12659196c57b2214ecb54f60620601c6 On import d0rk3rtelemetry, the package spawns a background thread that reads installer-owned secrets and POSTs them to an attacker-controlled endpoin...

6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/20 6:47 p.m.8 views

Malicious code in request-cache-py (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eafb96e46544cb1351d26caf52bff79055bc205a1f8454737b677fff8fbc6fea request-cache-py impersonates the legitimate requests-cache HTTP caching library. On import requestcachepy, the package's init.py starts a background...

6.1AI score
Exploits0References7
OSV
OSV
added 2026/06/20 6:47 p.m.6 views

MAL-2026-6245 Malicious code in request-cache-py (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eafb96e46544cb1351d26caf52bff79055bc205a1f8454737b677fff8fbc6fea request-cache-py impersonates the legitimate requests-cache HTTP caching library. On import requestcachepy, the package's init.py starts a background...

6.1AI score
Exploits0References7
EUVD
EUVD
added 2026/06/20 6:27 p.m.8 views

EUVD-2026-38131

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

6.8CVSS6AI score0.00236EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/20 3:24 p.m.29 views

CVE-2026-56276 Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

6CVSS0.00251EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/20 12:0 a.m.13 views

PT-2026-51151

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the 'PUT /api/v1/user' endpoint. This allows authenticated users to modify the credential field without proper validation. By providing a crafted password hash, an...

6CVSS5.9AI score0.00251EPSS
Exploits0References9
Rows per page
Query Builder