58393 matches found

OSV
added 2026/06/16 2:15 p.m., 6 views

GHSA-88FW-HQM2-52QC hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Summary: With credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints...

CVSS 7.1 | AI score 5.5 | EPSS 0.00248
Exploits: 0 | References: 2
Patchstack
added 2026/06/16 2:15 p.m., 4 views

NPM: hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

NPM: hono: CORS Middleware reflects any Origin with credentials when origin defaults to the wildcard vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...

CVSS 7.1 | AI score 5.8 | EPSS 0.00248
Exploits: 0 | References: 2 | Affected software: 1
GitHub Security Blog
added 2026/06/16 2:15 p.m., 14 views

hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Summary: With credentials: true and no explicit origin (the default wildcard), the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints...

CVSS 7.1 | AI score 5.4 | EPSS 0.00248
Exploits: 0 | References: 2 | Affected software: 1
Ubuntu
added 2026/06/16 1:45 p.m., 8 views

USN-8433-1: OpenStack Keystone vulnerabilities

It was discovered that OpenStack Keystone allowed restricted application credentials to create EC2 credentials. An authenticated attacker with only a reader role could possibly use this issue to bypass the role restrictions imposed on the application credential. (CVE-2026-33551) It was discovered...

CVSS 8.8 | AI score 5.8 | EPSS 0.00446
Exploits: 6
OSV
added 2026/06/16 1:45 p.m., 4 views

USN-8433-1 keystone vulnerabilities

It was discovered that OpenStack Keystone allowed restricted application credentials to create EC2 credentials. An authenticated attacker with only a reader role could possibly use this issue to bypass the role restrictions imposed on the application credential. (CVE-2026-33551) It was discovered...

CVSS 8.8 | AI score 5.7 | EPSS 0.00446
Exploits: 6 | References: 8
Nuclei
added 2026/06/16 7:13 a.m., 116 views

Buffalo WSR-2533DHPL2 - Path Traversal

Buffalo WSR-2533DHPL2 firmware version = 1.02 and WSR-2533DHP3 firmware version = 1.24 are susceptible to a path traversal vulnerability that could allow unauthenticated remote attackers to bypass authentication in their web interfaces. id: CVE-2021-20090 info: name: Buffalo WSR-2533DHPL2 - Path...

CVSS 9.8 | AI score 8.3 | EPSS 0.99983
Exploits: 5 | References: 5
Nuclei
added 2026/06/16 7:13 a.m., 68 views

Fortinet FortiOS - Credentials Disclosure

Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12, and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7, under the SSL VPN web portal allow an unauthenticated attacker to download system files via specially crafted HTTP resource requests due to improper limitation of a...

CVSS 9.8 | AI score 8.4 | EPSS 0.99999
Exploits: 22 | References: 3
EUVD
added 2026/06/16 3:30 a.m., 8 views

EUVD-2026-37023

Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted alterna...

AI score 5.7 | EPSS 0.00295
Exploits: 0 | References: 2
EUVD
added 2026/06/16 3:30 a.m., 7 views

EUVD-2026-37024

Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain...

AI score 5.3 | EPSS 0.00112
Exploits: 0 | References: 2
Vulnrichment
added 2026/06/16 3:30 a.m., 6 views

CVE-2026-6964 Video Conferencing with Zoom <= 4.6.7 - Missing Authorization to Unauthenticated Zoom SDK Credential Exposure via 'get_auth' AJAX Action

The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain...

CVSS 5.3 | AI score 5.3 | EPSS 0.00323
Exploits: 0 | References: 8
SUSE CVE
added 2026/06/16 2:19 a.m., 6 views

SUSE CVE-2026-54421

In OpenStack Ironic before 37.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...

CVSS 6.8 | AI score 5.8 | EPSS 0.00291
Exploits: 0 | References: 3
OSSF Malicious Packages
added 2026/06/16 2:15 a.m., 9 views

Malicious code in carousel-controller-mixin (npm)

Per source details. Do not edit below this line. Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97. package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

AI score 5.8
Exploits: 0 | References: 2
OSV
added 2026/06/16 2:15 a.m., 8 views

MAL-2026-5856 Malicious code in carousel-controller-mixin (npm)

Per source details. Do not edit below this line. Source: amazon-inspector c1a4b1be297682ca77d8a92fc502887ee6d718a5541fa88413acdc6accb3ed97. package.json declares both preinstall and postinstall hooks that execute callback.js on every install. callback.js collects username, uid, hostname,...

AI score 5.8
Exploits: 0 | References: 2
NVD
added 2026/06/16 1:16 a.m., 7 views

CVE-2026-12162

Improper host validation in the social login autofill feature in Devolutions Remote Desktop Manager 2026.2.8 allows an attacker to disclose stored social login credentials via a crafted web entry pointing to a provider lookalike domain...

CVSS 5.5 | EPSS 0.00112
Exploits: 0 | References: 1
Tenable Nessus
added 2026/06/16 12:00 a.m., 27 views

Google Chrome < 149.0.7827.155 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 149.0.7827.155. It is, therefore, affected by multiple vulnerabilities as referenced in the 202606stable-channel-update-for-desktop01750511403 advisory. - Use after free in Extensions in Google Chrome prior to...

CVSS 9.6 | AI score 6 | EPSS 0.00601
Exploits: 0 | References: 67
Positive Technologies
added 2026/06/16 12:00 a.m., 11 views

PT-2026-50171

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.55; n8n versions prior to 2.25.7; n8n versions prior to 2.26.2. Description: Three Enterprise Edition endpoints used by the Dynamic Credentials feature fail to perform per-resource ownership or scope checks on target...

CVSS 9.9 | AI score 6 | EPSS 0.00343
Exploits: 0 | References: 6
Positive Technologies
added 2026/06/16 12:00 a.m., 15 views

PT-2026-50129

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. In versions 1.56.0 through 1.101.0, 2.0.0b1, and 2.0.0b2, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form that the previous fix, CVE-2026-46678...

CVSS 6.8 | AI score 5.3 | EPSS 0.00332
Exploits: 0 | References: 7
Tenable Nessus
added 2026/06/16 12:00 a.m., 7 views

Google Chrome < 149.0.7827.155 Multiple Vulnerabilities

The version of Google Chrome installed on the remote Windows host is prior to 149.0.7827.155. It is, therefore, affected by multiple vulnerabilities as referenced in the 202606stable-channel-update-for-desktop01750511403 advisory. - Use after free in Extensions in Google Chrome prior to...

CVSS 9.6 | AI score 6 | EPSS 0.00601
Exploits: 0 | References: 67
Positive Technologies
added 2026/06/16 12:00 a.m., 14 views

PT-2026-50172

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 2.25.7; n8n versions prior to 2.26.2. Description: A prototype pollution issue allows a crafted public webhook payload to inject attacker-controlled fields into workflow data during internal object copying. Prototype polluti...

CVSS 6.4 | AI score 5.9 | EPSS 0.00259
Exploits: 0 | References: 5
Positive Technologies
added 2026/06/16 12:00 a.m., 16 views

PT-2026-49737

Name of the Vulnerable Software and Affected Versions: Hono versions prior to 4.12.25. Description: The CORS Middleware reflects the request Origin and sends Access-Control-Allow-Credentials: true when credentials: true is enabled and no explicit origin is defined (defaulting to the wildcard). This...

CVSS 7.1 | AI score 5.9 | EPSS 0.00248
Exploits: 0 | References: 4