Lucene search
K

58341 matches found

NVD
NVD
added 2026/06/08 8:17 p.m.20 views

CVE-2026-40519

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

7.7CVSS0.00921EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/08 7:28 p.m.6 views

CVE-2026-40519

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

7.7CVSS6.7AI score0.00921EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/06/08 7:28 p.m.13 views

EUVD-2026-35196

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

7.7CVSS6.7AI score0.00921EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/08 7:28 p.m.9 views

CVE-2026-40519 Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

7.7CVSS6.7AI score0.00921EPSS
Exploits0References3
CVE
CVE
added 2026/06/08 7:28 p.m.71 views

CVE-2026-40519

Nginx Proxy Manager versions 2.9.14–2.15.1 are affected by an authenticated remote code execution via OS command injection in backend/setup.js (setupCertbotPlugins). The user-controlled dns_provider_credentials field is interpolated directly into a shell command executed with child_process.exec()...

7.7CVSS6.7AI score0.00921EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/08 7:28 p.m.43 views

CVE-2026-40519 Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

7.7CVSS0.00921EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/08 7:20 p.m.14 views

Malicious code in nerfstudio-gs (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 523b928ceb73227e96f02eb85783222da17d0e716c9c7012b4cbcafd1e787f58 During installation or Python setup via PTH file, the code exfiltrated all kinds of sensitive data, including env variables, browser's data, SSH keys, data fro...

5.7AI score
Exploits0References1
NVD
NVD
added 2026/06/08 7:16 p.m.11 views

CVE-2026-10786

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server...

6.5CVSS0.00148EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/08 6:47 p.m.9 views

CVE-2020-37248

A flaw was found in OfflineIMAP. This vulnerability allows a remote attacker to perform a man-in-the-middle attack by exploiting the client's trust in the server's STARTTLS capability before authentication. This can lead to the attacker taking over the connection and extracting sensitive account...

6.5CVSS5.5AI score0.00186EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/08 6:26 p.m.6 views

CVE-2026-10786

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server...

6.5CVSS5.5AI score0.00148EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/08 6:26 p.m.11 views

EUVD-2026-35182

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server...

6.5CVSS5.5AI score0.00148EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/08 6:26 p.m.35 views

CVE-2026-10786

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server...

0.00148EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/08 6:26 p.m.7 views

CVE-2026-10786

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server...

5.5AI score0.00148EPSS
Exploits0References1
CVE
CVE
added 2026/06/08 6:26 p.m.21 views

CVE-2026-10786

CVE-2026-10786 affects Devolutions Server 2026.2.4.0 and 2026.1.20.0 and earlier. The issue is improper access control in the ticketing integration settings that allows an authenticated low-privilege user to obtain cleartext credentials for configured ticketing integrations via a crafted API requ...

6.5CVSS5.5AI score0.00148EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/08 4:16 p.m.14 views

CVE-2026-46440

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2...

9.1CVSS0.00251EPSS
Exploits0References2
OSV
OSV
added 2026/06/08 4:16 p.m.6 views

UBUNTU-CVE-2020-37248

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext...

6.5CVSS5.4AI score0.00186EPSS
Exploits0References7
CVE
CVE
added 2026/06/08 3:30 p.m.41 views

CVE-2026-46443

FlowiseAI Flowise (Flowise server) has a credential data leak when querying credentials with a credentialName filter. In versions prior to 3.1.2, the encryptedData field is not removed from the API response for filtered credential fetches, exposing sensitive credential data (API keys, passwords, ...

7CVSS5.4AI score0.00271EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/06/08 3:30 p.m.8 views

EUVD-2026-35111

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is...

7CVSS5.4AI score0.00271EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/08 3:29 p.m.11 views

EUVD-2026-35107

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2...

7.5CVSS7.1AI score0.00251EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/08 3:29 p.m.42 views

CVE-2026-46440 Flowise: Basic Auth Credentials Exposed via API

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2...

7.5CVSS0.00251EPSS
Exploits0References2
Rows per page
Query Builder