
426 matches found

AstraLinux
added 2026/06/19 11:10 a.m., 8 views

Astra Linux – Vulnerability in symfony

Symfony is a PHP framework for web and console applications, along with a set of reusable PHP components. When authenticating users, Symfony automatically regenerates the session ID upon login, but preserves the remaining session attributes. Since this does not clear the CSRF tokens upon login, i...

CVSS 8.8 | AI score 7 | EPSS 0.0079
Exploits 0 | References 2
Cvelist
added 2026/04/30 12:00 a.m., 38 views

CVE-2026-36960

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

EPSS 0.00183
Exploits 0 | References 2
Vulnrichment
added 2026/04/30 12:00 a.m., 3 views

CVE-2026-36960

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

AI score 5.4 | EPSS 0.00183
Exploits 0 | References 2
EUVD
added 2026/04/30 12:00 a.m., 9 views

EUVD-2026-26377

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

CVSS 8.8 | AI score 5.5 | EPSS 0.00171
Exploits 1 | References 2
CVE
added 2026/04/30 12:00 a.m., 8 views

CVE-2026-36960

CVE-2026-36960 describes a CSRF flaw in the web management interface of the U-SPEED N300 Router V1.0.0. The device lacks anti-CSRF tokens and strict Origin/Referer checks for administrative endpoints, enabling a crafted page to trigger forged requests when an authenticated administrator visits it...

CVSS 8.8 | AI score 5.4 | EPSS 0.00183
Exploits 0 | References 2
ATTACKERKB
added 2026/03/28 6:43 p.m., 2 views

CVE-2025-15604

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 has...

AI score 5.8 | EPSS 0.00521
Exploits 0 | References 5
Cvelist
added 2026/03/28 6:43 p.m., 32 views

CVE-2025-15604 Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 has...

EPSS 0.00521
Exploits 0 | References 4
Positive Technologies
added 2026/03/17 12:00 a.m., 13 views

PT-2026-25909

Name of the Vulnerable Software and Affected Versions: Next.js versions 16.0.1 through 16.1.7. Description: Next.js, a React framework for building full-stack web applications, had a flaw in its Server Action CSRF validation. Specifically, origin: null was incorrectly treated as a missing origin,...

CVSS 5.3 | AI score 5.8 | EPSS 0.002
Exploits 1 | References 14
Tenable Nessus
added 2026/03/03 12:00 a.m., 5 views

Ubuntu 16.04 LTS / 20.04 LTS : Mailman vulnerability (USN-8067-1)

The remote Ubuntu 16.04 LTS / 20.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-8067-1 advisory. It was discovered that Mailman incorrectly handled CSRF tokens. A remote list member or moderator could possibly use their own token to craft an admin...

CVSS 8.8 | AI score 6 | EPSS 0.0073
Exploits 0 | References 2
RedhatCVE
added 2026/01/23 6:19 a.m., 5 views

CVE-2026-24037

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the hasxss function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to...

CVSS 5.4 | AI score 5.3 | EPSS 0.00227
Exploits 1 | References 1
NVD
added 2026/01/22 4:15 a.m., 4 views

CVE-2026-24037

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the hasxss function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to...

CVSS 5.4 | EPSS 0.00227
Exploits 1 | References 2
RedhatCVE
added 2026/01/19 11:25 p.m., 4 views

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (DefaultPolicy) that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS 6.8 | AI score 5.7 | EPSS 0.00389
Exploits 1 | References 1
Snyk
added 2026/01/18 11:48 p.m., 3 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the export process. An attacker with export permissions can access sensitive information, including environment variables, user password hashes, serialized sessio...

CVSS 8.2 | AI score 5.8 | EPSS 0.00389
Exploits 1 | References 2
NVD
added 2026/01/18 11:15 p.m., 5 views

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (DefaultPolicy) that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS 6.8 | EPSS 0.00389
Exploits 1 | References 4
Cvelist
added 2026/01/18 10:45 p.m., 16 views

CVE-2026-23626 Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (DefaultPolicy) that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS 6.8 | EPSS 0.00389
Exploits 1 | References 4
ATTACKERKB
added 2026/01/18 10:45 p.m., 3 views

CVE-2026-23626

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (DefaultPolicy) that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS 6.8 | AI score 5.5 | EPSS 0.00389
Exploits 1 | References 5 | Affected Software 1
Vulnrichment
added 2026/01/18 10:45 p.m., 2 views

CVE-2026-23626 Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (DefaultPolicy) that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS 6.8 | AI score 5.7 | EPSS 0.00389
Exploits 1 | References 4
OSV
added 2026/01/18 10:45 p.m., 6 views

CVE-2026-23626 Kimai Vulnerable to Authenticated Server-Side Template Injection (SSTI)

Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (DefaultPolicy) that allows arbitrary method calls on objects available in the template context. An authenticated user with...

CVSS 6.8 | AI score 5.7 | EPSS 0.00389
Exploits 1 | References 6
RedhatCVE
added 2026/01/09 9:21 a.m., 7 views

CVE-2021-41245

Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, CSRF tokens generated by privUITransactionFile aren't properly checked. Versions 2.7.6 and 3.0.0 contain a patch for this issue. As a workaround, use the session implementation by adding in the iTop conf...

CVSS 8.1 | AI score 6.9 | EPSS 0.00694
Exploits 1 | References 1
GithubExploit
added 2025/12/29 10:08 a.m., 273 views

Exploit for Improper Certificate Validation in Apache Http_Server

Uefiscdi-Gov-Ro-Vulnerability- UNTESTED PAYLOADS, WAF-BYPASS,...

CVSS 7.8 | AI score 8.8 | EPSS 0.98945
Exploits 29