Lucene search
+L

7675 matches found

EUVD
EUVD
added 2026/07/09 12:29 p.m.10 views

EUVD-2026-42589

The implementation of an internal and undocumented Dashboard API endpoint POST /api/users//user/tokens forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user with more...

8.7CVSS6.4AI score0.00281EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/07/08 9:12 p.m.8 views

Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

Summary Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port TCP 24282, hardcoded as 0x5EDA in constants.py. The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/07/08 2:16 p.m.8 views

CVE-2026-15034

A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up to 5.0.2. Affected by this issue is some unknown functionality. Such manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used...

5.3CVSS0.00222EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/08 1:30 p.m.31 views

CVE-2026-15034 flask-dashboard Flask-MonitoringDashboard cross-site request forgery

A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up to 5.0.2. Affected by this issue is some unknown functionality. Such manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used...

5.3CVSS0.00222EPSS
Exploits0References9
CVE
CVE
added 2026/07/08 1:30 p.m.14 views

CVE-2026-15034

CVE-2026-15034 affects the Flask-MonitoringDashboard component of the Flask-dashboard project up to version 5.0.2. The issue is described as a cross-site request forgery (CSRF) affecting an unknown functionality, with the attack potentially executable remotely. Public exploit information is indic...

5.3CVSS5.2AI score0.00222EPSS
Exploits0References9
EUVD
EUVD
added 2026/07/08 1:30 p.m.6 views

EUVD-2026-42238

A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up to 5.0.2. Affected by this issue is some unknown functionality. Such manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used...

5.3CVSS5.2AI score0.00222EPSS
Exploits0References9
OSV
OSV
added 2026/07/08 1:30 p.m.3 views

CVE-2026-15034 flask-dashboard Flask-MonitoringDashboard cross-site request forgery

A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up to 5.0.2. Affected by this issue is some unknown functionality. Such manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used...

5.3CVSS5.5AI score0.00222EPSS
Exploits0References11
NVD
NVD
added 2026/07/08 1:16 a.m.7 views

CVE-2026-55437

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded...

5.4CVSS0.00316EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/08 12:37 a.m.7 views

EUVD-2026-42109

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS5.9AI score0.00136EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 12:29 a.m.10 views

CVE-2026-55437 Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded...

5.4CVSS6AI score0.00316EPSS
Exploits0References8
NVD
NVD
added 2026/07/07 10:16 p.m.9 views

CVE-2026-28378

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS0.00136EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/07 9:8 p.m.4 views

CVE-2026-28378 Cross-Organization Public Dashboard Deletion via Missing Org Isolation

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS5.9AI score0.00136EPSS
Exploits0References1
CVE
CVE
added 2026/07/07 9:8 p.m.57 views

CVE-2026-28378

The CVE-2026-28378 entry describes a vulnerability in Grafana where the public dashboard deletion endpoint does not enforce organization isolation. An Org Admin in one organization can delete public dashboards belonging to another organization by supplying the target dashboard identifiers. Impact...

3.1CVSS5.9AI score0.00136EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/07 9:8 p.m.26 views

CVE-2026-28378 Cross-Organization Public Dashboard Deletion via Missing Org Isolation

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS0.00136EPSS
Exploits0References1
OSV
OSV
added 2026/07/07 9:8 p.m.4 views

CVE-2026-28378 Cross-Organization Public Dashboard Deletion via Missing Org Isolation

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS6.1AI score0.00136EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:50 p.m.5 views

CVE-2026-49471

Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port, with no authentication, no CSRF protection, and no Host header validation. A D...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/07/07 8:50 p.m.22 views

CVE-2026-49471

Serena exposes an unauthenticated Flask API on a fixed port prior to v1.5.2, with no authentication, CSRF protection, or Host header validation. A DNS rebinding attack can reach this API from any browser and write arbitrary content to the agent’s persistent memory store, which the agent may read ...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References3
OSV
OSV
added 2026/07/07 8:50 p.m.6 views

CVE-2026-49471 Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port, with no authentication, no CSRF protection, and no Host header validation. A D...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References5
CVE
CVE
added 2026/07/07 8:37 p.m.12 views

CVE-2026-55647

DataEase (open source data visualization/analysis tool) contains an XSS flaw in dashboard text components. Before version 2.10.24, stored content rendered via Vue v-html without server-side sanitization, enabling an authenticated user who can edit dashboard component data to inject HTML with exec...

5.1CVSS6AI score0.00269EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/07 8:37 p.m.32 views

CVE-2026-55647 DataEase: authenticated stored XSS in the dashboard text components

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, dashboard text components render stored component content with Vue v-html without server-side HTML sanitization, allowing an authenticated user who can edit dashboard component data to inject HTML with executable...

5.1CVSS0.00269EPSS
Exploits0References3
Rows per page
Query Builder