Lucene search
K

17379 matches found

NVD
NVD
added 2026/06/30 9:16 p.m.7 views

CVE-2026-13207

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...

8.7CVSS0.00352EPSS
Exploits0References3
CVE
CVE
added 2026/06/30 9:6 p.m.12 views

CVE-2026-58448

CVE-2026-58448 affects yudao-cloud (BPM module) prior to 2026.06. A broken access control flaw allows any authenticated user to read arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected GET endpoint that lacks the @PreAuthorize annotati...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/30 8:24 p.m.32 views

CVE-2026-13207 Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...

8.7CVSS0.00352EPSS
Exploits0References3
CVE
CVE
added 2026/06/30 7:53 p.m.12 views

CVE-2026-10560

CVE-2026-10560 affects IBM Langflow OSS 1.0.0–1.9.6. The issue is a missing authentication vulnerability in the /api/v1/build_public_tmp/ endpoints, allowing an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier. This leads to information disclosure (sen...

9.1CVSS5.8AI score0.00272EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/30 7:53 p.m.31 views

CVE-2026-10560 Unauthenticated Access to Private Flow Build Events and Cancellation in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/buildpublictmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service...

8.2CVSS0.00272EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.5 views

PT-2026-54067

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description A side-channel information leakage issue exists in the Scroll component. This flaw allows a remote attacker to leak cross-origin data, which is data belonging to a different origin than...

9.6CVSS6AI score0.00413EPSS
Exploits0References440
RedHat Linux
RedHat Linux
added 2026/06/29 10:57 p.m.6 views

mariadb: MariaDB server: SQL injection vulnerability via improper handling of big5 character set with mysql_real_escape_string()

A flaw was found in MariaDB server. An application processing non-validated user input, which then uses mysqlrealescapestring and sends data to the database via text protocol with the big5 character set, is vulnerable to SQL injection. This allows a remote attacker to execute malicious SQL...

9.8CVSS5.9AI score0.00419EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/29 5:21 p.m.7 views

EUVD-2026-40169

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints c2profileconfigcheckwebhook, c2profileredirectruleswebhook, c2profilegetiocwebhook, c2profilesamplemessagewebhook that fail to verify payload ownership. An operator in one operation can invoke these...

6CVSS5.8AI score0.00171EPSS
Exploits0References4
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-422 MLFlow Path Traversal Vulnerability

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information...

9.8CVSS7.5AI score0.02013EPSS
Exploits1References6
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-290 BackendAI Missing Authentication for Critical Function

Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled...

9.8CVSS5.9AI score0.00375EPSS
Exploits0References9
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-394 llama_index vulnerable to SQL Injection

Multiple vector store integrations in run-llama/llamaindex version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index...

9.8CVSS7.4AI score0.00581EPSS
Exploits1References6
NVD
NVD
added 2026/06/25 8:17 p.m.5 views

CVE-2026-37149

GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN v1.0 was discovered to contain a SQL injection vulnerability in the scost parameter in /grocery/searchproducts.php. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement...

7.7CVSS0.00215EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/25 12:0 a.m.16 views

GitLab 18.6 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-3176)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticate...

3.1CVSS5.9AI score0.00182EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 7:24 p.m.16 views

CVE-2026-27708 FOSSBilling: IDOR in Servicecustom Client API allows cross-client data access

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's call method accepts an orderid parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data...

7.1CVSS0.00265EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.10 views

Astra Linux – Vulnerability in glib2.0

A flaw was discovered in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability enables a local attacker to...

3.7CVSS5.8AI score0.0037EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.7 views

CVE-2026-56257

Capgo before 12.128.2 allows direct patching of public.apps.ownerorg through PostgREST, bypassing the transferapp workflow and creating split-brain ownership. Attackers can directly update apps.ownerorg while leaving appversions.ownerorg unchanged, enabling old-org keys to retain access to versio...

7.1CVSS5.9AI score0.00182EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 11:53 a.m.9 views

CVE-2026-56257

Capgo (CVE-2026-56257) before 12.128.2 allows an authorization bypass via PostgREST that patches public.apps.owner_org directly, bypassing the transfer_app() workflow and causing split-brain ownership. An attacker can update apps.owner_org while leaving app_versions.owner_org unchanged, allowing ...

7.1CVSS5.9AI score0.00182EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.5 views

CVE-2026-56223

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3CVSS6AI score0.00244EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 11:53 a.m.7 views

EUVD-2026-38737

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3CVSS6AI score0.00244EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.33 views

CVE-2025-71332 Flowise - SQL Injection in importChatflows API via chatflow.id Parameter

Flowise through 2.2.7 contains a SQL injection vulnerability in the importChatflows API. Due to insufficient validation of the chatflow.id value, an authenticated user can supply a crafted JSON import file whose id field is concatenated unsanitized into a SQL IN clause, allowing arbitrary SQL to ...

8.5CVSS0.00283EPSS
Exploits1References2
Rows per page
Query Builder