CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/06/10 1:55 p.m.•5 views

CVE-2026-53469 Migration-planner: unprotected delete endpoint wipes all tenant data

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

Cvelist•added 2026/06/10 1:55 p.m.•34 views

CVE-2026-53469 Migration-planner: unprotected delete endpoint wipes all tenant data

9.1CVSS0.00288EPSS

EUVD•added 2026/06/10 1:55 p.m.•7 views

EUVD-2026-36028

CVE•added 2026/06/10 1:55 p.m.•10 views

CVE-2026-53469

Migration-planner is affected. An authenticated user can issue a DELETE to /api/v1/sources that is not properly authorized/filtered, permitting destruction of all tenant data (sources, agents, assessments) and causing critical loss of availability and integrity across the SaaS platform. Affected ...

Exploits0References3Affected Software1

RedhatCVE•added 2026/06/10 1:55 p.m.•6 views

CVE-2026-53473

7.3CVSS5.3AI score0.00187EPSS

RedhatCVE•added 2026/06/10 1:55 p.m.•9 views

CVE-2026-53471

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS5.5AI score0.0028EPSS

RedhatCVE•added 2026/06/10 1:55 p.m.•6 views

CVE-2026-53469

Github Security Blog•added 2026/06/10 1:39 p.m.•9 views

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

Private services EnableShowInService: false are enumerable via per-server endpoints, leaking name and timing data CWE: CWE-285 Improper Authorization via CWE-200 Exposure of Sensitive Information to an Unauthorized Actor and CWE-863 Incorrect Authorization — inconsistent gating across data-reader...

5.3CVSS5.7AI score0.0034EPSS

Exploits0References2Affected Software1

OSV•added 2026/06/10 1:39 p.m.•3 views

GHSA-VRMH-5MMX-HJWX Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

5.3CVSS5.7AI score0.0034EPSS

Exploits0References2

RedhatCVE•added 2026/06/10 1:26 p.m.•5 views

CVE-2026-45446

A flaw was found in OpenSSL. The implementations of AES-SIV Advanced Encryption Standard - SIV and AES-GCM-SIV Advanced Encryption Standard - Galois/Counter Mode - SIV incorrectly process authentication tags for empty messages. This vulnerability allows a remote attacker to forge empty messages...

4.8CVSS5.4AI score0.0021EPSS

EUVD•added 2026/06/10 12:40 p.m.•8 views

EUVD-2026-36013

Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate that allows any user with a valid CA-signed certificate to impersonate other users by presenting their public certificate with a null signature. Attackers can escalate privileges, modify...

8.8CVSS5.5AI score0.00252EPSS

RedHat Linux•added 2026/06/10 12:9 p.m.•5 views

netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion

A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses 103, followed by a 200 with a GET body, then another 200 for a HEAD request when the client pipelines GET the...

9.1CVSS6.8AI score0.00319EPSS

Exploits1References5

RedHat Linux•added 2026/06/10 12:5 p.m.•6 views

netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion

9.1CVSS6.8AI score0.00319EPSS

Exploits1References5

RustSec•added 2026/06/10 12:0 p.m.•8 views

`onering` 1.4.1 was removed from crates.io for malicious code

A new version of the onering crate was published with code that attempted to exfiltrate both metadata and code from the project it was included within. One malicious version was published on 2026-06-10, approximately six hours before removal. This crate has no dependencies on crates.io, and there...

5.6AI score

Exploits0Affected Software1

RedHat Linux•added 2026/06/10 11:41 a.m.•4 views

mysql: DML unspecified vulnerability (CPU Apr 2026)

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DML. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access v...

4.9CVSS7AI score0.00242EPSS

Exploits0References6

NVD•added 2026/06/10 10:16 a.m.•14 views

CVE-2026-3018

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS0.01382EPSS