CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNNVD•added 2026/05/28 12:0 a.m.•5 views

Oracle REST Data Services 安全漏洞

Oracle REST Data Services is a middleware tool provided by Oracle Corporation in the United States, which exposes features of the Oracle database to applications through RESTful APIs. Versions 24.2.0 to 26.1.0 of Oracle REST Data Services have security vulnerabilities. These vulnerabilities stem...

7.5CVSS5.8AI score0.00047EPSS

Positive Technologies•added 2026/05/28 12:0 a.m.•4 views

PT-2026-44199

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process bulk action function, the...

8.1CVSS6AI score0.00039EPSS

Exploits0References11

Github Security Blog•added 2026/05/27 10:49 p.m.•16 views

Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython via the JSR-223 ScriptEngine API without enforcing a secure sandbox. An authenticat...

6.2AI score

Exploits0References2Affected Software1

OSV•added 2026/05/27 10:49 p.m.•3 views

GHSA-2G95-6X5Q-XJWJ Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

9.1CVSS6.2AI score

OSV•added 2026/05/27 10:45 p.m.•5 views

GHSA-VMWP-VH32-RJ75 Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

Remote Code Execution via Mission Database algorithm override Summary The Nashorn ScriptEngine used to evaluate user-supplied algorithm text in MdbOverrideApi.updateAlgorithm is constructed without a ClassFilter, allowing a user with the ChangeMissionDatabase privilege to execute arbitrary Java...

9.8CVSS6.5AI score

Github Security Blog•added 2026/05/27 10:45 p.m.•11 views

Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

6.5AI score

Exploits0References2Affected Software1

RedhatCVE•added 2026/05/27 8:14 p.m.•6 views

CVE-2026-9342

A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/viewhistory.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has be...

6.5CVSS6.5AI score0.00031EPSS

OSV•added 2026/05/27 7:38 p.m.•5 views

GHSA-MXFR-6HCW-J9RQ Langroid has Prompt to SQL Injection, Leading to RCE

Security Vulnerability Report: Prompt to SQL Injection leading to RCE in latest Langroid Affected Scope langroid @localhost:5432/postgres" Create SQL Chat Agent config = SQLChatAgentConfig databaseuri=DATABASEURI, llm=OpenAIGPTConfig apibase=os.getenv"bas...

9.8CVSS6.6AI score0.00079EPSS

Cvelist•added 2026/05/27 7:16 p.m.•39 views

CVE-2026-44886 Pi.Alert: Web Interface Vulnerable to Unauthenticated Blind SQL Injection

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to...

8.7CVSS0.00085EPSS

Vulnrichment•added 2026/05/27 7:16 p.m.•4 views

CVE-2026-44886 Pi.Alert: Web Interface Vulnerable to Unauthenticated Blind SQL Injection

8.7CVSS5.9AI score0.00085EPSS

NVD•added 2026/05/27 7:16 p.m.•8 views

CVE-2026-45046

Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive...

5.5CVSS0.00014EPSS

NVD•added 2026/05/27 7:16 p.m.•11 views

CVE-2026-44635

Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled input flows into eb.refcol, '-$'.keyinput or .atinput — including type-safe code where the JSON column ...

7.5CVSS0.00055EPSS

Vulnrichment•added 2026/05/27 6:28 p.m.•7 views

CVE-2026-42878 FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts

FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PH...

5.3CVSS5.8AI score0.00049EPSS

EUVD•added 2026/05/27 6:24 p.m.•8 views

EUVD-2026-32624

Vulnrichment•added 2026/05/27 6:24 p.m.•5 views

CVE-2026-45046 Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content

Cvelist•added 2026/05/27 6:24 p.m.•35 views

CVE-2026-45046 Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content

5.5CVSS0.00014EPSS

ATTACKERKB•added 2026/05/27 6:24 p.m.•5 views

CVE-2026-45046

Exploits0References2Affected Software1

CVE•added 2026/05/27 6:24 p.m.•8 views

CVE-2026-45046

Gryph Agents vulnerability CVE-2026-45046 affects Gryph’s local logging layer prior to version 0.7.0. The project’s security notes and CVE records indicate that the default standard logging level could include sensitive file content (ContentPreview, OldString, NewString) in payloads stored to a l...