CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added last week•10 views

OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Impact In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...

5.8AI score

Exploits0References5Affected Software1

OSV•added last week•6 views

GHSA-7J6W-VVW2-5F9C OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

5.3CVSS5.8AI score

Exploits0References5

NVD•added 2026/05/27 2:16 p.m.•5 views

CVE-2024-40684

IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require that users should have strong passwords by default, which makes it easi...

5.9CVSS0.00037EPSS

OSV•added 2026/05/08 12:31 a.m.•2 views

GHSA-MM7J-MHHJ-HJ36 OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints

OpenStack Cyborg before 16.0.1 uses rule:allow checkstr='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complet...

Github Security Blog•added 2026/05/08 12:31 a.m.•3 views

Exploits0References5

OpenStack Cyborg uses rule:allow (check_str='@') as the default policy for multiple API endpoints

Exploits0References5Affected Software1

NVD•added 2026/05/07 10:16 p.m.•7 views

CVE-2026-40213

7.4CVSS0.00038EPSS

UbuntuCve•added 2026/05/07 10:16 p.m.•1 views

CVE-2026-40213

7.4CVSS5.8AI score0.00038EPSS

Cvelist•added 2026/05/07 12:0 a.m.•21 views

CVE-2026-40213

7.4CVSS0.00038EPSS

CVE•added 2026/05/07 12:0 a.m.•6 views

CVE-2026-40213

OpenStack Cyborg before 16.0.1 is affected by CVE-2026-40213. The issue arises from a default policy rule (rule:allow with check_str='@') applied to multiple API endpoints, which unconditionally authorizes any request bearing a valid Keystone token regardless of user roles, project membership, or...

Positive Technologies•added 2026/05/07 12:0 a.m.•5 views

PT-2026-38596

OpenStack Cyborg before 16.0.1 uses rule:allow check str='@' as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can comple...

Vulnrichment•added 2026/05/07 12:0 a.m.•4 views

Exploits0References5

CVE-2026-40213

Snyk•added 2026/04/14 8:5 p.m.•1 views

Modification of Assumed-Immutable Data (MAID)

Overview justhtml is an A pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data MAID through the sanitize, sanitizedom, and JustHTML..., sanitize=True paths in src/justhtml/sanitize.py. An attacker can bypass intended...

6.1CVSS5.7AI score

CNVD•added 2026/04/08 12:0 a.m.•2 views

Apache ActiveMQ Broker Jolokia MBeans Remote Code Execution Vulnerability

Apache ActiveMQ Broker is an open source message broker and integration pattern server . A security vulnerability exists in Apache ActiveMQ Broker. The vulnerability stems from the Jolokia JMX-HTTP bridge default policy that allows exec operations on MBeans, which can be exploited by an attacker ...

8.8CVSS7.8AI score0.83461EPSS

Exploits11

RedhatCVE•added 2026/01/09 9:29 a.m.•1 views

CVE-2023-29196

Discourse is an open source platform for community discussion. This vulnerability is not exploitable on the default install of Discourse. A custom feature must be enabled for it to work at all, and the attacker’s payload must pass the CSP to be executed. However, if an attacker succeeds in...

6.1CVSS6.7AI score0.00292EPSS

CNVD•added 2025/10/21 12:0 a.m.•2 views

IBM Transformation Extender Advanced Weak Password Vulnerability

IBM Transformation Extender Advanced A data transformation, validation and standardization tool software from International Business Machines Corporation. IBM Transformation Extender Advanced suffers from a weak password vulnerability that stems from not requiring users to use strong passwords by...

7.5CVSS6.9AI score0.00029EPSS

Cvelist•added 2025/10/12 8:18 a.m.•3 views

CVE-2025-52615 HCL Unica Platform is impacted by misconfigured security related HTTP headers

HCL Unica Platform is impacted by misconfigured security related HTTP headers. This can lead to less secure browser default treatment for the policies controlled by these headers...

3.5CVSS0.00029EPSS

RedHat Linux•added 2025/07/07 6:20 p.m.•1 views

sudo: LPE via host option

A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option -h or --host. When using the default sudo security policy plugin sudoers, the host option is intended to be used in conjunction with t...

8.8CVSS7.2AI score0.30014EPSS

Exploits12References6

OpenVAS•added 2025/05/07 12:0 a.m.•4 views

Ensure That the Security Level of the Global Encryption Policy Is Not Lower than DEFAULT

The global encryption/decryption policy of the system is used to specify the algorithms supported by the encryption and decryption components. You can change the preset security policy level by modifying the /etc/crypto-policies/config configuration file to change the algorithm set that can be us...

6.8AI score