Lucene search
K

218 matches found

EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43138

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generatedocumentshortcode due to missing validation on a user controlled key. This makes it possible for authenticated...

4.3CVSS6.1AI score0.00223EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/06 7:23 p.m.6 views

EUVD-2026-41905

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...

6AI score0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 7:23 p.m.37 views

CVE-2026-14536

Improper enforcement of a mandatory multi-factor authentication policy in Devolutions Server 2026.2.9.0 allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing multi-factor authentication. The problem occurs when DVLS encounters an...

0.00231EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 7:23 p.m.14 views

CVE-2026-14536

CVE-2026-14536 affects Devolutions Server 2026.2.9.0. The issue is improper enforcement of a mandatory multi-factor authentication policy, allowing an attacker with valid credentials to bypass MFA and authenticate without completing MFA due to an invalid default MFA value. The available sources d...

8.8CVSS6AI score0.00231EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.5 views

PT-2026-55970

Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.9.0 Description Improper enforcement of a mandatory multi-factor authentication policy allows an attacker with valid user credentials to bypass the MFA Required policy and authenticate without completing...

8.8CVSS6.1AI score0.00231EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/06/22 1:18 p.m.4 views

CVE-2026-9029

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard stored cross-site scripting...

7.3CVSS6AI score0.0025EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 1:18 p.m.77 views

CVE-2026-9029

CVE-2026-9029 affects Grafana’s Geomap panel (XYZ tile layer) where sanitizeTextPanelContent() runs on the raw template string before variable substitution via getTemplateSrv().replace(), allowing an Editor to inject an XSS payload into a textbox variable default value that executes for all dashb...

7.3CVSS6AI score0.0025EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/22 1:18 p.m.6 views

CVE-2026-9029

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard stored cross-site scripting...

7.3CVSS6AI score0.0025EPSS
Exploits0
OSV
OSV
added 2026/06/22 1:18 p.m.3 views

CVE-2026-9029 Stored XSS in the Geomap panel tile-layer attribution

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard stored cross-site scripting...

7.3CVSS6AI score0.0025EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 1:19 p.m.13 views

CVE-2026-0082

In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

10CVSS0.00165EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/06/13 2:17 a.m.8 views

SUSE CVE-2026-44293

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...

8.8CVSS5.3AI score0.00392EPSS
Exploits0References3
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: Wifi: rtw89 – fixed the potential zero beacon interval in beacon tracking. During fuzz testing, it was discovered that bssconf-beaconint might be zero, which could lead to a division by zero error in subsequent calculations. If t...

5.5CVSS5.7AI score0.00117EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/18 5:23 p.m.10 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the submission handling process for Hidden fields with the Default value set to Custom. An attacker can execute arbitrary server-side code by submitting crafted...

9.8CVSS6.1AI score0.00475EPSS
Exploits0References4
NVD
NVD
added 2026/05/13 4:16 p.m.27 views

CVE-2026-44293

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...

8.8CVSS0.00392EPSS
Exploits0References12
CVE
CVE
added 2026/05/13 2:43 p.m.35 views

CVE-2026-44293

CVE-2026-44293 affects protobufjs: prior to versions 7.5.6 and 8.0.2, generated JavaScript for toObject conversion could emit attacker-controlled code from a schema-controlled bytes field default value. A crafted descriptor with a non-string default for a bytes field may cause arbitrary JavaScrip...

8.8CVSS5.9AI score0.00392EPSS
Exploits0References12Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/13 2:43 p.m.8 views

CVE-2026-44293 protobufjs: Code injection through bytes field defaults in generated toObject code

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default...

7.7CVSS5.9AI score0.00392EPSS
Exploits0References1
OSV
OSV
added 2026/05/12 3:6 p.m.70 views

GHSA-66FF-XGX4-VCHM protobuf.js: Code injection through bytes field defaults in generated toObject code

Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...

7.7CVSS6.1AI score0.00392EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/12 3:6 p.m.12 views

Arbitrary Code Injection

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a...

8.8CVSS6.2AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:6 p.m.10 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the toObject function when handling a schema-controlled bytes field default value. An attacker can execute arbitrary JavaScript code by providing a crafted descriptor with a malicious default value for a byte...

8.8CVSS6.1AI score0.00392EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/12 3:6 p.m.18 views

protobuf.js: Code injection through bytes field defaults in generated toObject code

Summary protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generat...

8.8CVSS6.1AI score0.00392EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder