Lucene search
660 matches found

Github Security Blog
added 2026/04/16 9:21 p.m., 9 views

Flowise: Weak Default JWT Secrets

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Severity | Critical |
| Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 |
| Practical Exploitability | High |
| Developer Approver | [email protected] |

Description: JWT secrets have weak...

AI score 5.8
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/04/16 9:21 p.m., 5 views

GHSA-CC4F-HJPJ-G9P8 Flowise: Weak Default JWT Secrets

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Severity | Critical |
| Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 |
| Practical Exploitability | High |
| Developer Approver | [email protected] |

Description: JWT secrets have weak...

CVSS 5.6 · AI score 5.8
Exploits 0 · References 2
GithubExploit
added 2026/04/14 12:45 p.m., 88 views

Windows-privilege-exploits

Elevation ![Windows](https://img.shields.io/badge/platform-Wi...)

AI score 5.8
Exploits 0
Oracle linux
added 2026/04/14 12:00 a.m., 10 views

firefox security update

- 140.9.1-1.0.1: Fix firefox-oracle-default-prefs.js for new nss (Orabug: 37079789)
- 140.9.1: Add debranding patches (Mustafa Gezen); Add OpenELA default preferences (Louis Abel)
- 140.9.1-1: Update to 140.9.1 ESR...

CVSS 9.8 · AI score 6.2 · EPSS 0.01052
Exploits 1
NVD
added 2026/04/08 1:16 a.m., 7 views

CVE-2026-3357

IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting that permits the deserialization of untrusted data in the FAISS component...

CVSS 8.8 · EPSS 0.00466
Exploits 0 · References 1
EUVD
added 2026/04/08 12:05 a.m., 3 views

EUVD-2026-19782

File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands...

CVSS 8.1 · AI score 5.9 · EPSS 0.00383
Exploits 1 · References 3
ATTACKERKB
added 2026/04/07 5:40 p.m., 4 views

CVE-2026-39336

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

CVSS 6.1 · AI score 5.8 · EPSS 0.00207
Exploits 0 · References 2 · Affected Software 1
CNNVD
added 2026/04/07 12:00 a.m., 7 views

ChurchCRM cross-site scripting vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from stored cross-site scripting in directory report forms, personnel editor default addresses, and external...

CVSS 6.1 · AI score 5.7 · EPSS 0.00207
Exploits 0 · References 1
Positive Technologies
added 2026/04/07 12:00 a.m., 7 views

PT-2026-30908

File Browser versions prior to 2.63.1. Description: File Browser is a file managing interface. Prior to version 2.63.1, a fix intended to restrict execute permissions for self-registered users was not applied to the proxy authentication handler. This allowed users automatically created on first...

CVSS 8.8 · AI score 6.1 · EPSS 0.00383
Exploits 1 · References 9
Cvelist
added 2026/04/06 5:26 p.m., 50 views

CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument

defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype...

CVSS 7.5 · EPSS 0.00398
Exploits 0 · References 4
Vulnrichment
added 2026/04/06 5:26 p.m., 1 view

CVE-2026-35209 defu: Prototype pollution via `__proto__` key in defaults argument

defu is software that allows users to assign default properties recursively. Prior to version 6.1.5, applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype...

CVSS 7.5 · AI score 5.9 · EPSS 0.00398
Exploits 0 · References 4
CVE
added 2026/04/06 5:26 p.m., 49 views

CVE-2026-35209

CVE-2026-35209 affects defu, a recursive defaults merger. Before v6.1.5, the vulnerable code path uses `Object.assign({}, defaults)` in `_defu`, which can trigger the `__proto__` setter and set the prototype of the result object, allowing attacker-controlled values to appear in the final result. The vulnerability ar...

CVSS 7.5 · AI score 5.9 · EPSS 0.00398
Exploits 0 · References 4 · Affected Software 1
OSV
added 2026/04/04 6:17 a.m., 3 views

GHSA-737V-MQG7-C878 defu: Prototype pollution via `__proto__` key in defaults argument

Impact: Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the...

CVSS 7.5 · AI score 5.9 · EPSS 0.00398
Exploits 0 · References 6
Github Security Blog
added 2026/04/04 6:17 a.m., 14 views

defu: Prototype pollution via `__proto__` key in defaults argument

Impact: Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to defu are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the...

CVSS 7.5 · AI score 5.9 · EPSS 0.00398
Exploits 0 · References 6 · Affected Software 1
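The defu entries above (CVE-2026-35209 / GHSA-737V-MQG7-C878) describe the pattern: each argument is folded into `{}` with `Object.assign({}, defaults)`, and an own `__proto__` key coming from parsed JSON goes through the inherited setter. The block below is an added example, not defu's code: a simplified recursive defaults merge that reproduces that pattern, a JSON body that exploits it past a denylist sanitizer, and a hardened merge that copies own keys only. The settings endpoint, the `isAdmin` flag and the payload are constructed.

```javascript
// Added example, not defu's own code: a simplified "apply defaults" merge that
// reproduces the vulnerable pattern, a payload against it, and a hardened merge.
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern. Object.assign copies an own "__proto__" key through the
// inherited Object.prototype.__proto__ setter, so the fresh object's prototype
// becomes the attacker's object. The later for...in pass then copies inherited
// enumerable keys into the final result as own properties.
function applyVulnerable(base, defaults) {
  const object = Object.assign({}, defaults);      // `defaults` is never filtered
  for (const key in base) {
    if (UNSAFE_KEYS.has(key)) continue;            // the filter is applied to `base` only
    const value = base[key];
    if (value === null || value === undefined) continue;
    object[key] = isPlainObject(value) && isPlainObject(object[key])
      ? applyVulnerable(value, object[key])
      : value;
  }
  return object;
}
// Like the advisory's description: reduce over the arguments starting from {},
// so the caller's first argument becomes `defaults` in the first step.
const mergeVulnerable = (...args) => args.reduce((acc, cur) => applyVulnerable(acc, cur), {});

// Hardened: own keys only on both sides, never assigning through "__proto__".
function applySafe(base, defaults) {
  const object = {};
  for (const key of Object.keys(defaults)) {
    if (!UNSAFE_KEYS.has(key)) object[key] = defaults[key];
  }
  for (const key of Object.keys(base)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = base[key];
    if (value === null || value === undefined) continue;
    object[key] = isPlainObject(value) && isPlainObject(object[key])
      ? applySafe(value, object[key])
      : value;
  }
  return object;
}
const mergeSafe = (...args) => args.reduce((acc, cur) => applySafe(acc, cur), {});

// Constructed scenario: a settings endpoint strips the privileged key from the
// request body with a denylist, then layers the body over hard-coded defaults.
const APP_DEFAULTS = { theme: "light", isAdmin: false };
function handleSettings(rawBody, merge) {
  const body = JSON.parse(rawBody);   // JSON.parse makes "__proto__" an own data property
  delete body.isAdmin;                // naive sanitizer: only looks at own keys
  return merge(body, APP_DEFAULTS);
}
const PAYLOAD = '{"theme":"dark","__proto__":{"isAdmin":true}}'; // constructed attacker body

function demo() {
  const vuln = handleSettings(PAYLOAD, mergeVulnerable);
  const safe = handleSettings(PAYLOAD, mergeSafe);
  const single = mergeVulnerable(JSON.parse(PAYLOAD)); // one argument: prototype is the attacker's
  return {
    vulnIsAdmin: vuln.isAdmin,                                                    // true
    safeIsAdmin: safe.isAdmin,                                                    // false
    vulnProtoHijacked: Object.getPrototypeOf(single) !== Object.prototype,        // true
    safeProtoIntact: Object.getPrototypeOf(mergeSafe(JSON.parse(PAYLOAD))) === Object.prototype,
    globalPolluted: ({}).isAdmin !== undefined,                                   // false
  };
}
```

Note what is and is not polluted: the global `Object.prototype` stays clean (the `globalPolluted` check), but the result's prototype chain is attacker-controlled, and that is enough to reintroduce a key the sanitizer stripped. The hardened merge copies with `Object.keys` on both sides and skips `__proto__`, `constructor` and `prototype` everywhere, not only on the base object.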
OSV
added 2026/04/03 4:16 p.m., 8 views

UBUNTU-CVE-2026-31393

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access. l2cap_information_rsp() checks that cmd_len covers the fixed `l2cap_info_rsp` header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is...

CVSS 8.1 · AI score 5.7 · EPSS 0.00255
Exploits 0 · References 9
UbuntuCve
added 2026/04/03 4:16 p.m., 6 views

CVE-2026-31393

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access. l2cap_information_rsp() checks that cmd_len covers the fixed `l2cap_info_rsp` header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is...

CVSS 8.1 · AI score 5.7 · EPSS 0.00255
Exploits 0 · References 8
ATTACKERKB
added 2026/04/03 3:15 p.m., 1 view

CVE-2026-31393

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access. l2cap_information_rsp() checks that cmd_len covers the fixed `l2cap_info_rsp` header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is...

AI score 5.7 · EPSS 0.00255
Exploits 0 · References 9 · Affected Software 1
Positive Technologies
added 2026/04/03 12:00 a.m., 5 views

PT-2026-30176

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The Linux kernel contains a flaw within the Bluetooth L2CAP implementation. Specifically, the l2cap_information_rsp() function does not adequately validate the length of the L2CAP_INFO_RSP...

CVSS 8.1 · AI score 5.3 · EPSS 0.00255
Exploits 0
CVE
added 2026/04/02 6:59 p.m., 13 views

CVE-2026-34760

Summary: CVE-2026-34760 concerns vLLM's audio processing path via Librosa. From version 0.5.5 up to before 0.18.0, vLLM's Librosa-based mono downmix (`to_mono`) used `numpy.mean`, while ITU-R BS.775-4 specifies a weighted downmix. This mismatch creates inconsistency between audio perceived by humans and audio...

CVSS 7.1 · AI score 5.8 · EPSS 0.00267
Exploits 0 · References 4 · Affected Software 1
Github Security Blog
added 2026/04/01 9:12 p.m., 9 views

openssl-encrypt has CORS wildcard with allow_credentials=True in standalone servers

Summary: Both standalone servers configure CORS with `allow_origins="*"`, `allow_credentials=True`, `allow_methods="*"`, and `allow_headers="*"`.

Affected Code (Python):
- server/key-server/app/main.py:86-92
- server/telemetry-server/app/main.py:23-29

`app.add_middleware(CORSMiddleware, allow_origins=settings.cors_origins, ...`

AI score 5.9
Exploits 0 · References 3 · Affected Software 1
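The openssl-encrypt entry above reports a wildcard origin combined with `allow_credentials=True`. The block below is an added example, not the project's code, modelling both halves of the resulting CORS exchange: the server's response headers under the reported configuration and under an explicit allowlist, and the browser's check for credentialed responses as the Fetch standard specifies it. The origins, the cookie value, the `/keys` path and the allowlist entry are constructed.

```javascript
// Added example, not openssl-encrypt's own code: why "*" plus credentials means
// "any origin may read responses carrying the victim's cookies".

// Server side. Browsers reject a literal "*" in Access-Control-Allow-Origin when
// credentials are involved, so middlewares told "* with credentials" commonly
// reflect the request's Origin header instead. That reflection is what turns the
// wildcard into trusting every origin on the web.
function corsHeaders(config, req) {
  const origin = req.headers.origin;
  const headers = {};
  if (!origin) return headers; // no Origin header: same-origin or non-browser client
  const allowAll = config.allowOrigins.includes("*");
  if (!allowAll && !config.allowOrigins.includes(origin)) return headers; // not allowed: no ACAO
  if (config.allowCredentials) {
    headers["Access-Control-Allow-Origin"] = origin;  // must be exact, so it is reflected
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";                        // response differs per origin
  } else {
    headers["Access-Control-Allow-Origin"] = allowAll ? "*" : origin;
  }
  return headers;
}

// Browser side: the CORS check run before a credentialed response
// (fetch with credentials: "include") is exposed to the calling script.
function browserAllowsCredentialedRead(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined || acao === "*") return false; // "*" is never valid with credentials
  if (acao !== requestOrigin) return false;             // must match the requesting origin exactly
  return acac === "true";                                // credentials must be explicitly allowed
}

// The reported setting versus an allowlist naming the one front end that needs the API.
const VULNERABLE = { allowOrigins: ["*"], allowCredentials: true };
const HARDENED = { allowOrigins: ["https://app.example"], allowCredentials: true }; // assumed allowlist

// Simulated cross-site request issued by a page at `pageOrigin` that the victim
// opened; the browser attaches the victim's key-server session cookie.
function crossSiteRead(config, pageOrigin) {
  const req = { method: "GET", path: "/keys", headers: { origin: pageOrigin, cookie: "session=victim" } };
  return browserAllowsCredentialedRead(pageOrigin, corsHeaders(config, req));
}

function demo() {
  return {
    attackerReadsVulnerable: crossSiteRead(VULNERABLE, "https://attacker.example"), // true
    attackerReadsHardened: crossSiteRead(HARDENED, "https://attacker.example"),     // false
    appReadsHardened: crossSiteRead(HARDENED, "https://app.example"),               // true
  };
}
```

The fix is the allowlist, not dropping credentials: with `allowCredentials: false` and `"*"` the browser still lets any origin read the response, which is only acceptable for data that is genuinely public.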