Lucene search
+L

1868 matches found

euvd
euvd
added yesterday5 views

EUVD-2026-45005

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc to save a copy of the sent message could deliver vacation auto-reply copies into any mailbox the script could name,...

5.4CVSS6.1AI score
Exploits0References3
cve
cve
added yesterday14 views

CVE-2026-45576

Summary: CVE-2026-45576 affects the zrok tool. From versions 0.4.23 through 2.0.3, the zrok2 copy command stores attacker-controlled WebDAV or zrok drive paths (e.g., /../outside.txt) in the source inventory and passes them to FilesystemTarget.WriteStream, enabling writing files outside the selec...

8.3CVSS6.1AI score0.00061EPSS
Exploits0References3
euvd
euvd
added 2 days ago5 views

EUVD-2025-210471

A use of uninitialized value vulnerability exists in the Matter SDK connectedhomeip before 1.4.0, where the GetDestinationGroupId.Value method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID...

7.5CVSS6AI score0.00346EPSS
Exploits0References4
nvd
nvd
added 3 days ago7 views

CVE-2025-56364

A use of uninitialized value vulnerability exists in the Matter SDK connectedhomeip before 1.4.0, where the GetDestinationGroupId.Value method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID...

7.5CVSS0.00346EPSS
Exploits0References3
osv
osv
added 3 days ago4 views

DEBIAN-CVE-2026-59732

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as...

5CVSS6.1AI score0.00144EPSS
Exploits1References1
nvd
nvd
added 3 days ago9 views

CVE-2026-59732

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, rclone archive extract can write extracted files outside the user-selected destination prefix when extracting a crafted archive containing parent path components such as...

5CVSS0.00144EPSS
Exploits1References4
nvd
nvd
added 3 days ago9 views

CVE-2026-54572

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...

8.8CVSS0.00343EPSS
Exploits1References4
cvelist
cvelist
added 3 days ago35 views

CVE-2026-54572 rclone: Unvalidated symlink target in local `--links` — arbitrary file write from an untrusted remote

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Prior to 1.74.4, with -l/--links, rclone serializes symlinks as .rclonelink text objects and recreates them on a local destination without validating the target, allowing an...

7.5CVSS0.00343EPSS
Exploits1References4
nvd
nvd
added 3 days ago6 views

CVE-2026-58478

Sustainable Irrigation Platform SIP through version 5.2.16 contains a server-side request forgery SSRF vulnerability that allows unauthenticated attackers to make the device issue arbitrary HTTP requests by supplying a malicious callback URL when the optional Node-RED plugin is installed. Attacke...

6.5CVSS0.00261EPSS
Exploits2References2
ptsecurity
ptsecurity
added 3 days ago7 views

PT-2026-58848

Name of the Vulnerable Software and Affected Versions Matter SDK connectedhomeip versions prior to 1.4.0 Description A use of uninitialized value occurs when the GetDestinationGroupId.Value method is called without verifying if a value exists. This happens when an InvokeCommand is sent without...

6.1AI score0.00346EPSS
Exploits0References5
cve
cve
added 3 days ago6 views

CVE-2025-56364

The CVE-2025-56364 entry relates to the Matter SDK (connectedhomeip) before 1.4.0, where GetDestinationGroupId().Value() can be accessed without verifying existence, causing a crash (SIGABRT) and denial of service. Root cause: use of an uninitialized value; the affected component is the Matter SD...

7.5CVSS6AI score0.00346EPSS
Exploits0References3Affected Software1
nvd
nvd
added 4 days ago10 views

CVE-2026-49970

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...

8.8CVSS0.00771EPSS
Exploits0References3
cve
cve
added 4 days ago12 views

CVE-2026-49970

Vulnerability summary: Laravel-Mediable before 7.0.0 contains a path traversal flaw in File::sanitizePath() that lets attackers write uploaded files to arbitrary locations via MediaUploader::toDestination(), due to a permissive regex allowing dot/slash and a weak trailing trim. This can enable re...

8.8CVSS6.3AI score0.00771EPSS
Exploits0References3
snyk
snyk
added 2026/07/08 10:38 p.m.5 views

Incorrect Authorization

Overview github.com/nats-io/nats-server/v2/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient enforcement of destination permission checks for...

6.5CVSS6.1AI score0.00308EPSS
Exploits0References2
nvd
nvd
added 2026/07/08 10:17 p.m.11 views

CVE-2026-44161

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd outhttp output plugin allows placeholders such as $tag in the endpoint configuration parameter, and if a placeholder value is derived from untrusted...

7.2CVSS0.00442EPSS
Exploits0References4
cve
cve
added 2026/07/08 9:25 p.m.52 views

CVE-2026-44161

Fluentd’s out_http plugin (pre-1.19.3) allows placeholders such as ${tag} in the endpoint configuration. If a placeholder comes from untrusted input, an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services (SSRF). Affected versi...

7.2CVSS7.3AI score0.00442EPSS
Exploits0References4Affected Software1
osv
osv
added 2026/07/08 9:25 p.m.3 views

CVE-2026-44161 Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd outhttp output plugin allows placeholders such as $tag in the endpoint configuration parameter, and if a placeholder value is derived from untrusted...

7.2CVSS7.1AI score0.00442EPSS
Exploits0References6
cvelist
cvelist
added 2026/07/08 7:56 p.m.38 views

CVE-2026-58254 NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode...

5.3CVSS0.00308EPSS
Exploits0References4
osv
osv
added 2026/07/08 7:56 p.m.3 views

CVE-2026-58254 NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode...

5.3CVSS6.1AI score0.00308EPSS
Exploits0References6
euvd
euvd
added 2026/07/08 1:49 p.m.5 views

EUVD-2026-42254

Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...

5.4CVSS6AI score0.00143EPSS
Exploits0References2
Rows per page
Query Builder