Lucene search
+L

382 matches found

Nuclei
Nuclei
added yesterday21 views

Langflow - Broken Access Control

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories...

9.3CVSS8.3AI score0.20655EPSS
Exploits1References2
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...

9.3CVSS0.00305EPSS
Exploits0References6
NVD
NVD
added 3 days ago6 views

CVE-2026-60085

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blockedcommands, blockedpaths, blockedimports, allowsubprocess, and allowfilewrite restrictions are completely ignored. Attackers can execute arbitrary subprocess commands,...

8.7CVSS0.00241EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-44636

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blockedcommands, blockedpaths, blockedimports, allowsubprocess, and allowfilewrite restrictions are completely ignored. Attackers can execute arbitrary subprocess commands,...

8.7CVSS6.3AI score0.00241EPSS
Exploits0References2
OSV
OSV
added 3 days ago4 views

CVE-2026-60085 PraisonAI before 4.6.78 Unenforced Security Policy in Subprocess Sandbox

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blockedcommands, blockedpaths, blockedimports, allowsubprocess, and allowfilewrite restrictions are completely ignored. Attackers can execute arbitrary subprocess commands,...

8.7CVSS6.3AI score0.00241EPSS
Exploits0References4
NVD
NVD
added 2026/07/08 2:17 p.m.6 views

CVE-2026-56246

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...

8.1CVSS0.00223EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/08 1:48 p.m.32 views

CVE-2026-56246 Capgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...

8.1CVSS0.00223EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/08 1:48 p.m.5 views

EUVD-2026-42249

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...

8.1CVSS6AI score0.00223EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 1:48 p.m.14 views

CVE-2026-56246

Capgo prior to 12.128.2 contains a broken access control in the organization management API. A scoped API key (limited_to_orgs) inherits its owner-user’s permissions, enabling cross‑organization destructive actions (e.g., DELETE /organization, DELETE /organization/members) when an admin belongs t...

8.1CVSS6AI score0.00223EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 1:48 p.m.3 views

CVE-2026-56246 Capgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...

7.2CVSS6.1AI score0.00223EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/08 6:55 a.m.6 views

CVE-2026-46592

A flaw was found in the Apache Camel CXF SOAP component. A remote attacker can exploit this vulnerability by manipulating the operationName header in an unauthenticated HTTP request. This improper input validation allows the attacker to force the CxfProducer to invoke unintended SOAP operations o...

7.5CVSS6AI score0.00396EPSS
Exploits1References4
NVD
NVD
added 2026/07/08 1:16 a.m.7 views

CVE-2026-55433

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS0.00394EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/08 12:22 a.m.9 views

EUVD-2026-42148

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS6AI score0.00394EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/07/06 9:9 p.m.6 views

Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Summary The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Note: Exploitation requires an existing low-privilege role with...

5.4CVSS6AI score0.00394EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.10 views

PT-2026-56077

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.29.17 Coder versions prior to 2.32.7 Coder versions prior to 2.33.8 Coder versions prior to 2.34.2 Description An authorization bypass exists in the devcontainer recreate endpoint. The endpoint relied on route...

5.4CVSS6AI score0.00394EPSS
Exploits0References9
Snyk
Snyk
added 2026/06/26 9:29 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the web UI handlers responsible for managing hosts and networks. An attacker can gain unauthorized access to sensitive information and perform destructive actions across resources owned by other operators by...

8.8CVSS6AI score
Exploits0References3
OSV
OSV
added 2026/06/24 11:53 a.m.7 views

CVE-2026-56262 Crawl4AI - Unauthenticated Access to Monitor Endpoints via Docker API Server

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint and manipulate monitoring state without authentication,...

6.9CVSS6AI score0.00421EPSS
Exploits0References5
NVD
NVD
added 2026/06/24 7:16 a.m.9 views

CVE-2026-10552

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...

4.3CVSS0.00146EPSS
Exploits0References6
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 2:51 a.m.15 views

Malicious code in @my_name_is_khn/express-security-tool-v3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42987119346b57a7014465a5a7bec3c00d1928e7e41d999152aa4e2f814c298e On npm install, the package's postinstall runs scripts/inject.js, which walks up from the current working directory to locate the consumer project's...

5.5AI score
Exploits0References1
GithubExploit
GithubExploit
added 2026/06/10 8:33 a.m.100 views

Exploit for CVE-2026-10520

CVE-2026-10520 — Ivanti Sentry Mass Scanner Detection scanner...

10CVSS5.5AI score0.99041EPSS
Exploits6
Rows per page
Query Builder