Lucene search
+L

396 matches found

Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-61503 Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences

Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...

6.9CVSS0.00343EPSS
Exploits0References2
OSV
OSV
added 6 days ago5 views

CVE-2026-61503 Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences

Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...

6.9CVSS6.1AI score0.00343EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/09 12:0 a.m.41 views

CVE-2026-51926

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid...

0.0036EPSS
Exploits0References2
NVD
NVD
added 2026/07/08 8:16 p.m.7 views

CVE-2026-44332

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username...

5.3CVSS0.00517EPSS
Exploits1References4
NVD
NVD
added 2026/07/07 9:17 p.m.7 views

CVE-2026-53751

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special Unicode characters whose case-conversion behavior differs between DataEase validation and H2 parsing, allowing attackers to smuggle dangerous...

8.7CVSS0.00375EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/07 8:31 p.m.34 views

CVE-2026-53751 DataEase: H2 JDBC URL Filter Bypass Leads to Remote Code Execution (RCE)

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the H2 database JDBC URL validation logic can be bypassed with special Unicode characters whose case-conversion behavior differs between DataEase validation and H2 parsing, allowing attackers to smuggle dangerous...

8.7CVSS0.00375EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 8:31 p.m.23 views

CVE-2026-53751

CVE-2026-53751 affects DataEase prior to 2.10.24. The vulnerability arises from the H2 database JDBC URL validation being bypassable by Unicode characters whose case-conversion behavior differs between DataEase’s validation and H2 parsing, enabling an attacker to smuggle dangerous parameters (e.g...

8.7CVSS6.2AI score0.00375EPSS
Exploits0References3
OSV
OSV
added 2026/06/30 10:8 p.m.4 views

CVE-2026-56318 Capgo - Information Disclosure via /private/validate_password_compliance Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validatepasswordcompliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observi...

6.9CVSS5.9AI score0.00261EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/25 5:24 a.m.40 views

CVE-2026-12490 Bypass of client certificate verification with transfer over TLS

When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port and not the tls-auth-port or over over TCP over the regular...

8.2CVSS0.00139EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/21 1:26 p.m.10 views

EUVD-2026-38172

Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/ endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to...

6.9CVSS5.9AI score0.00241EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:26 p.m.20 views

CVE-2026-56316

Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs by observing response discrepancies. Attackers can probe without authentication to distinguish valid job ...

6.9CVSS5.9AI score0.00241EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 3:24 p.m.11 views

EUVD-2026-38125

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-41259

Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted...

8.2CVSS5.5AI score0.00213EPSS
Exploits0References1
CVE
CVE
added 2026/06/05 1:49 p.m.19 views

CVE-2026-6207

CVE-2026-6207 is rejected and not an active vulnerability entry.

5.5AI score
Exploits0
CNNVD
CNNVD
added 2026/06/03 12:0 a.m.11 views

Django daphne 输入验证错误漏洞

Daphne is an open-source ASGI protocol server developed by Django, which supports HTTP, HTTP2, and WebSocket. Versions of Daphne prior to 4.2.2 contained security vulnerabilities. These vulnerabilities were due to differences in the parser, which could allow attackers to inject additional headers...

5.3CVSS5.9AI score0.00172EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 7:52 p.m.23 views

CVE-2026-45294

FreeScout (PHP/Laravel) before version 1.8.219 is vulnerable. The password reset endpoint returns visually distinct responses based on whether the submitted email belongs to an existing user, enabling unauthenticated enumeration of valid helpdesk agent email addresses. Root cause: inadequate obfu...

5.3CVSS5.8AI score0.0021EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 5:58 p.m.39 views

CVE-2026-46526

CVE-2026-46526 concerns Local Deep Research. Before version 1.6.10, the URL validation flow had a logical flaw that could bypass SSRF protections because parsing differed between urlparse and the HTTP request library. The code first runs SSRF checks via validate_url and then uses requests.get to ...

5CVSS5.8AI score0.00247EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.21 views

PT-2026-44472

Name of the Vulnerable Software and Affected Versions local-deep-research versions prior to 1.6.10 Description A logical flaw in the URL checking logic allows attackers to bypass security filters, leading to Server-Side Request Forgery SSRF. The software uses the validate url function to perform...

5CVSS6.1AI score0.00247EPSS
Exploits0References16
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.16 views

PT-2026-44135

Name of the Vulnerable Software and Affected Versions symfony/html-sanitizer versions prior to 5.4 Description Three bypasses allow content authors to smuggle URLs that are not on the allowlist past sanitization checks. The first bypass occurs because UrlSanitizer::parse follows RFC-3986, whereas...

2.3CVSS6.1AI score0.0029EPSS
Exploits0References17
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in ntfs-3g

NTFS-3G versions prior to 2021.8.22 may experience a stack buffer overflow when correcting differences between the MFT Mounted File Table and MFTMirror. This can lead to code execution or an escalation of privileges when using the setuid-root account...

7.8CVSS7.4AI score0.00488EPSS
Exploits0References2
Rows per page
Query Builder