Lucene search
K

1466 matches found

OSV
OSV
added 2026/05/15 6:30 p.m.5 views

GHSA-CH4J-VCF5-58X5 Cockpit CMS: Stored cross-site scripting vulnerability in the Set field type's Display template option

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function and rendered via Vue's v-html directive witho...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References4
OSV
OSV
added 2026/05/15 3:28 p.m.22 views

CLSA-2026-1778858907 mod_proxy_cluster: Fix of 2 CVEs

CVE-2023-6710: stored XSS in modcluster-manager HTML output via virtual host and context names rendered without HTML escaping - CVE-2024-10306: unauthorized MCMP requests due to directive being ignored for protocol-handler filtering; runtime guard now refuses siblings of EnableMCPMReceive, and...

5.4CVSS6.4AI score0.02242EPSS
Exploits5References1
CISA
CISA
added 2026/05/15 12:0 p.m.15 views

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities KEV Catalog, based on evidence of active exploitation. CVE-2026-42897link is external Microsoft Exchange Server Cross-Site Scripting Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber...

8.1CVSS5.8AI score0.0564EPSS
In wildExploits1References6
Snyk
Snyk
added 2026/05/14 8:18 p.m.8 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of user-uploaded Office files as HTML using the Svelte @html directive without proper sanitization. An attacker can execute arbitrary JavaScript in the context of oth...

5.4CVSS5.8AI score0.00209EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/05/14 7:58 p.m.9 views

CVE-2026-44218

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS5.8AI score0.00122EPSS
Exploits0References1
OSV
OSV
added 2026/05/14 4:36 p.m.6 views

GHSA-CCFX-MFMX-2FX9 Mistune Image Directive CSS Injection Vulnerability

Summary The Image directive plugin validates the :width: and :height: options with a regex compiled as numre = re.compiler"^\d+?:.\d?". This pattern is applied via re.match which anchors only at the start of the string, not the end. Any value that begins with one or more digits passes validation,...

4.7CVSS6AI score0.00228EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/14 4:36 p.m.12 views

Mistune Image Directive CSS Injection Vulnerability

Summary The Image directive plugin validates the :width: and :height: options with a regex compiled as numre = re.compiler"^\d+?:.\d?". This pattern is applied via re.match which anchors only at the start of the string, not the end. Any value that begins with one or more digits passes validation,...

6.1CVSS6AI score0.00228EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 2:23 p.m.7 views

CVE-2026-41933

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

6.9CVSS5.8AI score0.00247EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/14 1:8 p.m.11 views

Absinthe: Unbounded atom creation from parsed directive name

Summary When Absinthe parses a GraphQL SDL document, every directive @ definition is converted into a freshly created atom without any allow-list or length cap. Because atoms are never garbage-collected and the BEAM has a hard 1,048,576 atom-table limit, any application that feeds...

8.2CVSS6AI score0.00613EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/05/14 1:8 p.m.6 views

GHSA-QF4G-9FQQ-MMM7 Absinthe: Unbounded atom creation from parsed directive name

Summary When Absinthe parses a GraphQL SDL document, every directive @ definition is converted into a freshly created atom without any allow-list or length cap. Because atoms are never garbage-collected and the BEAM has a hard 1,048,576 atom-table limit, any application that feeds...

8.2CVSS6AI score0.00613EPSS
Exploits1References6
CISA
CISA
added 2026/05/14 12:0 p.m.25 views

CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems

Update May 14, 2026: CISA has updated this Alert to include additional vulnerabilities, CVE-2026-20133 and CVE-2026-20182 and associated resources. The purpose of this Alert is to provide resources for organizations with Cisco Software-Defined Wide-Area Networking SD-WAN systems, including Federa...

10CVSS7.4AI score0.88496EPSS
In wildExploits14References18
GithubExploit
GithubExploit
added 2026/05/14 11:43 a.m.136 views

Exploit for CVE-2026-42945

nginx-rift-scanner Scans your nginx installation for CVE-202...

9.2CVSS6.3AI score0.61469EPSS
Exploits40
GithubExploit
GithubExploit
added 2026/05/14 11:3 a.m.354 views

Exploit for CVE-2026-42945

cve-2026-42945-scan Static scanner for NGINX configuration fi...

9.2CVSS6.1AI score0.61469EPSS
Exploits40
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-41147

Name of the Vulnerable Software and Affected Versions mistune affected versions not specified Description The Image directive plugin fails to properly validate the :width: and :height: options. The validation uses a regular expression that only checks if the value starts with a digit, rather than...

4.7CVSS5.9AI score0.00228EPSS
Exploits1References6
NVD
NVD
added 2026/05/13 9:16 p.m.10 views

CVE-2026-45228

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders pushconfig key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the...

5.4CVSS0.00183EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/13 6:30 p.m.8 views

EUVD-2026-29999

When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel TMM process to terminate. Note: Software versions which have reached End of Technical Support EoTS are...

8.7CVSS5.8AI score0.00263EPSS
Exploits0References2
NVD
NVD
added 2026/05/12 11:16 p.m.16 views

CVE-2026-44245

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...

6.1CVSS0.00183EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 10:46 p.m.9 views

CVE-2026-44245

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...

6.1CVSS5.9AI score0.00183EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/05/12 10:46 p.m.38 views

CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...

6.1CVSS0.00183EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/12 8:21 p.m.13 views

CVE-2026-42213

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link VS Code textDocument/documentLin...

5.1CVSS5.9AI score0.00454EPSS
Exploits0References1
Rows per page
Query Builder