Lucene search
K

4016 matches found

alpinelinux
alpinelinux
added 2026/06/23 4:14 p.m.16 views

CVE-2026-56117

dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket...

5.7CVSS5.8AI score0.00093EPSS
Exploits0References2
github
github
added 2026/06/22 11:19 p.m.12 views

@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens

Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...

8.3CVSS5.9AI score0.00441EPSS
Exploits0References2Affected Software1
nvd
nvd
added 2026/06/22 10:16 p.m.8 views

CVE-2026-55409

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attack...

7.6CVSS0.00168EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/22 9:47 p.m.24 views

CVE-2026-55409 Filament: Disabled RichEditor field state can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.53, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attack...

7.6CVSS0.00168EPSS
Exploits0References1
cve
cve
added 2026/06/22 9:47 p.m.33 views

CVE-2026-55409

Filament (Laravel) v3 contains a vulnerability where a disabled RichEditor field renders its raw HTML state without sanitization. If the form state data isn’t sanitized when populated, an attacker could inject malicious HTML/JavaScript, causing XSS to execute for users viewing the form. Affected ...

7.6CVSS5.8AI score0.00168EPSS
Exploits0References1
osv
osv
added 2026/06/22 5:47 a.m.4 views

BIT-NGINX-2026-42530 NGINX Open-Source ngx_http_v3_module vulnerability

NGINX Open Source has a vulnerability in the ngxhttpv3module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This m...

9.2CVSS6.1AI score0.03225EPSS
Exploits3References5
osv
osv
added 2026/06/20 12:0 p.m.16 views

MAL-2026-6256 Malicious code in @withgoogle/stitch-sdk (npm)

@withgoogle/stitch-sdk is a scope-squatting package on npm that impersonates Google's Stitch AI design tool SDK. The attacker registered the @withgoogle scope to mimic Google's withgoogle.com domain and published versions 0.1.1 and 0.1.2 under the account maximus-mcmillan on June 19, 2026. The...

6AI score
Exploits0References6
github
github
added 2026/06/19 10:10 p.m.11 views

Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions

Impact Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The quicheconnectioniditernext and quicheconnretiredscidnext functions would return a pointer to a ConnectionId to the applications via function arguments, but the the owned...

5.6CVSS5.8AI score0.0017EPSS
Exploits0References3Affected Software1
cve
cve
added 2026/06/19 4:31 a.m.20 views

CVE-2026-12430

The CVE-2026-12430 entry concerns the Blocksy Companion WordPress plugin (

4.4CVSS5.9AI score0.00208EPSS
Exploits0References8
cvelist
cvelist
added 2026/06/19 4:31 a.m.32 views

CVE-2026-12430 Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...

4.4CVSS0.00208EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/19 12:0 a.m.24 views

PT-2026-50838

Name of the Vulnerable Software and Affected Versions Blocksy Companion versions prior to 2.1.46 Description The Blocksy Companion plugin for WordPress contains a Stored Cross-Site Scripting issue within the admin settings caused by insufficient input sanitization and output escaping. This allows...

4.4CVSS5.9AI score0.00208EPSS
Exploits0References15
euvd
euvd
added 2026/06/18 2:35 p.m.11 views

EUVD-2026-37901

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files e.g. .theia/tasks.json, .vscode/tasks.json could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitra...

8.4CVSS5.7AI score0.00231EPSS
Exploits0References1
cve
cve
added 2026/06/18 5:34 a.m.34 views

CVE-2026-11358

The CVE concerns the Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress (versions up to 3.0.6). The vulnerability is a Stored Cross-Site Scripting flaw arising from insufficient input sanitization and output escaping in admin settings. It a...

4.4CVSS5.5AI score0.00203EPSS
Exploits0References6
cvelist
cvelist
added 2026/06/18 5:34 a.m.29 views

CVE-2026-11358 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS0.00203EPSS
Exploits0References6
osv
osv
added 2026/06/18 3:55 a.m.10 views

MAL-2026-6091 Malicious code in datacamp-light (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c Package impersonates the DataCamp brand while shipping near-empty stub exports index.js init/helper return trivial constants. The postinstall lifecyc...

5.8AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/18 12:0 a.m.18 views

PT-2026-50726

Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.4 Kirby versions prior to 5.4.4 Description Missing authorization in the content management system allows authenticated users to retrieve information for arbitrary published pages. By knowing or guessing page IDs or...

7.1CVSS6AI score0.00269EPSS
Exploits0References8
nessus
nessus
added 2026/06/18 12:0 a.m.10 views

Mattermost Desktop 5.13.x < 5.13.6 / 6.x < 6.2.0 Multiple Vulnerabilities (MMSA-2026-00651 / MMSA-2026-00652)

The version of Mattermost Desktop installed on the remote host is affected by multiple vulnerabilities: - Mattermost Desktop App versions =6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a...

7.7CVSS6AI score0.00199EPSS
Exploits0References3
github
github
added 2026/06/17 6:41 p.m.13 views

Filament: Disabled RichEditor field state can be used for XSS

In Filament v3, a disabled RichEditor field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the...

7.6CVSS5.2AI score0.00168EPSS
Exploits0References4Affected Software1
osv
osv
added 2026/06/17 6:1 p.m.4 views

GHSA-9RPJ-V7HF-VV2W Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter

Summary Several direct, index-addressed Ollama proxy routes accept a caller-supplied urlidx path parameter and use it as a raw index into the admin-configured OLLAMABASEURLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the...

6.3CVSS5.7AI score0.0021EPSS
Exploits0References2
nvd
nvd
added 2026/06/17 3:16 p.m.16 views

CVE-2026-42530

NGINX Open Source has a vulnerability in the ngxhttpv3module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream. This m...

9.2CVSS0.03225EPSS
Exploits3References4
Rows per page
Query Builder