337 matches found

NVD (added 2 hours ago, 4 views)

CVE-2026-50076

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

Exploits: 0, References: 1
Cvelist (added 3 hours ago, 5 views)

CVE-2026-50076 Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

Exploits: 0, References: 1
CVE (added 3 hours ago, 5 views)

CVE-2026-50076

CVE-2026-50076 details: Deserialization of untrusted data in the Java replace-resolve path of Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and to invoke classpath-present readResolv...

AI score: 5.8
Exploits: 0, References: 1
Positive Technologies (added 19 hours ago, 4 views)

PT-2026-46269

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

CVSS: 9.1
Exploits: 0, References: 3
Snyk (added 6 days ago, 3 views)

Incomplete List of Disallowed Inputs

Overview: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the NodeVM builtin allowlist in lib/builtin.js. An attacker can read host-process state by supplying a sandb...

CVSS: 8.2, AI score: 5.9
Exploits: 0, References: 2
OSV (added 2026/05/28 4:16 p.m., 3 views)

DEBIAN-CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00014
Exploits: 1, References: 1
NVD (added 2026/05/28 4:16 p.m., 9 views)

CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVSS: 5.4, EPSS: 0.00014
Exploits: 1, References: 1
OSV (added 2026/05/28 4:16 p.m., 2 views)

UBUNTU-CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00014
Exploits: 1, References: 3
CVE (added 2026/05/28 3:10 p.m., 25 views)

CVE-2026-48523

PyJWT vulnerability affecting versions 2.9.0–2.12.1 where a verifier-side algorithm allow-list bypass occurs when decoding with a PyJWK/PyJWKClient key. The token header's alg is checked against the caller-supplied allow-list, but the signature is verified using the algorithm bound to the PyJWK obj...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00014
Exploits: 1, References: 1, Affected Software: 1
Debian CVE (added 2026/05/28 3:10 p.m., 8 views)

CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00014
Exploits: 1
Cvelist (added 2026/05/28 3:10 p.m., 25 views)

CVE-2026-48523 PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode_complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

CVSS: 5.4, EPSS: 0.00014
Exploits: 1, References: 1
SUSE Linux (added 2026/05/18 1:19 p.m., 6 views)

Security update for PackageKit

This update for PackageKit fixes the following issue: CVE-2026-41651: Do not allow re-invoking methods on non-new transactions (bsc#1262220). Special Instructions and Notes: Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zyppe...

CVSS: 9.3, AI score: 5.8, EPSS: 0.00153
Exploits: 10, References: 4
Github Security Blog (added 2026/05/14 6:26 p.m., 16 views)

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Summary: Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized...

AI score: 6
Exploits: 0, References: 4, Affected Software: 1
Github Security Blog (added 2026/05/14 1:12 p.m., 3 views)

Strapi Upload Plugin MIME Validation Bypass via Content API

Summary of CVE-2026-22707. Vulnerability Details: CVE: CVE-2026-22707; CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, 5.3 (Medium); Affected Versions: @strapi/upload =5.33.3. Description of CVE-2026-22707: In Strapi versions prior to 5.33.3, the Upload plugin's...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00034
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies (added 2026/05/14 12:0 a.m., 8 views)

PT-2026-41152

Name of the Vulnerable Software and Affected Versions: sanitize-html version 2.17.3. Description: A sanitizer bypass exists in the default configuration where the disallowedTagsMode: 'discard' path fails to properly handle the xmp element. Because xmp is not included in the nonTextTags list, its...

CVSS: 9.3, AI score: 5.7
Exploits: 0, References: 4
RedhatCVE (added 2026/05/08 8:21 p.m., 5 views)

CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00021
Exploits: 0, References: 1
SUSE CVE (added 2026/05/08 2:21 a.m., 6 views)

SUSE CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00021
Exploits: 0, References: 3
Snyk (added 2026/05/07 12:55 a.m., 5 views)

Incomplete List of Disallowed Inputs

Overview: Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the metadata process. An attacker can rename, move, or create links to files within the container by submitting specially crafted metadata values that bypass the intended blocklist. This may also...

CVSS: 8.8, AI score: 5.8, EPSS: 0.00069
Exploits: 1, References: 2
Snyk (added 2026/05/07 12:55 a.m., 5 views)

Incomplete List of Disallowed Inputs

Overview: Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the metadata process. An attacker can rename, move, or create links to files within the container by submitting specially crafted metadata values that bypass the intended blocklist. This may also...

CVSS: 8.8, AI score: 5.9, EPSS: 0.00069
Exploits: 1, References: 2
OSV (added 2026/05/05 8:29 p.m., 4 views)

GHSA-J4RJ-2JR5-M439 ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs

Summary: ssrfcheck v1.3.0 (latest) fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address, e.g. http://[::ffff:127.0.0.1]/. The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brackets to...

CVSS: 8.2, AI score: 5.8, EPSS: 0.00051
Exploits: 0, References: 3