Lucene search
K

375 matches found

CVE
CVE
added yesterday8 views

CVE-2026-61858

CVE-2026-61858 concerns ImageMagick prior to 7.1.2-26, where a policy bypass vulnerability exists in the APNG encoder and external delegates due to missing validation checks. Attackers can bypass policy restrictions during APNG encoding and write files to disallowed paths. The provided documents ...

4.8CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added yesterday8 views

EUVD-2026-43187

ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and external delegates due to missing validation checks. Attackers can write files to disallowed paths by bypassing configured policy restrictions through the APNG encoding process...

4.8CVSS6.1AI score
Exploits0References2
OSV
OSV
added 5 days ago7 views

PYSEC-2026-1448 libsodium has Incomplete List of Disallowed Inputs

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalidpoint, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory...

4.5CVSS6AI score0.00166EPSS
Exploits0References16
OSV
OSV
added 2026/07/01 7:16 p.m.2 views

DEBIAN-CVE-2026-55628

In versions prior to 7.1.2-26he, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26...

5.5CVSS5.7AI score0.00098EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/07/01 6:16 p.m.4 views

CVE-2026-55628

In versions prior to 7.1.2-26he, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26...

5.5CVSS5.7AI score0.00098EPSS
Exploits0
EUVD
EUVD
added 2026/07/01 12:34 a.m.10 views

EUVD-2026-40450

ImageMagick before 7.1.2-24 contains an incorrect policy check that allows attackers to create or truncate files disallowed by security policies. Remote attackers can bypass path policy restrictions in sandboxed conversion services to write arbitrary files outside intended boundaries...

4.8CVSS5.9AI score0.00164EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54857

Name of the Vulnerable Software and Affected Versions ImageMagick versions prior to 7.1.2-26 Description The -concatenate operation lacks necessary policy checks. This flaw allows the software to read from and write to file paths that are explicitly disallowed by the security policy, enabling a...

5.5CVSS6AI score0.00111EPSS
Exploits0References22
OSV
OSV
added 2026/06/25 9:53 p.m.2 views

GHSA-XCJM-WQFF-M669 ImageMagick: Policy Bypass can read disallowed files via symlink

An incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink...

5.5CVSS5.8AI score0.00128EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 9:31 p.m.4 views

GHSA-QHMF-XW27-6RQR MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments

Summary MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowedType as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic typ...

6.3CVSS5.9AI score0.00246EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/25 7:0 p.m.4 views

CVE-2026-44990

A flaw was found in the sanitize-html library. Under its default configuration, an attacker can embed malicious content within a disallowed xmp element. This vulnerability allows the attacker to bypass the HTML sanitization process, leading to stored Cross-Site Scripting XSS. Successful...

9.3CVSS6.3AI score0.00397EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/25 4:5 p.m.5 views

EUVD-2026-39468

Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create...

2.3CVSS5.8AI score0.0017EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 8:16 p.m.6 views

CVE-2026-46348

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make...

8.7CVSS0.00337EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 7:39 p.m.15 views

CVE-2026-46348 Mastodon: SSRF Bypass via IPv6 Unspecified Address (::)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.10, 4.4.17, and 4.3.23, the list of disallowed IP address ranges was lacking an IP address range that can be used to reach local IP addresses. An attacker can use an IP address in the affected range to make...

8.7CVSS0.00337EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 7:39 p.m.33 views

CVE-2026-46348

CVE-2026-46348 affects Mastodon servers prior to 4.5.10, 4.4.17, and 4.3.23. The issue stems from the disallowed IP range list lacking an IPv6 unspecified address (::), allowing an attacker to induce HTTP requests to loopback interfaces and potentially access private resources and services. Impac...

8.7CVSS5.9AI score0.00337EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.12 views

PT-2026-52077

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.5.10 Mastodon versions prior to 4.4.17 Mastodon versions prior to 4.3.23 Description Mastodon is a free, open-source social network server based on ActivityPub. The software fails to include a specific IP address...

8.7CVSS5.8AI score0.00337EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/18 1:2 p.m.5 views

Incomplete List of Disallowed Inputs

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via insufficient sanitization of environment variables in the process. An attacker can influence the behavior of a Node.js child process or alter...

8.1CVSS5.9AI score0.00246EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 9:31 p.m.5 views

GHSA-3V3J-737J-7G74 Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v2ww-5rh7-2h5v. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers ...

8.3CVSS5.5AI score0.00347EPSS
Exploits0References3
NVD
NVD
added 2026/06/16 7:17 p.m.11 views

CVE-2026-53853

OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted...

8.3CVSS0.00347EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 2:6 p.m.12 views

GHSA-8RFP-98V4-MMR6 Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output

Impact A possible XSS bypass affects users calling bleach.clean with all of: a in the allowed tags href in allowed attributes The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme...

5.5AI score
Exploits0References3
OSV
OSV
added 2026/06/15 7:27 p.m.7 views

GHSA-JQ35-7PRP-9V3F PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

!NOTE Scored assuming a deployment where algorithm policy functions as an authentication/authorization boundary. In deployments where the algorithm policy enforces crypto agility only, the practical confidentiality impact is lower and the issue is closer to an integrity-of-policy-enforcement bug...

5.4CVSS5.5AI score0.00127EPSS
Exploits1References4
Rows per page
Query Builder