Lucene search
+L

397 matches found

NVD
NVD
added 2026/06/12 9:16 p.m.21 views

CVE-2026-44990

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS0.00478EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/06/12 8:39 p.m.43 views

CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS0.00478EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:39 p.m.9 views

CVE-2026-44990 Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS5.1AI score0.00478EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:39 p.m.78 views

CVE-2026-44990

CVE-2026-44990 affects the sanitize-html package used with ApostropheCMS. Under default configuration (disallowedTagsMode: 'discard'), versions before 2.17.4 allow attacker-controlled content inside a disallowed xmp element to bypass sanitization and render as live HTML/JS, enabling stored XSS. T...

9.3CVSS5.2AI score0.00478EPSS
Exploits0References11
OSV
OSV
added 2026/06/10 11:16 p.m.6 views

DEBIAN-CVE-2026-49219

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched i...

5.5CVSS5.4AI score0.00128EPSS
Exploits0References1
OSV
OSV
added 2026/06/10 11:16 p.m.9 views

UBUNTU-CVE-2026-49219

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched i...

5.5CVSS5.2AI score0.00128EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/10 11:12 p.m.11 views

Directory Traversal

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.8CVSS6.2AI score0.00128EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/10 10:0 p.m.35 views

CVE-2026-49219 ImageMagick: Policy Bypass can read disallowed files

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched i...

5.5CVSS0.00128EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 10:0 p.m.11 views

CVE-2026-49219 ImageMagick: Policy Bypass can read disallowed files

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched i...

5.5CVSS5.4AI score0.00128EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 10:0 p.m.48 views

CVE-2026-49219

Technical details are not publicly available in the provided documents. Monitor for updates.

5.5CVSS5.4AI score0.00128EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/10 10:0 p.m.3 views

CVE-2026-49219 ImageMagick: Policy Bypass can read disallowed files

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched i...

5.5CVSS5.9AI score0.00128EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/06/10 10:0 p.m.27 views

CVE-2026-49219

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched i...

5.5CVSS5.4AI score0.00128EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/09 9:59 p.m.12 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the handleTokenExchange function. An attacker can gain unauthorized access to restricted resources by exploiting the lack of enforcement of allowed connectors when exchanging tokens. This is only exploitable i...

8.7CVSS5.4AI score
Exploits0References2
NVD
NVD
added 2026/06/04 5:16 p.m.17 views

CVE-2026-50076

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

9.1CVSS0.0052EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/04 4:9 p.m.41 views

CVE-2026-50076 Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

0.0052EPSS
Exploits0References1
CVE
CVE
added 2026/06/04 4:9 p.m.45 views

CVE-2026-50076

CVE-2026-50076 affects the Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM. The issue is a deserialization flaw in the Java replace-resolve path that allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and to invoke classpath-present readResolve/r...

9.1CVSS5.8AI score0.0052EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.12 views

Apache Fory 安全漏洞

Apache Fory is a serialization framework developed by the Apache Foundation in the United States. Versions of Apache Fory prior to 1.1.0 contained security vulnerabilities. These vulnerabilities stemmed from the deserialization of untrusted data in the Java replace-resolve path, which could allow...

9.1CVSS5.6AI score0.0052EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.28 views

PT-2026-46269

Name of the Vulnerable Software and Affected Versions Apache Fory fory-core versions prior to 1.1.0 Description Deserialization of untrusted data in the Java replace-resolve path on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks. B...

9.1CVSS5.5AI score0.0052EPSS
Exploits0References8
Snyk
Snyk
added 2026/05/29 6:20 p.m.9 views

Incomplete List of Disallowed Inputs

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the NodeVM builtin allowlist in lib/builtin.js. An attacker can read host-process state by supplying a sandb...

8.2CVSS5.9AI score0.00308EPSS
Exploits0References2
OSV
OSV
added 2026/05/28 4:16 p.m.9 views

DEBIAN-CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

5.4CVSS5.8AI score0.00127EPSS
Exploits1References1
Rows per page
Query Builder