Lucene search

917 matches found

Nuclei, added yesterday

Dify User Enumeration via Observable Response Discrepancy

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue. id: CVE-2026-28288 info: name: Dify User Enumeratio...

CVSS 6.9, AI score 5.8, EPSS 0.00453
Exploits: 1, References: 2
UbuntuCve, added 3 days ago

CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret i...

CVSS 3.7, AI score 5.8, EPSS 0.001
Exploits: 0, References: 2
EUVD, added last week

EUVD-2026-33070

TREK is a collaborative travel planner. Prior to 3.0.18, an early return on a missing user in the login flow allowed an attacker to enumerate valid user accounts via a response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

CVSS 5.3, AI score 5.8, EPSS 0.00036
Exploits: 0, References: 2
Vulnrichment, added 2026/05/26 8:09 p.m.

CVE-2026-42335 MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior (fixed in 2.8.1) are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch endpoint (chat/api/oss/geturl). The vulnerability exists due to inconsistent URL parsing between the urlparse...

CVSS 6.3, AI score 5.8, EPSS 0.00049
Exploits: 0, References: 1
Tenable Nessus, added 2026/05/21 12:00 a.m.

Apache Tomcat 11.0.0.M1 < 11.0.22 multiple vulnerabilities

The version of Tomcat installed on the remote host is prior to 11.0.22. It is, therefore, affected by multiple vulnerabilities as referenced in the "Fixed in Apache Tomcat 11.0.22" (security-11) advisory. - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat...

CVSS 9.8, AI score 5.8, EPSS 0.00253
Exploits: 0, References: 18
EUVD, added 2026/05/19 11:01 a.m.

EUVD-2026-30890

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further...

CVSS 8.1, AI score 5.7, EPSS 0.00013
Exploits: 0, References: 2
Github Security Blog, added 2026/05/14 8:27 p.m.

Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`

Summary: In the open-webui project, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. Details: In the current project, URL validation is performed by the function `validate_url`. The current checking logic uses urlparse to parse the hostname part ...

CVSS 8.5, AI score 5.9, EPSS 0.00033
Exploits: 1, References: 4, Affected software: 1
Positive Technologies, added 2026/05/14 12:00 a.m.

PT-2026-41195

Name of the vulnerable software and affected versions: Open WebUI versions prior to 0.9.5. Description: A parsing discrepancy between the urlparse and requests libraries allows a Server-Side Request Forgery (SSRF) bypass. The `validate_url` function uses urlparse to verify the hostname; however,...

CVSS 8.5, AI score 5.8, EPSS 0.00033
Exploits: 1, References: 6
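The MaxKB and Open WebUI entries above describe the same bug class: the hostname that the validator inspects is not the hostname the HTTP client connects to. The block below is an added example, not code from either project. It assumes a simplified validator that pulls the hostname out of urllib.parse.urlparse and rejects it only if ipaddress can parse it as a loopback or private address; the client library then hands the same string to the resolver, whose inet_aton-style parser accepts shorthand such as "127.1" or a bare 32-bit integer that ipaddress refuses. The hardened version canonicalises through the lenient parser first and, for real DNS names, checks every resolved address (the resolver is injectable so the check can run offline).

```python
"""Added example: a host deny-list check that disagrees with the client.

Not code from MaxKB or Open WebUI. Assumed scenario: the fetch endpoint takes
the hostname from urlparse and rejects it if ipaddress says it is loopback or
private; the HTTP client then hands the same string to the resolver, which
uses inet_aton-style parsing. inet_aton accepts "127.1", "0x7f.1" and
"2130706433" for 127.0.0.1, all of which ipaddress rejects, so the check and
the connection see two different addresses.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

BLOCKED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
    )
]


def _is_blocked(ip) -> bool:
    return any(ip in net for net in BLOCKED_NETWORKS)


def naive_is_blocked(url: str) -> bool:
    """The vulnerable pattern: only a string that ipaddress can parse is
    checked; anything else is assumed to be a public DNS name and allowed."""
    host = urlparse(url).hostname or ""
    try:
        return _is_blocked(ipaddress.ip_address(host))
    except ValueError:
        return False  # "not an IP literal" is treated as safe


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """The address the socket layer would actually connect to for an
    IPv4-looking string, or None if inet_aton does not accept it."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def _system_resolve(host: str) -> Iterable[str]:
    # Every address the client could pick, not only the first one.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def hardened_is_blocked(url: str, resolve: Callable[[str], Iterable[str]] = _system_resolve) -> bool:
    """Canonicalise through the same lenient parser the client uses, then
    check the result; for DNS names check every resolved address."""
    host = urlparse(url).hostname or ""
    if not host:
        return True  # nothing to connect to: fail closed
    ip = canonical_ipv4(host)
    if ip is None:
        try:
            ip = ipaddress.ip_address(host)  # e.g. a bracketed IPv6 literal
        except ValueError:
            return any(_is_blocked(ipaddress.ip_address(a)) for a in resolve(host))
    return _is_blocked(ip)


if __name__ == "__main__":
    for u in ("http://127.0.0.1/", "http://127.1/", "http://2130706433/", "http://[::1]/"):
        print(f"{u:24} naive blocked={naive_is_blocked(u)!s:5} hardened blocked={hardened_is_blocked(u)}")
```

Even the hardened check is still a check-then-use: a DNS name can change answers between the check and the connect (rebinding), and a redirect can point anywhere. Connect to the exact address that passed the check and re-run the check on every redirect hop rather than letting the client follow redirects on its own.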
Vulnrichment, added 2026/05/13 3:08 p.m.

CVE-2026-42266 JupyterLab has an Extension Manager API/GUI Policy Discrepancy allowing third-party (malicious) extensions to be installed via POST request.

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from the PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced by JupyterLab. The Py...

CVSS 8.8, AI score 5.8, EPSS 0.00029
Exploits: 0, References: 4
CVE, added 2026/05/13 3:08 p.m.

CVE-2026-42266

JupyterLab prior to 4.5.7 is affected: from 4.0.0 to 4.5.6 the allow-list for PyPI Extension Manager extensions could be bypassed, as allowed_extensions_uris was not properly enforced and not confined to the default PyPI index. This could allow an authenticated attacker to install unapproved/mali...

CVSS 8.8, AI score 5.8, EPSS 0.00029
Exploits: 0, References: 4, Affected software: 1
SUSE CVE, added 2026/05/13 2:21 p.m.

SUSE CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

CVSS 5.3, AI score 5.7, EPSS 0.001
Exploits: 0, References: 3
Tenable Nessus, added 2026/05/13 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2026-43514

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from...

CVSS 3.7, AI score 5.8, EPSS 0.001
Exploits: 0, References: 3
EUVD, added 2026/05/12 6:30 p.m.

EUVD-2026-29518

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

AI score 5.7, EPSS 0.001
Exploits: 0, References: 3
OSV, added 2026/05/12 4:16 p.m.

DEBIAN-CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

CVSS 3.7, AI score 5.7, EPSS 0.001
Exploits: 0, References: 1
NVD, added 2026/05/12 4:16 p.m.

CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

CVSS 3.7, EPSS 0.001
Exploits: 0, References: 2
OSV, added 2026/05/12 4:16 p.m.

UBUNTU-CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

CVSS 3.7, AI score 5.7, EPSS 0.001
Exploits: 0, References: 3
Debian CVE, added 2026/05/12 3:32 p.m.

CVE-2026-43514

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

CVSS 3.7, AI score 5.7, EPSS 0.001
Exploits: 0
Vulnrichment, added 2026/05/12 3:32 p.m.

CVE-2026-43514 Apache Tomcat: AJP secret compared in non-constant time

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

AI score 5.7, EPSS 0.001
Exploits: 0, References: 1
CVE, added 2026/05/12 3:32 p.m.

CVE-2026-43514

CVE-2026-43514 describes an observable timing discrepancy in comparing the AJP secret in Apache Tomcat. Affected are Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109 (older unsupported versions may also be affe...

CVSS 3.7, AI score 5.7, EPSS 0.001
Exploits: 0, References: 2, Affected software: 1
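Three entries on this page are the same weakness seen from two angles: Dify and TREK leak account existence through a response or timing difference in the login flow (TREK's backend only ran bcrypt when the email existed), and Tomcat's AJP connector compared its shared secret byte by byte so the comparison time depended on how long a correct prefix the peer sent. The block below is an added example, not code from Dify, TREK or Tomcat. It assumes an in-memory user store and uses PBKDF2 as a stand-in for bcrypt (any slow password hash behaves the same way). The vulnerable functions reproduce the two patterns; the hardened ones do identical work on every path and use hmac.compare_digest.

```python
"""Added example: constant-work login and constant-time secret comparison.

Not code from Dify, TREK or Tomcat. login_vulnerable returns before hashing
when the account is missing; compare_naive stops at the first mismatching
byte. login_hardened always pays the hash cost and folds the existence bit
in afterwards; compare_constant_time defers to hmac.compare_digest.
Assumptions: PBKDF2 stands in for bcrypt; the user store is constructed.
"""
import hashlib
import hmac
import os
import statistics
import time

HASH_ITERATIONS = 20_000
HASH_CALLS = 0  # instrumentation: how many slow hashes each code path performed


def slow_hash(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)


# Constructed user store: email -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, slow_hash("correct horse", _SALT))}

# Dummy credential with the same cost profile, used when the account is missing
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = slow_hash("placeholder-never-accepted", _DUMMY_SALT)


def login_vulnerable(email: str, password: str) -> bool:
    """Early return: unknown accounts skip the hash, so the response comes
    back milliseconds sooner (and the caller usually emits a different error)."""
    rec = USERS.get(email)
    if rec is None:
        return False
    salt, stored = rec
    return slow_hash(password, salt) == stored  # == is not constant-time either


def login_hardened(email: str, password: str) -> bool:
    """Same hash cost whether or not the account exists. Returns one boolean
    so the caller can send a single generic 'invalid credentials' response."""
    rec = USERS.get(email)
    exists = rec is not None
    salt, stored = rec if exists else (_DUMMY_SALT, _DUMMY_HASH)
    computed = slow_hash(password, salt)
    return hmac.compare_digest(computed, stored) and exists


def compare_naive(a: bytes, b: bytes):
    """Returns (equal, bytes_examined). The loop exits on the first mismatch,
    so the time grows with the length of the correct prefix the peer sent;
    that is the observable a secret-guessing client measures."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def compare_constant_time(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(a, b)


def hash_calls_for(fn, *args) -> int:
    """Number of slow hashes fn performed for these arguments."""
    before = HASH_CALLS
    fn(*args)
    return HASH_CALLS - before


def median_ns(fn, *args, repeats: int = 20) -> float:
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter_ns()
        fn(*args)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = median_ns(fn, "alice@example.com", "wrong")
        unknown = median_ns(fn, "nobody@example.com", "wrong")
        print(f"{name:10} known user {known/1e6:7.2f} ms   unknown user {unknown/1e6:7.2f} ms")
```

Running the block shows the gap directly: the vulnerable login answers an unknown email in microseconds and a known one in tens of milliseconds, while the hardened login takes the same time for both. The secret comparison matters even when the secret is not a password: an AJP-style shared secret checked with a short-circuiting loop can in principle be recovered a byte at a time by a peer that can measure the server's response latency, which is why the comparison should be constant-time regardless of how the secret was provisioned.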
Tenable Nessus, added 2026/05/12 12:00 a.m.

Apache Tomcat 10.1.0.M1 < 10.1.55 multiple vulnerabilities

The version of Tomcat installed on the remote host is prior to 10.1.55. It is, therefore, affected by multiple vulnerabilities as referenced in the "Fixed in Apache Tomcat 10.1.55" (security-10) advisory. - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat...

CVSS 9.8, AI score 5.8, EPSS 0.00253
Exploits: 0, References: 18