Lucene search
K

2977 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-56763

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...

6.3CVSS0.00177EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-43173

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...

6.3CVSS6.1AI score0.00177EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-56763 Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option

Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...

6.3CVSS0.00177EPSS
Exploits0References2
CVE
CVE
added 4 days ago13 views

CVE-2026-56763

CVE-2026-56763 affects Hono prior to 4.12.7. The parseBody function with dot option enabled accepts proto in field names, allowing prototype pollution when parsed results are merged into regular objects via unsafe merge patterns. Impacted behavior includes modification of object prototypes and po...

6.3CVSS6.1AI score0.00177EPSS
Exploits0References2
NVD
NVD
added 5 days ago8 views

CVE-2026-56329

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview...

6.4CVSS0.00237EPSS
Exploits0References2
NVD
NVD
added 5 days ago6 views

CVE-2026-13430

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42785

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS6.6AI score0.00615EPSS
Exploits0References7
CVE
CVE
added 5 days ago10 views

CVE-2026-13430

The WordPress plugin Post Export Import with Media (versions up to 1.13.1) is vulnerable to Arbitrary File Upload. The root cause is insufficient file extension validation during ZIP import: the extension allow-list check in ajax_import_media_start() uses pathinfo() on the raw ZIP entry name, so ...

7.2CVSS6.6AI score0.00615EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-13430 Post Export Import with Media <= 1.13.1 - Authenticated (Administrator+) Arbitrary File Upload via Trailing-Dot Filename Bypass in ZIP Media Import

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 6 days ago4 views

fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies

A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by providing a specially crafted Uniform Resource Locator URL containing percent-encoded path separators and dot segments. Due to incorrect processing, fast-uri would decode these elements before proper normalization...

7.5CVSS7.2AI score0.00521EPSS
Exploits0References6
Cvelist
Cvelist
added last week31 views

CVE-2026-55849 @cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized `--workspace` Argument

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npmexecpath is unset or empty, allowing arbitrary OS command execution with the privileg...

8.5CVSS0.0016EPSS
Exploits0References4
NVD
NVD
added last week7 views

CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS0.00136EPSS
Exploits0References5
NVD
NVD
added last week7 views

CVE-2026-55874

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS0.00327EPSS
Exploits0References4
Cvelist
Cvelist
added last week36 views

CVE-2026-49145 App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include...

0.00329EPSS
Exploits0References1
EUVD
EUVD
added last week6 views

EUVD-2026-42285

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS6AI score0.00327EPSS
Exploits0References4
CVE
CVE
added last week16 views

CVE-2026-14489

The WHMCS Bridge WordPress plugin (affected: all versions up to and including 6.9) is vulnerable to an arbitrary file upload due to missing file type validation in connect(). Exploitation requires authenticated access with Custom-level permissions or higher, enabling upload of arbitrary files on ...

8.8CVSS6.7AI score0.00561EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.9 views

PT-2026-56549

Name of the Vulnerable Software and Affected Versions Composer versions prior to 2.2.29 Composer versions prior to 2.10.2 Description A flaw in the binary installation flow allows a package bin entry containing .. path segments to resolve outside the package installation directory. This can lead ...

6.1CVSS6.2AI score0.00136EPSS
Exploits0References10
OSV
OSV
added 2026/07/07 4:2 p.m.6 views

PYSEC-2026-1926 Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time

Summary An inconsistency in MethodNode can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3, it i...

8.7CVSS6.6AI score0.00138EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2026/07/07 7:1 a.m.8 views

Important: Red Hat Security Advisory: ruby:3.3 security update

An update for the ruby:3.3 module is now available for Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

7.6CVSS6AI score0.00813EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/07 4:27 a.m.5 views

CVE-2026-8924

A flaw was found in curl's cookie parsing logic. A malicious HTTP server can exploit this by setting 'super cookies' that bypass the Public Suffix List check. This allows an attacker-controlled origin to inject cookies that curl then transmits to unrelated third-party domains, leading to...

9.1CVSS5.9AI score0.00649EPSS
Exploits1References6
Rows per page
Query Builder