Lucene search
K

7819 matches found

Vulnrichment
Vulnrichment
added 3 days ago6 views

CVE-2026-48947 Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints

An improper access check allows privileged users to overwrite media files without editing permissions...

6.4CVSS6AI score0.0025EPSS
Exploits0References1
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS0.00273EPSS
Exploits0References1
CVE
CVE
added 3 days ago10 views

CVE-2026-48958

In Joomla! Core, the CVE-2026-48958 issue is due to improper access control in the com_fields webservice endpoints, enabling unauthorized users to create custom fields via web services. Affected versions include Joomla! 4.0.x (before 5.4.7) and 6.0.x (before 6.1.2). The underlying impact is eleva...

8.8CVSS6AI score0.00273EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-42068

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00273EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 3 days ago3 views

CVE-2026-48958

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00273EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 3 days ago7 views

CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00273EPSS
Exploits0References1
Nuclei
Nuclei
added 3 days ago289 views

OpenMetadata - Authentication Bypass

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

9.8CVSS7.4AI score0.73255EPSS
Exploits5References5
OSV
OSV
added 3 days ago7 views

PYSEC-2026-1803 pretix has Broken Access Control Allowing Cross-User File Access via UUID

Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only...

7CVSS5.9AI score0.00226EPSS
Exploits0References6
OSV
OSV
added 3 days ago6 views

PYSEC-2026-1192 arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...

6.5CVSS6.1AI score0.00281EPSS
Exploits0References8
OSV
OSV
added 3 days ago9 views

PYSEC-2026-1842 pyspider Cross-Site Request Forgery (CSRF) via the Flask endpoints

binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery CSRF via the Flask endpoints...

8.8CVSS5.9AI score0.00223EPSS
Exploits0References6
OSV
OSV
added 3 days ago3 views

PYSEC-2026-1687 Unauthenticated views may expose information to anonymous users

Impact A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated anonymous users, including the following: - /api/graphql/ 1 - /api/users/users/session/ Nautobot 2.x only; the only information exposed to an anonymous user is which authentication backend classes...

3.7CVSS5.8AI score0.00628EPSS
Exploits0References11
OSV
OSV
added 3 days ago4 views

PYSEC-2026-2005 vantage6 vulnerable to a username timing attack on recover password/MFA token

Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes /recover/lost and /2fa/lost, which send emails to users if they have lost their password or MFA token. Usernames can be...

5.3CVSS6.1AI score0.00394EPSS
Exploits0References7
Cvelist
Cvelist
added 3 days ago32 views

CVE-2026-34170 Coolify: Server-Side Request Forgery via attacker-controlled GitHub App API URL

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS0.00171EPSS
Exploits0References1
EUVD
EUVD
added 3 days ago4 views

EUVD-2026-41997

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS6AI score0.00171EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 3 days ago5 views

CVE-2026-34170

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GithubApp apiurl field is used as the base URL for server-side HTTP requests without allowlisting or private IP blocking, allowing an authenticated user to configure a...

4.3CVSS6AI score0.00171EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56280

Name of the Vulnerable Software and Affected Versions mem0 openmemory/api affected versions not specified Description The openmemory/api component allows unauthenticated access to API routers that lack authentication middleware. This enables attackers to read, write, and delete arbitrary user...

9.8CVSS6AI score0.00498EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 3 days ago3 views

Joomla 4.0.x < 5.4.7 / 6.0.x < 6.1.2 Joomla 6.1.2 & 5.4.7 Security & Bugfix Release (5955-joomla-6-1-2-5-4-7-security-bugfix-release)

According to its self-reported version, the instance of Joomla! running on the remote web server is 4.0.x prior to 5.4.7 or 6.0.x prior to 6.1.2. It is, therefore, affected by a vulnerability. - An improper access check allows unauthorized users to create custom fields via webservices endpoints...

8.8CVSS6AI score0.00273EPSS
Exploits0References14
OSV
OSV
added 4 days ago3 views

BIT-MLFLOW-2026-8147 Authorization Bypass in mlflow/mlflow

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying trac...

8.1CVSS7.2AI score0.00348EPSS
Exploits1References3
NVD
NVD
added 4 days ago8 views

CVE-2026-53640

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding...

2.3CVSS0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-53640 FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding...

2.3CVSS0.00226EPSS
Exploits0References1
Rows per page
Query Builder