Lucene search
K

19692 matches found

Nuclei
Nuclei
added 2 hours ago114 views

Vendure - Arbitrary File Read

Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...

9.1CVSS7.3AI score0.59798EPSS
Exploits1References5
Nuclei
Nuclei
added 2 hours ago16 views

MagicMirror <= 2.35.0 - Server-Side Request Forgery

An unauthenticated Server-Side Request Forgery SSRF vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment...

9.2CVSS6.1AI score0.01623EPSS
Exploits1References4
NVD
NVD
added yesterday5 views

CVE-2026-59148

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday3 views

Malicious code in vite-pwa-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0 Package vite-pwa-config impersonates the popular vite-plugin-pwa antfu — the README instructs users to import configJson from vite-plugin-pwa, and...

6.6AI score
Exploits0References2
EUVD
EUVD
added yesterday4 views

EUVD-2026-42683

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS6AI score
Exploits0References5
Cvelist
Cvelist
added yesterday9 views

CVE-2026-59148 Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday3 views

Malicious code in nonenull1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 162cd9e0496d35e0500fe084f6011a3e6893182b0fa209502c5d6017ab1138ac The package declares gypfile: true with no native C/C++ sources, and its binding.gyp abuses GYP command-expansion syntax in the sources list — !node...

6.1AI score
Exploits0References8
RedhatCVE
RedhatCVE
added yesterday4 views

CVE-2026-59819

A flaw was found in LiteLLM, a proxy server for Large Language Model LLM APIs. A privileged caller, such as a proxy administrator, with permissions to test model connections, could exploit the /health/testconnection endpoint. By supplying specific environment or OIDC OpenID Connect file reference...

4.9CVSS6AI score0.00278EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added yesterday5 views

podman: Podman: Information disclosure via malicious container image environment variables

A flaw was found in Podman, a tool for managing OCI containers and pods. A malicious container image can be crafted with an environment variable that has a key but no value, or an asterisk , to trick Podman. This vulnerability causes Podman to pass host environment variables into the container...

7.5CVSS5.9AI score0.0026EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-47828

During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network...

8.9CVSS7.1AI score0.00088EPSS
Exploits0References2
CVE
CVE
added yesterday13 views

CVE-2026-47828

The CVE affects bosh-cli versions prior to 7.10.4. During bosh create-env/delete-env, the CLI uploads CPI packages and rendered job templates to the VM’s DAV blobstore over HTTPS without verifying the server certificate, despite a CA certificate being present in the manifest. This enables a netwo...

8.9CVSS7.1AI score0.00088EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added yesterday5 views

podman: Podman: Information disclosure via malicious container image environment variables

A flaw was found in Podman, a tool for managing OCI containers and pods. A malicious container image can be crafted with an environment variable that has a key but no value, or an asterisk , to trick Podman. This vulnerability causes Podman to pass host environment variables into the container...

7.5CVSS5.9AI score0.0026EPSS
Exploits0References6
CVE
CVE
added 2 days ago5 views

CVE-2026-54590

AsyncSSH (Python, v2.23.0) contains an incomplete fix for CVE-2026-45309 in SSHServerConfig._set_tokens that blocks /, , and .. before %u substitution in AuthorizedKeysFile but fails to block a leading ~ or ${ENV}. This allows later expansion in _expand_val and Path(filename).expanduser() to esca...

5.9CVSS6AI score0.00285EPSS
Exploits0References3
CVE
CVE
added 2 days ago9 views

CVE-2026-59819

LiteLLM (proxy server AI Gateway) prior to 1.83.10-stable allows a privileged caller via /health/test_connection to resolve request-supplied litellm_params environment and OIDC file references, enabling potential local file reads through an oidc/file/ reference. This is fixed in version 1.83.10-s...

2.1CVSS5.9AI score0.00278EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago29 views

CVE-2026-59821 LiteLLM: Custom Code Guardrails production endpoints bypass code safety checks

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.82.0-stable, LiteLLM's Custom Code Guardrails production create and update paths did not apply the same sandboxing and validation used by the test endpoint, allowing a privileged user with access to creat...

2.1CVSS0.00288EPSS
Exploits0References3
Chainguard
Chainguard
added 2 days ago5 views

GHSA-4RJ2-PR7F-CMPG vulnerabilities

Vulnerabilities for packages: linux-gcp, linux-aws, linux-vmware...

5.9AI score
Exploits0
NVD
NVD
added 2 days ago4 views

CVE-2026-55433

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS0.00394EPSS
Exploits0References6
OSV
OSV
added 3 days ago3 views

DEBIAN-CVE-2026-14380

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package...

6.3AI score0.00237EPSS
Exploits0References1
NVD
NVD
added 3 days ago6 views

CVE-2026-14380

DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile. When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package...

8.8CVSS0.00237EPSS
Exploits0References4
NVD
NVD
added 3 days ago6 views

CVE-2026-46354

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS0.0026EPSS
Exploits0References8
Rows per page
Query Builder