Lucene search
K

154 matches found

RedhatCVE
RedhatCVE
added 5 days ago5 views

CVE-2026-59819

A flaw was found in LiteLLM, a proxy server for Large Language Model LLM APIs. A privileged caller, such as a proxy administrator, with permissions to test model connections, could exploit the /health/testconnection endpoint. By supplying specific environment or OIDC OpenID Connect file reference...

4.9CVSS6AI score0.00278EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/01 11:20 p.m.5 views

CVE-2026-55792

Craft CMS is a content management system CMS. In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission ...

6CVSS5.8AI score0.00268EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/06/24 2:17 p.m.19 views

CVE-2026-12537

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI versions prior to 0.39.1 and run-gemini-cli GitHub Action versions prior to 0.1.22 on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously...

10CVSS0.00134EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 1:37 p.m.38 views

CVE-2026-12537 Unauthenticated Remote Code Execution in Gemini CLI CI/CD Workflows

Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI versions prior to 0.39.1 and run-gemini-cli GitHub Action versions prior to 0.1.22 on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously...

10CVSS0.00134EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 1:37 p.m.83 views

CVE-2026-12537

Summary (CVE-2026-12537) : The vulnerability affects Google Gemini CLI container launcher (versions prior to 0.39.1) and the run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms. It stems from improper neutralization in an OS command, enabling an unprivileged attacker ...

10CVSS6.3AI score0.00134EPSS
Exploits0References1Affected Software2
OSV
OSV
added 2026/06/16 7:4 p.m.5 views

GHSA-4C8G-JVCX-V4HV Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access

Summary In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile the Node-compatible...

5.2CVSS5.4AI score0.00098EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.15 views

PT-2026-50155

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description Environment access is managed by the env permission, which can be restricted via --deny-env or an allowlist using --allow-env=FOO,BAR. The process.loadEnvFile function, a Node-compatible API for loading...

5.2CVSS5.8AI score0.00098EPSS
Exploits0References6
GithubExploit
GithubExploit
added 2026/06/12 9:36 p.m.83 views

exploitGuard

Run and deploy your AI Studio app This contains everything yo...

5.3AI score
Exploits0
OSV
OSV
added 2026/06/11 12:44 p.m.5 views

SUSE-SU-2026:22118-1 Security update for python-python-dotenv

This update for python-python-dotenv fixes the following issue: - CVE-2026-28684: Prior to version 1.2.2, setkey and unsetkey in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink bsc1262423...

6.6CVSS5.5AI score0.00236EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.13 views

CVE-2026-39394

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...

9.8CVSS5.7AI score0.00516EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/01 10:3 p.m.11 views

CVE-2026-45344

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...

8.1CVSS6AI score0.00456EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 5:7 p.m.29 views

CVE-2026-47125

CVE-2026-47125 — Arcane global variables endpoint lacks admin authorization Affected: Arcane interface for Docker management (before 1.19.2) via PUT /api/environments/{id}/templates/variables that writes the system-wide .env.global. Root cause: missing admin check in the UpdateGlobalVariables han...

8.8CVSS5.8AI score0.00245EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 10:17 p.m.14 views

CVE-2026-45344

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...

8.1CVSS0.00456EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 8:41 p.m.21 views

CVE-2026-45344

LinkAce suffers a pre-auth RCE via setup flow on uninitialized instances. Before version 2.5.6, the setup database configuration flow accepts attacker-controlled database credentials and writes them into the .env file without proper escaping. A remote attacker who can reach the setup endpoints an...

8.1CVSS6AI score0.00456EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 8:41 p.m.14 views

EUVD-2026-33054

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...

8.1CVSS6AI score0.00456EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/22 1:55 a.m.12 views

Malicious code in mev-shield (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9783d5e48d62da6de516b1cf5d36474143528a9c6f33a86892ee558266a4e5ec The package advertises itself as an 'MEV protection layer for Ethereum trading bots' but does the opposite. On npm install, a postinstall script...

5.8AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/08 8:21 p.m.12 views

CVE-2026-39918

Vvveb prior to 1.0.8.1 contains a code injection vulnerability in the installation endpoint where the subdir POST parameter is written unsanitized into the env.php configuration file without escaping or validation. Attackers can inject arbitrary PHP code by breaking out of the string context in t...

9.8CVSS6.5AI score0.00665EPSS
Exploits0References1
OSV
OSV
added 2026/05/01 11:13 a.m.8 views

MAL-2026-3210 Malicious code in graphicsctxr (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 10408decaf8cace14b8124fa392ee96996c3c91358cb454cbfcd45790d18cdf9 Package contains code to exfiltrate .env to a remote target. Prior to version 2.1.1, it also created a persistent backdoor via embedding a hardcoded SSH key...

5.9AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.16 views

PT-2026-35780

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.31 Description Workspace .env files can override the OPENCLAW BUNDLED PLUGINS DIR environment variable, which compromises the verification of plugin trust. This allows attackers who have control over the...

8.5CVSS5.8AI score0.00126EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/04/24 12:31 a.m.9 views

Duplicate Advisory: OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3qpv-xf3v-mm45. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAWBUNDLEDHOOKSDIR environment variable,...

8.5CVSS6AI score0.00133EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder