Lucene search
+L

961 matches found

ATTACKERKB
ATTACKERKB
added 2026/02/24 5:12 p.m.3 views

CVE-2026-27468

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS5.9AI score0.00244EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/24 5:12 p.m.3 views

CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS6AI score0.00244EPSS
Exploits0References2
CVE
CVE
added 2026/02/24 5:12 p.m.18 views

CVE-2026-27468

CVE-2026-27468 (Mastodon) affects Mastodon servers that have enabled the experimental FASP feature via EXPERIMENTAL_FEATURES including “fasp”. In versions 4.4.0–4.4.13 and 4.5.0–4.5.6, actions by a FASP to subscribe to account/content lifecycle events or to backfill content did not verify adminis...

8.3CVSS5.5AI score0.00244EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/02/24 5:12 p.m.6 views

CVE-2026-27468 Mastodon may allow unconfirmed FASP to make subscriptions

Mastodon is a free, open-source social network server based on ActivityPub. FASP registration requires manual approval by an administrator. In versions 4.4.0 through 4.4.13 and 4.5.0 through 4.5.6, actions performed by a FASP to subscribe to account/content lifecycle events or to backfill content...

8.3CVSS5.6AI score0.00244EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/24 12:0 a.m.10 views

PT-2026-21779

Name of the Vulnerable Software and Affected Versions Mastodon versions 4.4.0 through 4.4.13 Mastodon versions 4.5.0 through 4.5.6 Description Mastodon is a free, open-source social network server based on ActivityPub. The issue relates to FASP Federated Actor Subscription Protocol registration,...

8.3CVSS5.3AI score0.00244EPSS
Exploits0References11
Packet Storm
Packet Storm
added 2026/02/23 12:0 a.m.204 views

📄 Tactical RMM 1.3.1 Jinja2 Server-Side Template Injection

This Metasploit module targets a server-side template injection vulnerability in Tactical RMM's template preview endpoint. The implementation is clearly marked as experimental and manually ranked due to the inherently unstable exploitation technique it relies on. The module attempts to achieve...

5.8AI score
Exploits0
Snyk
Snyk
added 2026/02/19 8:30 p.m.4 views

Access of Resource Using Incompatible Type ('Type Confusion')

Overview @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the remote form deserialization. An attacker can cause the server to become unresponsive and exhaust CPU resources by...

6.9CVSS5.7AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/19 8:29 p.m.8 views

Memory exhaustion in SvelteKit remote form deserialization (experimental only)

Versions of @sveltejs/kit prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the server process to crash due to excessive memory allocation, resulting in denial of service. Only applications using both experimental.remoteFunctions a...

5.6AI score
Exploits0References4Affected Software1
Fedora
Fedora
added 2026/02/10 1:34 a.m.7 views

[SECURITY] Fedora 43 Update: envision-3.2.0-7.fc43

UI for building, configuring, and running Monado, the open source OpenXR runtime. This is still highly experimental software, while it's unlikely that anything bad will happen, it's still unstable and there is no guarantee that it will work on your system, with your particular hardware. If you...

7.5CVSS5.4AI score0.00443EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/01/28 3:20 p.m.53 views

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

7.5CVSS5.9AI score0.00363EPSS
Exploits0References4Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/01/28 12:0 a.m.6 views

NewStart CGSL MAIN 6.06 : nodejs Multiple Vulnerabilities (NS-SA-2025-0241)

The remote NewStart CGSL host, running version MAIN 6.06, has nodejs packages installed that are affected by multiple vulnerabilities: - The use of Module.load can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects...

9.8CVSS7.2AI score0.87806EPSS
Exploits26References105
OSV
OSV
added 2026/01/27 5:25 p.m.8 views

OPENSUSE-RU-2026:20161-1 Recommended update for hauler

This update for hauler fixes the following issues: Changes in hauler: - Update to version 1.4.1 bsc1256546, CVE-2026-22772: fixed typos for containerd imports 493 fix and support containerd imports of hauls 492 bump github.com/sigstore/fulcio 489 - Update to version 1.4.0: added/updated logging f...

5.8CVSS6.7AI score0.0022EPSS
Exploits1References2
NVD
NVD
added 2026/01/26 10:15 p.m.9 views

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

7.5CVSS0.00363EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/01/22 12:0 a.m.4 views

Azure Linux 3.0 Security Update: nodejs (CVE-2024-21890)

The version of nodejs installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-21890 advisory. - The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the...

6.5CVSS5.7AI score0.00945EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/01/22 12:0 a.m.6 views

Azure Linux 3.0 Security Update: nodejs (CVE-2024-21891)

The version of nodejs installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-21891 advisory. - Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, whi...

8.8CVSS5.6AI score0.01245EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/01/22 12:0 a.m.2 views

Azure Linux 3.0 Security Update: nodejs (CVE-2024-21896)

The version of nodejs installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-21896 advisory. - The permission model protects itself against path traversal attacks by calling path.resolve on any paths giv...

9.8CVSS5.5AI score0.01262EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/01/20 8:41 p.m.6 views

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

5.8CVSS5.8AI score0.00663EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/01/20 8:41 p.m.8 views

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

10CVSS5.7AI score0.00663EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/01/20 8:41 p.m.37 views

CVE-2026-21636

CVE-2026-21636 describes a security flaw in Node.js’s Permissions model where Unix Domain Socket (UDS) connections can bypass network restrictions even when --allow-net is not enabled. Attacker-controlled inputs (e.g., URLs or socketPath) could reach arbitrary local sockets via net, tls, or undic...

10CVSS5.8AI score0.00663EPSS
Exploits1References1Affected Software1
Veracode
Veracode
added 2026/01/20 11:31 a.m.7 views

Denial Of Service (DoS)

SvelteKit is vulnerable to a Denial-Of-Service DoS. The vulnerability is due to unbounded memory allocation when processing crafted binary form payloads in the experimental form remote function, allowing attackers to exhaust server memory and disrupt service availability...

8.2CVSS5.9AI score0.00527EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder