Lucene search
K

58 matches found

OSV
OSV
added 2026/06/30 9:6 p.m.3 views

CVE-2026-58449 txtai - Unauthenticated Remote Code Execution via Unsafe Reflection in API /reindex function Parameter

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs import and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured...

9.3CVSS6.7AI score0.00725EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.14 views

PT-2026-52109

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description The /api/icon/getDynamicIcon endpoint is excluded from authentication. When this endpoint is called with type=8 and a valid block id parameter, it invokes the RenderDynamicIconContentTemplate function...

5.9CVSS6.3AI score0.00239EPSS
Exploits0References8
OSV
OSV
added 2026/06/12 6:44 p.m.2 views

CVE-2026-50287 Missing Authentication for Critical Function in @agenticmail/mcp

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can...

8.7CVSS6AI score0.00359EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/12 6:17 p.m.32 views

CVE-2026-42932 Naxclow IoT Platform Generation of Predictable Numbers or Identifiers

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated...

6.9CVSS0.00233EPSS
Exploits0References2
NVD
NVD
added 2026/04/02 10:16 a.m.11 views

CVE-2026-33617

An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials...

5.3CVSS0.00266EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/02 9:0 a.m.7 views

CVE-2026-33617

An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials...

5.3CVSS6AI score0.00266EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/17 7:48 p.m.3 views

Information Exposure

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the encryptPass.json.php process. An attacker can obtain hashed equivalents of arbitrary passwords by submitting them to the exposed...

6.9CVSS5.9AI score0.00327EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/11 6:37 p.m.2 views

CVE-2026-31881

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

7.7CVSS5.9AI score0.0043EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/03/11 6:37 p.m.3 views

EUVD-2026-11294

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...

7.7CVSS5.9AI score0.0043EPSS
Exploits1References1
Snyk
Snyk
added 2026/03/11 6:31 a.m.3 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the...

6.9CVSS5.8AI score0.00332EPSS
Exploits0References2
NVD
NVD
added 2026/03/09 7:16 p.m.5 views

CVE-2026-30140

An incorrect access control vulnerability exists in Tenda W15E V02.03.01.26cn. An unauthenticated attacker can access the /cgi-bin/DownloadCfg/RouterCfm.jpg endpoint to download the configuration file containing plaintext administrator credentials, leading to sensitive information disclosure and...

7.5CVSS0.00327EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/03 8:1 p.m.7 views

CVE-2025-13658

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...

9.3CVSS8.1AI score0.00628EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/02 9:31 p.m.8 views

EUVD-2025-200299

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...

9.3CVSS7.6AI score0.00628EPSS
Exploits0References2
NVD
NVD
added 2025/12/02 8:15 p.m.6 views

CVE-2025-13658

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...

9.3CVSS0.00628EPSS
Exploits0References1
CVE
CVE
added 2025/12/02 7:35 p.m.20 views

CVE-2025-13658

CVE-2025-13658 affects Industrial Video & Control Longwatch devices. The root cause is the absence of code signing and execution controls on an exposed endpoint, allowing unauthenticated HTTP GET requests to inject and execute arbitrary code. Exploitation leads to SYSTEM-level privileges and pote...

9.3CVSS7.8AI score0.00628EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/12/02 7:35 p.m.4 views

CVE-2025-13658 Industrial Video & Control Longwatch has a Code Injection vulnerability

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges...

9.3CVSS7.8AI score0.00628EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/12/02 12:0 a.m.10 views

Industrial Video & Control Longwatch 代码注入漏洞

Industrial Video & Control Longwatch is an industrial-grade video surveillance and management platform from Industrial Video & Control, Inc. Industrial Video & Control Longwatch suffers from a code injection vulnerability that originates from an unauthenticated HTTP GET request that can execute...

9.3CVSS8.4AI score0.00628EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/11/18 3:5 a.m.21 views

CVE-2025-10460

A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. This vulnerability occurs due to improper input...

9.4CVSS8.2AI score0.00251EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/11/18 12:0 a.m.10 views

PT-2025-48772

Name of the Vulnerable Software and Affected Versions Longwatch version 6.309 Description A flaw in Longwatch devices permits unauthenticated HTTP GET requests to execute arbitrary code through an exposed endpoint. This is due to the lack of code signing and execution controls, leading to...

10CVSS8.2AI score0.00628EPSS
Exploits0References16
Veracode
Veracode
added 2025/11/09 8:59 a.m.9 views

OS Command Injection

@react-native-community/cli is vulnerable to OS Command Injection. The vulnerability is due to an exposed endpoint that accepts attacker-controlled POST data and passes it to system execution paths without proper sanitization, which allows an unauthenticated network attacker to run arbitrary...

9.8CVSS7.6AI score0.62378EPSS
Exploits5References13Affected Software2
Rows per page
Query Builder