Lucene search
K

5021 matches found

OSV
OSV
added 2026/06/12 7:16 p.m.6 views

UBUNTU-CVE-2026-12143

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...

8.7CVSS5.4AI score0.00409EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/06/12 6:50 p.m.30 views

CVE-2026-47260 Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs

Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule DNS resolution + public IP check, but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...

7.7CVSS0.00263EPSS
Exploits0References2
OSV
OSV
added 2026/06/12 3:8 p.m.10 views

GHSA-4PX2-PW77-VC85 SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR \r, LF \n, o...

5.5AI score0.00192EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 8:58 a.m.29 views

CVE-2026-50630

The CVE-2026-50630 issue affects Apache CXF’s OAuth2 implementation, where the AuthorizationUtils class concatenates the realm parameter into the WWW-Authenticate header without sanitizing CR/LF characters. This can enable header injection or HTTP response splitting if an attacker controls the re...

6.5CVSS5.5AI score0.00404EPSS
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/06/12 12:0 a.m.13 views

SwiftNIO HTTP/2: HTTP/2-to-HTTP/1 Request Smuggling via unvalidated :path pseudo-header in HTTP2ToHTTP1Codec

swift-nio-http2's HTTP/2-to-HTTP/1.1 codec HTTP2FramePayloadToHTTP1ServerCodec / HTTP2ToHTTP1ServerCodec did not validate pseudo-header values for control characters before placing them into the translated HTTP/1.1 message. A remote attacker could send an HTTP/2 request containing CR \r, LF \n, o...

5.3CVSS5.4AI score0.00192EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/06/11 8:16 p.m.12 views

CVE-2026-53781

Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests...

5.3CVSS0.00329EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/11 7:49 p.m.10 views

EUVD-2026-36310

Brickcom cameras ship with default credentials that allows any unauthenticated remote attacker to silently access camera feeds...

8.3CVSS5.5AI score0.00197EPSS
Exploits0References3
CVE
CVE
added 2026/06/11 7:11 p.m.20 views

CVE-2026-53781

The CVE affects the Summarize utility prior to version 0.17.0. Vulnerable path is the temp-file-based media download, where an unbounded response can be streamed via the download/response path, causing disk and resource exhaustion. Root cause: responses bypass the enforced size limit due to missi...

5.3CVSS5.5AI score0.00329EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/11 12:38 p.m.41 views

CVE-2026-49214 guzzlehttp/psr7 has CRLF Injection via URI Host Component

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to...

5.3CVSS5.5AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 12:32 a.m.13 views

EUVD-2026-36138

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...

6.1CVSS5.5AI score0.00158EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.12 views

PT-2026-48735

Name of the Vulnerable Software and Affected Versions Brickcom cameras affected versions not specified Description Unauthenticated access to live snapshot images is possible via the '/ONVIF' endpoint, allowing the retrieval of still images from the camera feed without requiring authentication...

8.3CVSS5.2AI score0.00156EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.17 views

Summarize 代码问题漏洞

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.17.0 contained code vulnerabilities. These vulnerabilities were caused by server-side request forgeing attacks. Attackers could exploit these vulnerabilities by providing maliciou...

7.4CVSS5.4AI score0.00265EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 10:17 p.m.14 views

CVE-2026-53737

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...

6.1CVSS0.00158EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/10 8:39 p.m.33 views

CVE-2026-53737 Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...

6.1CVSS0.00158EPSS
Exploits0References2
CVE
CVE
added 2026/06/10 8:39 p.m.24 views

CVE-2026-53737

CVE-2026-53737 affects Juicer (through 1.12.18). The vulnerability is a Stored Cross-Site Scripting (XSS) due to unescaped remote feed API response fields on the admin settings page; when the page loads, an attacker controlling the connected feed data can inject script that runs in an administrat...

6.1CVSS5.5AI score0.00158EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/10 8:39 p.m.8 views

CVE-2026-53737 Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...

6.1CVSS5.5AI score0.00158EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.22 views

PT-2026-48551

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads...

6.1CVSS5.5AI score0.00158EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.14 views

WordPress plugin Juicer 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.1CVSS5.3AI score0.00158EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/06/09 5:3 p.m.27 views

Meta to Use Off-Site Business Data for Feed and AI Personalization

Meta on Tuesday announced that it will use information shared by other businesses to personalize users' feed and responses from its artificial intelligence AI chatbot, expanding its scope beyond targeted ads. "Businesses often share information about people's activity on their sites with us to ma...

5.7AI score
Exploits0
CVE
CVE
added 2026/06/08 4:34 p.m.31 views

CVE-2026-43966

CVE-2026-43966 describes a HTTP Response Splitting flaw in the Erlang/cowlib component, where cow_http_struct_hd:escape_string/2 only escapes backslash and quote, allowing CRLF injection into structured HTTP header values. The mismatch between the encoder (allows any byte) and the parser (accepts...

6.3CVSS5.6AI score0.00313EPSS
Exploits0References4
Rows per page
Query Builder