Lucene search
K

154 matches found

EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42922

A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...

6.8CVSS6AI score0.00221EPSS
Exploits0References1
CVE
CVE
added 4 days ago6 views

CVE-2026-8595

CVE-2026-8595 describes a stored XSS in Grafana's TableNG panel. An Editor can craft a dashboard with a malicious field name, causing script execution in the browser for any viewer of that dashboard. Affected component: the TableNG panel in dashboards. Root cause: stored cross-site scripting via ...

6.8CVSS6AI score0.00221EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-8595 Stored XSS in the table panel (TableNG)

A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...

6.8CVSS0.00221EPSS
Exploits0References1
NVD
NVD
added 2026/07/05 2:16 p.m.7 views

CVE-2026-14751

A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notescontroller::searchscratchdata of the file application/PHP/objects/notes/searchscratchdata.php. This manipulation of the argument fieldname causes sql...

6.5CVSS0.00204EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/05 1:15 p.m.10 views

CVE-2026-14751

A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notescontroller::searchscratchdata of the file application/PHP/objects/notes/searchscratchdata.php. This manipulation of the argument fieldname causes sql...

6.5CVSS6.4AI score0.00204EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/24 6:49 a.m.40 views

CVE-2026-7761 Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

8.8CVSS0.00499EPSS
Exploits0References10
OSV
OSV
added 2026/06/22 6:16 p.m.4 views

DEBIAN-CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

5.3CVSS5.9AI score0.00177EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 6:16 p.m.13 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

5.3CVSS0.00177EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/15 8:20 p.m.19 views

python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

Summary parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=..., and the filename0/filename1 continuation form is decoded and surfaced...

5.3CVSS5.3AI score0.00177EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/12 7:16 p.m.8 views

UBUNTU-CVE-2026-12143

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...

8.7CVSS5.4AI score0.00409EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.14 views

PT-2026-47230

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at...

6.4CVSS5.3AI score0.00187EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/29 1:40 p.m.10 views

CVE-2026-46510

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys e.g. namesub into nested objects without filtering proto, constructor, or prototype. A single HTTP form field whose name starts with proto... causes the library to mutate...

8.2CVSS5.8AI score0.00282EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/05/18 5:35 p.m.13 views

Uncaught Exception

Overview multiparty is a multipart/form-data parser which supports streaming Affected versions of this package are vulnerable to Uncaught Exception through the parsing of multipart/form-data requests containing field names that collide with inherited Object.prototype properties. An attacker can...

8.7CVSS5.8AI score0.00473EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/18 5:35 p.m.12 views

Uncaught Exception

Overview org.webjars.npm:multiparty is a multipart/form-data parser which supports streaming Affected versions of this package are vulnerable to Uncaught Exception through the parsing of multipart/form-data requests containing field names that collide with inherited Object.prototype properties. A...

8.7CVSS5.8AI score0.00473EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 11:59 p.m.7 views

CVE-2026-8053

An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. The issue results from an inconsistency in the internal field-name-to-index mapping within the time-series...

8.8CVSS6.1AI score0.0057EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/05/12 10:16 a.m.8 views

DEBIAN-CVE-2026-8161

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push on the inherited...

7.5CVSS5.8AI score0.00473EPSS
Exploits1References1
Debian CVE
Debian CVE
added 2026/05/12 8:50 a.m.38 views

CVE-2026-8161

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push on the inherited...

7.5CVSS5.8AI score0.00473EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.13 views

PT-2026-40540

Name of the Vulnerable Software and Affected Versions protobufjs versions prior to 7.5.6 protobufjs versions prior to 8.0.2 Description protobufjs generates JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped befor...

5.3CVSS5.9AI score0.00431EPSS
Exploits0References8
OSV
OSV
added 2026/05/11 5:39 a.m.16 views

BIT-GDAL-2026-8087 OSGeo gdal GDapi.c GDnentries heap-based overflow

A security flaw has been discovered in OSGeo gdal up to 3.13.0. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploi...

7.8CVSS5.9AI score0.00223EPSS
Exploits1References9
SUSE CVE
SUSE CVE
added 2026/05/09 2:46 a.m.11 views

SUSE CVE-2026-8087

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The...

7.8CVSS5.8AI score0.00223EPSS
Exploits1References3
Rows per page
Query Builder