10285 matches found

CNNVD
added 2026/04/15 12:00 a.m., 11 views

ApostropheCMS security vulnerability

ApostropheCMS is a full-stack, open-source content management system from Apostrophe Technologies. ApostropheCMS versions 4.28.0 and earlier contain security vulnerabilities caused by an authorization bypass in the getRestQuery method of the @apostrophecms/piece-type...

CVSS 5.3, AI score 5.8, EPSS 0.00512
Exploits 1, References 1
Positive Technologies
added 2026/04/15 12:00 a.m., 10 views

PT-2026-33003

Name of the Vulnerable Software and Affected Versions: Advanced Custom Fields (ACF) plugin for WordPress, versions prior to 6.7.1. Description: The plugin contains a flaw where AJAX field query endpoints accept user-supplied filter parameters that override field-configured restrictions without proper...

CVSS 5.3, AI score 5.1, EPSS 0.00625
Exploits 0, References 20
NOZOMI
added 2026/04/15 12:00 a.m., 7 views

Stored Cross-Site Scripting (XSS) in Assets and Nodes in Guardian/CMC before 26.0.0

Summary: A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. Impact: An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victi...

CVSS 8.9, AI score 5.8, EPSS 0.00288
Exploits 0, Affected Software 2
EUVD
added 2026/04/14 6:30 p.m., 5 views

EUVD-2026-22665

Adobe Experience Manager versions FP11.7 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

CVSS 5.4, AI score 5.8, EPSS 0.00189
Exploits 0, References 2
NVD
added 2026/04/14 6:16 p.m., 3 views

CVE-2026-27288

Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of thi...

CVSS 5.4, EPSS 0.00189
Exploits 0, References 1
Cvelist
added 2026/04/14 6:00 p.m., 25 views

CVE-2026-27288 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)

Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of thi...

CVSS 5.4, EPSS 0.00189
Exploits 0, References 1
CVE
added 2026/04/14 6:00 p.m., 15 views

CVE-2026-27288

Adobe Experience Manager (AEM) is affected by a DOM-based XSS in versions 6.5.24 and FP11.7 and earlier. The issue arises from manipulating the DOM environment to execute malicious JavaScript in the victim’s browser, with exploitation requiring user interaction (the victim visits a crafted page)....

CVSS 5.4, AI score 5.8, EPSS 0.00189
Exploits 0, References 1, Affected Software 2
ATTACKERKB
added 2026/04/14 6:00 p.m., 3 views

CVE-2026-27288

Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of thi...

CVSS 5.4, AI score 5.8, EPSS 0.00189
Exploits 0, References 2
NVD
added 2026/04/14 4:16 p.m., 7 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

CVSS 6.5, EPSS 0.00311
Exploits 2, References 3
OSV
added 2026/04/14 9:31 a.m., 5 views

CLSA-2026-1776159098 Fix CVE(s): CVE-2025-30258

SECURITY UPDATE: signature verification DoS via malicious subkey - debian/patches/CVE-2025-30258.patch: require signing usage when looking up public key for signature verification, filtering out subkeys without valid backsig. Include upstream regression fixes to preserve verification of signature...

CVSS 4.7, AI score 5.8, EPSS 0.00179
Exploits 1, References 1
Github Security Blog
added 2026/04/14 1:05 a.m., 6 views

graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation

The OverlappingFieldsCanBeMerged validation rule exhibits quadratic time complexity when processing queries with many repeated fields sharing the same response name. An attacker can send a crafted query like hello hello hello ... with thousands of repeated fields, causing excessive CPU usage duri...

CVSS 7.5, AI score 5.9, EPSS 0.00485
Exploits 0, References 4, Affected Software 1
Snyk
added 2026/04/14 1:05 a.m., 4 views

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the OverlappingFieldsCanBeMerged validation process. An attacker can cause excessive CPU usage and resource exhaustion by submitting queries containing thousands of repeated fields with the sam...

CVSS 7.5, AI score 5.8, EPSS 0.00485
Exploits 0, References 2
OSV
added 2026/04/14 1:05 a.m., 3 views

GHSA-68JQ-C3RV-PCRR graphql-php is affected by a Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation

The OverlappingFieldsCanBeMerged validation rule exhibits quadratic time complexity when processing queries with many repeated fields sharing the same response name. An attacker can send a crafted query like hello hello hello ... with thousands of repeated fields, causing excessive CPU usage duri...

CVSS 7.5, AI score 5.9, EPSS 0.00485
Exploits 0, References 4
CNNVD
added 2026/04/14 12:00 a.m., 9 views

MaxKB security vulnerability

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Versions of MaxKB prior to 2.7.1 contain a security vulnerability stemming from stored cross-site scripting in the application name or icon...

CVSS 6.9, AI score 5.9, EPSS 0.00216
Exploits 1, References 3
Cvelist
added 2026/04/14 12:00 a.m., 28 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

EPSS 0.00311
Exploits 2, References 2
Positive Technologies
added 2026/04/14 12:00 a.m., 7 views

PT-2026-33213

Name of the Vulnerable Software and Affected Versions: graphql-go, versions prior to 15.31.5. Description: The OverlappingFieldsCanBeMerged validation rule exhibits quadratic time complexity when processing queries containing numerous repeated fields that share the same response name. Specifically, t...

CVSS 7.5, AI score 5.9, EPSS 0.00485
Exploits 0, References 8
CVE
added 2026/04/14 12:00 a.m., 13 views

CVE-2026-38533

CVE-2026-38533: In Snipe-IT v8.4.0, an improper authorization flaw in the /api/v1/users/{id} endpoint lets authenticated users with the users.edit permission modify sensitive authentication and account-state fields of other non-admin users via a crafted PUT request. Public details show the impac...

CVSS 6.5, AI score 5.8, EPSS 0.00311
Exploits 2, References 3, Affected Software 1
IBM Security Bulletins
added 2026/04/13 9:49 p.m., 3 views

Security Bulletin: vulnerability in IBM Spectrum Symphony with Spring Framework

Summary: Vulnerability in IBM Spectrum Symphony with Spring Framework. Vulnerability Details: CVEID: CVE-2024-38820. DESCRIPTION: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could...

CVSS 5.3, AI score 5.8, EPSS 0.05666
Exploits 2, Affected Software 1
RedhatCVE
added 2026/04/13 7:23 p.m., 6 views

CVE-2026-5809

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topicadd and topicedit action handlers accept arbitrary user-supplied data arrays from $_REQUEST and store them as postmeta without...

CVSS 7.1, AI score 5.9, EPSS 0.00499
Exploits 0, References 1
EUVD
added 2026/04/13 6:30 p.m., 6 views

EUVD-2026-21998

Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800...

CVSS 8.7, AI score 5.9, EPSS 0.00249
Exploits 0, References 2