Lucene search
K

292 matches found

Schneier on Security
Schneier on Security
added 2026/05/13 11:3 a.m.18 views

OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities

The UK's AI Security Institute evaluated GPT-5.5's ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available. Here is the Institute's evaluation of Mythos. And here is an analysis of a smaller, cheaper model. It...

5.8AI score
Exploits0
Circl
Circl
added 2026/05/10 3:11 p.m.33 views

CVE-2022-50955

creationtimestamp| type| source ---|---|--- 2026-05-10 15:11:49+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mlj2ackmlb2r...

5.3CVSS5.8AI score0.0013EPSS
Exploits0References1
Oracle linux
Oracle linux
added 2026/05/05 12:0 a.m.13 views

python-tornado security update

6.5.5-1.1 - Update to 6.5.5 Resolves: RHEL-160934...

8.7CVSS7.3AI score0.00375EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/04/30 12:0 a.m.10 views

Amazon Linux 2023 : python3-tornado (ALAS2023-2026-1587)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1587 advisory. In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536...

7.2CVSS5.8AI score0.00237EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/08 8:30 a.m.2 views

CVE-2026-39635 WordPress Grand Magazine theme <= 3.5.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through = 3.5.5...

5.4CVSS5.9AI score0.00098EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/24 6:18 p.m.20 views

CVE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server...

8.7CVSS0.00452EPSS
Exploits0References5
OSV
OSV
added 2026/03/20 2:25 p.m.6 views

OESA-2026-1675 python-tornado security update

Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setti...

8.7CVSS5.8AI score0.00375EPSS
Exploits0References2
CVE
CVE
added 2026/03/20 5:17 a.m.54 views

CVE-2026-33036

CVE-2026-33036 concerns the fast-xml-parser library. A bypass vulnerability in versions 4.0.0-beta.3 through 5.5.5 allows numeric character references (&#NNN;, &#xHH;) and standard XML entities to evade entity expansion limits (maxTotalExpansions, maxExpandedLength) intended to fix CVE-2026-26278...

7.5CVSS5.8AI score0.00576EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/18 8:37 p.m.11 views

CVE-2026-32321

ClipBucket v5.x prior to 5.5.3 #80 contains an authenticated time-based blind SQL injection in the actions/ajax.php endpoint. The vulnerability arises from insufficient input sanitization of the userid parameter, enabling an authenticated attacker to execute arbitrary SQL queries, leading to full...

8.8CVSS6.1AI score0.00432EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.9 views

Jenkins 安全漏洞

Jenkins is an open-source application developed by Jenkins Project. The open-source automation server Jenkins offers hundreds of plugins to support building, deploying, and automating any project. Jenkins versions 2.554 and earlier, as well as LTS 2.541.2 and earlier, have security vulnerabilitie...

8.8CVSS6.1AI score0.01161EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.8 views

PT-2026-26167

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...

8.6CVSS5.8AI score0.10069EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/03/15 5:2 a.m.4 views

CVE-2026-4165

A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit ha...

4.8CVSS3.9AI score0.00199EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/03/12 12:0 a.m.7 views

Progress Flowmon ADS 跨站脚本漏洞

Progress Flowmon ADS is a network traffic analysis and anomaly detection system developed by the American company Progress. Versions of Progress Flowmon ADS prior to 12.5.5 and 13.0.3 contained a cross-site scripting vulnerability. This vulnerability could lead to unexpected operations when...

8.6CVSS5.7AI score0.00286EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/11 7:27 p.m.29 views

CVE-2026-31958 Tornado has a DoS due to too many multipart parts

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

8.7CVSS0.00375EPSS
Exploits0References1
OSV
OSV
added 2026/03/11 7:27 p.m.4 views

CVE-2026-31958 Tornado has a DoS due to too many multipart parts

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

8.7CVSS5.8AI score0.00375EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/11 12:0 a.m.5 views

Tornado 资源管理错误漏洞

Tornado is a Python web framework and asynchronous networking library from Tornado China. This library can scale to thousands of open connections by using non-blocking network I/O, making it ideal for applications that require long-term polling, WebSocket, and other scenarios where long-term...

8.7CVSS7.2AI score0.00375EPSS
Exploits0References2
NVD
NVD
added 2026/03/10 8:16 p.m.5 views

CVE-2026-29175

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any...

8.6CVSS0.00204EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/10 7:59 p.m.5 views

CVE-2026-29176 Craft Commerce has Stored XSS in Inventory Location Name

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an...

4.8CVSS6AI score0.00234EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/10 7:54 p.m.6 views

CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/10 7:54 p.m.5 views

EUVD-2026-10815

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References3
Rows per page
Query Builder