Lucene search
K

6954 matches found

OSV
OSV
added 4 days ago16 views

ROOT-APP-PYPI-CVE-2026-34515 CVE-2026-34515 in rootio-aiohttp - Patched by Root

Root has patched CVE-2026-34515 in the rootio-aiohttp package for Root:PyPI. Multiple fixed versions available...

5.3CVSS5.2AI score0.00433EPSS
Exploits0
CVE
CVE
added 4 days ago9 views

CVE-2026-41878

Vulnerability (CVE-2026-41878) in R-SOFT DMS: Insecure Direct Object Reference (IDOR) affecting multiple file download endpoints. The app fetches files from the database by ID and serves them to any request, relying solely on session authentication, enabling a valid user to access any file. Repor...

7.1CVSS6.1AI score0.0047EPSS
Exploits0References1
EUVD
EUVD
added 5 days ago9 views

EUVD-2026-39007

Mistune: Potential DoS via quadratic-time parsing in parselinktext...

8.7CVSS7.1AI score0.0035EPSS
Exploits0References5
NVD
NVD
added 5 days ago6 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...

8.1CVSS0.00298EPSS
Exploits0References5
CVE
CVE
added 5 days ago10 views

CVE-2026-55212

CVE-2026-55212 affects Pimcore’s Studio API: the class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create validates permissions against the objects permission instead of the classes permission, enabling a standard editor-level user to create cl...

7.1CVSS6AI score0.00199EPSS
Exploits0References5
NVD
NVD
added 5 days ago7 views

CVE-2026-59213

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, getallmodels handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of keybuilder, causing permission-filtered per-user model lists to share a stat...

5CVSS0.00273EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 5 days ago8 views

CVE-2026-50644

SOPlanning is vulnerable to SQL injection in the audit retention configuration. An attacker holding parametersall rights can inject SQL commands into the audit configuration form which is then saved. The execution is triggered when the audit functionality is accessed by the attacker or another...

8.6CVSS6.2AI score0.00277EPSS
Exploits0References3
NVD
NVD
added 5 days ago9 views

CVE-2026-59269

A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the...

3.8CVSS0.0017EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 5 days ago5 views

Linux Distros Unpatched Vulnerability : CVE-2026-59927

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the Include directive in src/mistune/directives/include.py detects only direct...

5.3CVSS6.1AI score0.00307EPSS
Exploits1References3
Snyk
Snyk
added 6 days ago5 views

Incorrect Authorization

Overview github.com/nats-io/nats-server/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient enforcement of destination permission checks for...

6.5CVSS6.1AI score0.00428EPSS
Exploits0References2
CVE
CVE
added 6 days ago22 views

CVE-2026-54777

CoreWCF.NetNamedPipe transport is vulnerable to a local TOCTOU race where an attacker can race a NamedPipeListener between the shared-memory GUID publication and the creation of the service pipe, enabling interception of NetNamedPipe traffic by attaching to a pre-existing named pipe instance. Aff...

6.5CVSS6AI score0.00088EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-35210 OpenCTI: Authorization Bypass via `synchronized-upsert` HTTP Header Injection

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGEKNUPDATE permission to bypass Confidence Level validation and Object Marking...

7.1CVSS0.00269EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-58192 Appium: Unauthenticated arbitrary file/directory deletion in @appium/storage-plugin

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.joinstorageRoot, name and fs.rimraf witho...

8.6CVSS0.00345EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago32 views

CVE-2026-59935 pypdf: Possible infinite loop for not terminated inline images (ASCII85 and ASCIIHex filter)

pypdf is a free and open-source pure-python PDF library. Prior to 6.14.2, an attacker can craft a PDF with a page content stream containing a not terminated inline image that uses the ASCII85 or ASCIIHex filters, causing an infinite loop during parsing such as when extracting page text. This issu...

8.7CVSS0.00352EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS0.00136EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-59924

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory wh...

5.9CVSS6AI score0.0034EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 6 days ago4 views

CVE-2026-11856

A flaw was found in curl. When libcurl performs a transfer to an HTTP origin using Digest authentication and then reuses the same connection handle for a subsequent transfer to a different origin, it may incorrectly send the authentication header intended for the first origin to the second. This...

9.8CVSS5.8AI score0.01064EPSS
Exploits1References6
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-59876 protobufjs: Text Format string map parsing can mutate returned map object prototype

protobufjs compiles protobuf definitions into JavaScript JS functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key proto to change the prototype of the returned map object instead of...

4.8CVSS0.00221EPSS
Exploits0References4
CVE
CVE
added 6 days ago7 views

CVE-2026-57439

CyberChef’s CVE-2026-57439 affects the Series Chart operation prior to version 11.2.0. The vulnerability arises when parsing user-supplied CSV, where proto can be used as a key, enabling prototype pollution. This can be chained with other operations (e.g., Parse UDP) to inject malicious JavaScrip...

5CVSS5.9AI score0.00094EPSS
Exploits0References5
CVE
CVE
added 6 days ago9 views

CVE-2026-58654

The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 suffers an unrestricted file upload in /api/v1/users/user/avatar: it validates only the client-declared MIME type and allows arbitrary content to be stored under user/accounts/avatars/ with predictable filenames. Although direct HTTP access is b...

5.3CVSS6.7AI score0.00261EPSS
Exploits0References2
Rows per page
Query Builder