CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

761 matches found

CVE-2026-11941

Cloudflare Quiche contains two use-after-free flaws in the FFI path for connection IDs. The issues affect the quiche_connection_id_iter_next and quiche_conn_retired_scid_next functions, where a owned ConnectionId is returned to the application via an argument but is dropped at the end of the func...

5.6CVSS5.8AI score

Exploits0References1

NVD•added 2 days ago•9 views

CVE-2026-55198

Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The handlesessionexport handler in api/routes.py fails to verify active-profile ownership before serializing session...

7.1CVSS0.00272EPSS

Exploits0References5

NVD•added 2 days ago•6 views

CVE-2026-55197

Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET...

7.1CVSS0.00272EPSS

Exploits0References5

Github Security Blog•added 4 days ago•8 views

DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks

Cross-realm INPLACE sanitization leaves executable markup intact via realm-bound instanceof checks CWE: CWE-79 XSS — Improper Neutralization of Input During Web Page Generation via CWE-693 Protection Mechanism Failure — realm-bound instanceof checks fail-open on foreign-realm DOM nodes and CWE-50...

5.8AI score0.00055EPSS

Exploits0References2Affected Software1

OSV•added 4 days ago•2 views

GHSA-HPCV-96WG-7VJ8 DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks

6.1CVSS5.8AI score0.00055EPSS

Exploits0References2

Positive Technologies•added 4 days ago•9 views

PT-2026-49557

Cross-realm IN PLACE sanitization leaves executable markup intact via realm-bound instanceof checks CWE: CWE-79 XSS — Improper Neutralization of Input During Web Page Generation via CWE-693 Protection Mechanism Failure — realm-bound instanceof checks fail-open on foreign-realm DOM nodes and CWE-5...

6.1CVSS5.7AI score0.00055EPSS

Exploits0References3

The Hacker News•added 6 days ago•13 views

U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals

Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence AI models, Claude Fable 5 and Mythos 5 , for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., citing national...

5.6AI score

Exploits0

CNNVD•added 2026/06/09 12:0 a.m.•6 views

SEMCMS 访问控制错误漏洞

SEMCMS is an open-source content management system CMS for foreign trade websites that supports multiple languages. Version SEMCMS 5.0 has a access control vulnerability, which stems from an unauthorized access vulnerability in the SEMCMScopy.php file...

7.5CVSS5.3AI score0.00232EPSS

Exploits0References1

Github Security Blog•added 2026/06/04 7:33 p.m.•10 views

Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

Summary The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...

5.7AI score0.0005EPSS

Exploits0References4Affected Software2

OSV•added 2026/06/04 7:33 p.m.•7 views

GHSA-9V5M-39WH-5CHQ Shopware: Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment

4.3CVSS5.7AI score0.0005EPSS

Exploits0References4

RustSec•added 2026/06/04 12:0 p.m.•7 views

`pqcrypto-internals` is unmaintained: upstream PQClean project being archived

This crate provides internal FFI utilities for the pqcrypto- ecosystem, directly wrapping C implementations from PQClean. The PQClean project is being archived in or after July 2026 see PQClean/PQClean604, after which no further security patches or bug fixes will be applied to the upstream...

5.8AI score

Exploits0

Positive Technologies•added 2026/06/04 12:0 a.m.•7 views

PT-2026-46892

4.3CVSS5.7AI score0.0005EPSS

Exploits0References5

Positive Technologies•added 2026/06/04 12:0 a.m.•10 views

PT-2026-46856

4.3CVSS5.7AI score

Exploits0References5

RedhatCVE•added 2026/05/30 2:12 a.m.•9 views

CVE-2026-44794

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables,...

5.4CVSS5.8AI score0.00177EPSS

Exploits0References1

NVD•added 2026/05/28 6:16 p.m.•8 views

CVE-2026-44794

5.4CVSS0.00177EPSS

Exploits0References5

EUVD•added 2026/05/28 5:1 p.m.•6 views

EUVD-2026-32955

5.4CVSS5.8AI score0.00177EPSS

Exploits0References5

Vulnrichment•added 2026/05/28 5:1 p.m.•6 views

CVE-2026-44794 Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference

5.4CVSS5.8AI score0.00177EPSS

Exploits0References5

CNNVD•added 2026/05/28 12:0 a.m.•8 views

Nautobot 安全漏洞

Nautobot is a web automation platform developed by the Nautobot team. Versions prior to Nautobot 2.4.33 and 3.1.2 contained security vulnerabilities. These vulnerabilities stemmed from a flaw in the REST API, which failed to enforce user viewing permissions when creating or updating objects using...

5.4CVSS5.8AI score0.00177EPSS

Exploits0References6