Lucene search
+L

753 matches found

Nuclei
Nuclei
added yesterday23 views

Cedar Gate EZ-NET <= 6.8.0 - Cross-Site Scripting

The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. id: CVE-2022-23397 info: name: Cedar Gate EZ-NET = 6.8.0 - Cross-Si...

6.1CVSS6.1AI score0.00913EPSS
Exploits0References2
CVE
CVE
added 3 days ago37 views

CVE-2026-49353

Summary (CVE-2026-49353): 9Router before 0.4.46 has a local‑only access gate in src/dashboardGuard.js that relies on Host and Origin headers to classify requests as local. In proxied/tunneled deployments (reverse proxy, Cloudflare Tunnel, Tailscale), these headers are attacker‑controlled, enablin...

7.5CVSS6.1AI score0.00357EPSS
Exploits0References4
OSV
OSV
added 3 days ago3 views

CVE-2026-49353 9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP...

7.5CVSS6.1AI score0.00357EPSS
Exploits0References6
CVE
CVE
added 2026/07/10 3:38 p.m.10 views

CVE-2026-55638

9router prior to version 0.5.2 exposed an unauthenticated access path via /codex that bypassed the API-key gate due to an incomplete rewrite handling. An attacker could send requests to /codex/* and trigger upstream provider calls using operator-stored LLM provider credentials. The vulnerability ...

8.6CVSS6.1AI score0.00372EPSS
Exploits0References3
NVD
NVD
added 2026/07/03 9:17 p.m.8 views

CVE-2026-58424

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS0.00201EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/03 8:54 p.m.35 views

CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS0.00201EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:54 p.m.6 views

CVE-2026-58424

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS5.9AI score0.00201EPSS
Exploits0References5
CVE
CVE
added 2026/07/03 8:54 p.m.34 views

CVE-2026-58424

Technical details about CVE-2026-58424 are not publicly available in the provided documents. No product, vector, or impact specifics are included. Monitor for updates in official advisories.

8.9CVSS5.9AI score0.00201EPSS
Exploits0References4
OSV
OSV
added 2026/07/03 8:54 p.m.5 views

CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS5.9AI score0.00201EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.13 views

PT-2026-55657

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A flaw exists that allows for a permanent fork pull request workflow approval gate bypass. This issue enables an attacker to circumvent the required approval...

8.9CVSS6AI score0.00201EPSS
Exploits0References13
Github Security Blog
Github Security Blog
added 2026/07/02 9:13 p.m.13 views

9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

Summary The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Ho...

10CVSS6.6AI score0.04572EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/02 4:18 p.m.10 views

GHSA-WV26-J37Q-2G7P OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions

Summary Slack plugin approvals used the exec approver gate for plugin actions. In affected versions, a Slack user authorized only for exec approvals could resolve a plugin approval through the exec approver gate. This advisory is scoped to the named feature and configuration. It does not change...

4.3CVSS6AI score0.00173EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55457

9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP...

7.5CVSS6.1AI score0.00357EPSS
Exploits0References7
GitLab Advisory Database
GitLab Advisory Database
added 2026/07/02 12:0 a.m.14 views

9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Host and...

10CVSS5.8AI score0.04572EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/07/01 9:15 p.m.7 views

MAL-2026-6723 Malicious code in electron-orbit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7faf51a6c9d6ed9fce8cf9de9ea8afee0e9c3dc1fb254e8cd0c3c2a8ca61323f On require'electron-orbit', the module unconditionally fires an auto-prefetch pipeline in Node contexts when no document is present that opens a raw...

5.8AI score
Exploits0References32
CVE
CVE
added 2026/07/01 7:24 p.m.36 views

CVE-2026-49858

API Platform Core contains a cross-user attribute leak in JSON:API and HAL item normalizers due to a missing isCacheKeySafe gate. Affected versions: 2.6.0 up to 4.1.28, 4.2.25, and 4.3.11 (i.e., before 4.1.29, 4.2.26, 4.3.12). Root cause: componentsCache arrays are keyed on $context['cache_key'] ...

5.9CVSS5.7AI score0.00197EPSS
Exploits0References1
OSV
OSV
added 2026/07/01 5:22 p.m.4 views

DRUPAL-CONTRIB-2026-068

This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows that were not intended by the use...

5.4CVSS6AI score0.0023EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 12:34 a.m.11 views

EUVD-2026-40414

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS5.8AI score0.00437EPSS
Exploits0References6
CVE
CVE
added 2026/06/30 9:5 p.m.25 views

CVE-2026-58446

CVE-2026-58446 affects Presenton before 0.8.8-beta. The MCP server deployed with session authentication in server/Docker setups is reachable unauthenticated at /mcp because the nginx front-end does not apply the auth gate to that path, and the MCP server auto-mints a valid internal session token ...

6.9CVSS5.8AI score0.00437EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/30 8:38 p.m.9 views

Malicious code in cursed-modules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45b6aab954f9b8edbc759c97eabe39d7a070c4dbe852586422761ad0f8c7ad95 [email protected] executes attacker-controlled code on three separate triggers and operates a bidirectional command channel against a hardcoded...

6AI score
Exploits0References19
Rows per page
Query Builder