CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNNVD•added 2026/05/27 12:0 a.m.•4 views

MB Connect Line mbCONNECT24和MB Connect Line mymbCONNECT24 SQL注入漏洞

MB Connect Line mbCONNECT24 and MB Connect Line mymb CONNECTION24 are products of the German company MB Connect Line. MB Connect Line mbCONNECT24 is a remote service portal. This product supports features such as remote access, data recording, and alerts. MB Connect Line mymb CONNECTION24 is an...

8.7CVSS5.9AI score0.00064EPSS

AstraLinux•added 2026/05/20 5:53 a.m.•4 views

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: Tracing: Limit access to parser-buffer when tracegetuser fails. When the length of the string written to setftracefilter exceeds FTRACEBUFFMAX, the following KASAN alarm will be triggered: BUG: KASAN: Slab-out-of-bounds in...

7.1CVSS6.5AI score0.00024EPSS

AstraLinux•added 2026/05/20 5:53 a.m.•3 views

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix NULL page-mapping dereference in pageissecretmem Check for a NULL page-mapping before dereferencing the mapping in pageissecretmem, as the page’s mapping can be nullified while gup is running, e.g., by reclaimin...

5.5CVSS6.3AI score0.00031EPSS

AstraLinux•added 2026/05/20 5:53 a.m.•5 views

Astra Linux - уязвимость в linux-5.10, linux-5.15, linux-6.1

In the Linux kernel, the following vulnerability has been resolved: net: core: The unnecessary framesz check in bpfxdpadjusttail has been removed. Syzkaller reported the following issue: ======================================= “Too big” – xdp-framesz = 131072 WARNING: CPU: 0, PID: 5020 at...

5.7AI score0.00028EPSS

AstraLinux•added 2026/05/20 5:53 a.m.•2 views

Astra Linux - уязвимость в linux-6.1

In the Linux kernel, the following vulnerability has been resolved: parisc: Revised getuser to probe user read access rights. Due to the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so...

5.5CVSS6.6AI score0.0002EPSS

EUVD•added 2026/05/19 12:0 a.m.•7 views

EUVD-2026-30949

API endpoints in LalanaChami Pharmacy Management System commit 5c3d028 lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records including bcrypt password hashes via /api/user/getUserData, modify drug inventory, and access private medical...

5.8AI score0.00059EPSS

Snyk•added 2026/05/06 4:12 a.m.•6 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GetUserRoles API endpoint. An attacker can access ACL policies for any user across all organizations by supplying specific Name and Org parameters in a network request. Remediatio...

OSV•added 2026/05/06 3:33 a.m.•2 views

GHSA-3C93-G9G6-P5J4 Velocidex Velociraptor has an authorization bypass vulnerability

An authorization bypass CWE-639 in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy roles and permissions for any user across all organizations by supplying targeted Name and Org...

UbuntuCve•added 2026/05/06 3:15 a.m.•3 views

Exploits0References3

CVE-2026-7573

ATTACKERKB•added 2026/05/06 2:15 a.m.•2 views

CVE-2026-7573

EUVD•added 2026/05/06 2:15 a.m.•3 views

EUVD-2026-27517

CVE•added 2026/05/06 2:15 a.m.•7 views

CVE-2026-7573

Velocidex Velociraptor (GetUserRoles gRPC API) is affected in versions below 0.76.5, due to an authorization bypass (CWE-639) that allows any authenticated low-privilege user to retrieve the complete ACL policy (roles/permissions) for any user across all organizations by supplying specific Name a...

Exploits0References1Affected Software1

Vulnrichment•added 2026/05/06 2:15 a.m.•4 views

CVE-2026-7573 GetUserRoles API endpoint allows any authenticated user to enumerate ACL policies across all organizations

Positive Technologies•added 2026/05/06 12:0 a.m.•6 views

PT-2026-37339

Name of the Vulnerable Software and Affected Versions Velocidex Velociraptor versions prior to 0.76.5 Description An authorization bypass in the 'GetUserRoles' gRPC API endpoint allows any authenticated low-privilege user to retrieve the complete Access Control List ACL policy, including roles an...

Cvelist•added 2026/04/22 8:39 p.m.•24 views

Exploits0References7

CVE-2026-41167 Jellystat has SQL Injection that leads to to Remote Code Execution

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS0.00111EPSS

CVE•added 2026/04/22 8:39 p.m.•9 views

CVE-2026-41167

Jellystat prior to 1.1.10 exposes SQL injection via POST /api/getUserDetails and POST /api/getLibrary, where unsanitized request-body fields are interpolated into raw SQL. This allows an authenticated user to read any table (including app_config) and, due to node-postgres simple query usage, enab...

9.1CVSS6.1AI score0.00111EPSS