Lucene search
K

780187 matches found

Cvelist
Cvelist
added 35 minutes ago4 views

CVE-2026-63175 Cross-Capture Session Data Leakage Due to Shared Mutable State in Looklyloo - PlaywrightCapture

PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP...

7.1CVSS
Exploits0References1
CVE
CVE
added 35 minutes ago3 views

CVE-2026-63175 Cross-Capture Session Data Leakage Due to Shared Mutable State in Looklyloo - PlaywrightCapture

PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP...

7.1CVSS
Exploits0References1
CVE
CVE
added 40 minutes ago3 views

CVE-2026-45313 Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUIWNDHOOKREGISTER request without validating that the thread belongs to the...

7.7CVSS0.00014EPSS
Exploits0References2
Cvelist
Cvelist
added 40 minutes ago3 views

CVE-2026-45313 Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUIWNDHOOKREGISTER request without validating that the thread belongs to the...

7.7CVSS0.00014EPSS
Exploits0References2
NVD
NVD
added 45 minutes ago3 views

CVE-2026-56679

9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole...

8.7CVSS
Exploits0References1
NVD
NVD
added 45 minutes ago3 views

CVE-2026-56678

9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authenticated attacker to supply a crafted region such as kiro-canary.local:8443 and cause 9Router to...

6.4CVSS
Exploits0References3
NVD
NVD
added 45 minutes ago2 views

CVE-2026-33684

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS
Exploits0References1
CVE
CVE
added 48 minutes ago16 views

CVE-2026-50183 WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set ...

4.7CVSS0.00031EPSS
Exploits0References2
Cvelist
Cvelist
added 48 minutes ago4 views

CVE-2026-50183 WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set ...

4.7CVSS0.00031EPSS
Exploits0References2
Cvelist
Cvelist
added 51 minutes ago4 views

CVE-2026-53446 Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js without applying the existing validateAttachmentUrl private-network checks from...

6.2CVSS0.00018EPSS
Exploits0References3
CVE
CVE
added 51 minutes ago3 views

CVE-2026-53446 Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js without applying the existing validateAttachmentUrl private-network checks from...

6.2CVSS0.00018EPSS
Exploits0References3
CVE
CVE
added 1 hour ago4 views

CVE-2026-56678

9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authenticated attacker to supply a crafted region such as kiro-canary.local:8443 and cause 9Router to...

6.4CVSS6.1AI score
Exploits0References3
Cvelist
Cvelist
added 1 hour ago3 views

CVE-2026-56678 9Router: Kiro region injection allows authenticated SSRF with Authorization header forwarding

9Router is an AI router & token saver. Prior to 0.5.6, the Kiro API-key validation endpoint POST /api/oauth/kiro/api-key builds an upstream URL using a user-controlled region value, allowing an authenticated attacker to supply a crafted region such as kiro-canary.local:8443 and cause 9Router to...

6.4CVSS
Exploits0References3
CVE
CVE
added 1 hour ago3 views

CVE-2026-56679

9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole...

8.7CVSS6.1AI score
Exploits0References1
Cvelist
Cvelist
added 1 hour ago4 views

CVE-2026-56679 9Router: Mass assignment in PATCH /api/settings allows authenticated authorization downgrade

9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole...

8.7CVSS
Exploits0References1
CVE
CVE
added 1 hour ago11 views

CVE-2026-33684

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS6.1AI score
Exploits0References1
Cvelist
Cvelist
added 1 hour ago4 views

CVE-2026-33684 AVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Allows Self-Granting Upload/Stream/Meet Permissions

WWBN AVideo is an open source video platform. Prior to version 29.0, Privilege Escalation is possible through unguarded permission parameters in signUp API, which allows any user who can solve a CAPTCHA to self-grant elevated permissions during account registration. The setapisignUp method in the...

5.3CVSS
Exploits0References1
GithubExploit
GithubExploit
added 1 hour ago6 views

labs

Security Labs !Licensehttps://img.shields.io/github/licen...

10CVSS7AI score0.96184EPSS
Exploits36
NVD
NVD
added 1 hour ago4 views

CVE-2026-49867

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template static resources let authenticated users submit TemplateManageRequest.staticResource through POST /de2api/templateManage/save or DataVisualizationServer.decompression, after which...

6.3CVSS0.00032EPSS
Exploits0References3
NVD
NVD
added 1 hour ago3 views

CVE-2026-45419

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase template saves call TemplateManageServicesave, StaticResourceServersaveFilesToServe, and the /de2api/templateManage/save endpoint with attacker-controlled staticResource names and Base64 content, allowing...

8.5CVSS0.00024EPSS
Exploits0References3
Rows per page
Query Builder