CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

466 matches found

EUVD•added 2 days ago•8 views

EUVD-2026-32606

Budibase: Unanchored Regex in matchers.ts Allows CSRF Bypass via Query String Injection in Budibase Worker...

6.5CVSS5.2AI score0.00014EPSS

Exploits0References2

CVE•added 2026/06/01 10:0 p.m.•13 views

CVE-2026-24782

Kiteworks users are affected by multiple SQL injection flaws in Secure Data Forms prior to version 9.3.0. An authenticated attacker with the FormBuilder role can retrieve information on or modify other users’ form definitions and some global configuration parameters. The fix is to upgrade to Kite...

8.8CVSS5.9AI score0.00031EPSS

Exploits0References1Affected Software1

EUVD•added 2026/06/01 10:0 p.m.•7 views

EUVD-2026-33842

Kiteworks is a private data network PDN. Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global...

7.6CVSS5.9AI score0.00031EPSS

Exploits0References1

Vulnrichment•added 2026/05/27 5:14 p.m.•6 views

CVE-2026-48147 Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. Th...

6.5CVSS5.8AI score0.00014EPSS

Exploits0References1

OSSF Malicious Packages•added 2026/05/21 12:28 p.m.•6 views

Malicious code in finup-mongo-library (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d9d0b210938322b805e1c8d94db07f45ca029fc4e69fb3a57f424eb885c1a39 dist/common/instrument.js calls Sentry.init at module top level with a hardcoded DSN pointing at the author's Sentry project...

5.8AI score

Exploits0References9

NVD•added 2026/05/05 8:16 p.m.•3 views

CVE-2026-34458

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions EditAdminOnly and ConfigPassword and inject arbitrary directives into the global...

9.3CVSS0.0002EPSS

Exploits0References2

CVE•added 2026/04/17 9:39 p.m.•5 views

CVE-2026-40474

CVE-2026-40474 - wger : In versions 2.5 and below, GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but uses WgerFormMixin (which enforces ownership checks) instead of the permission-enforcing mixin. Since GymConfig is a singleton without get_owner_object(), the permis...

7.6CVSS5.8AI score0.00015EPSS

Exploits1References3Affected Software1

Github Security Blog•added 2026/04/16 1:35 a.m.•2 views

wger has Broken Access Control in Global Gym Configuration Update Endpoint

Summary wger exposes a global configuration edit endpoint at /config/gym-config/edit implemented by GymConfigUpdateView. The view declares permissionrequired = 'config.changegymconfig' but does not enforce it because it inherits WgerFormMixin ownership-only checks instead of the project’s...

7.6CVSS5.8AI score0.00015EPSS

Exploits1References5Affected Software1

OSV•added 2026/04/16 1:35 a.m.•1 views

GHSA-XPPV-4JRX-QF8M wger has Broken Access Control in Global Gym Configuration Update Endpoint

7.6CVSS5.8AI score0.00015EPSS

Exploits1References5

RedhatCVE•added 2026/01/09 10:56 a.m.•4 views

CVE-2022-38665

Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system...

6.5CVSS6.9AI score0.00465EPSS

Exploits0References1

Veracode•added 2025/12/13 4:22 a.m.•4 views

Sensitive Information Disclosure

Jenkins Statistics Gatherer Plugin is vulnerable to Sensitive Information Disclosure. The vulnerability is due to storing the AWS Secret Key in plaintext in the global configuration file, allowing users with access to the Jenkins controller file system to read and misuse the credential...

6.5CVSS6.8AI score0.00134EPSS

Exploits0References2Affected Software1

NVD•added 2025/12/12 8:15 p.m.•2 views

CVE-2025-14572

A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This affects an unknown part of the file /goform/formWebAuthGlobalConfig. Performing manipulation of the argument hidcontact results in memory corruption. Remote exploitation of the attack is possible. The exploit has been made public a...

9CVSS0.00416EPSS

Exploits1References4

NVD•added 2025/11/17 6:15 p.m.•3 views

CVE-2025-34322

Nagios Log Server versions prior to 2026R1.0.1 contain an authenticated command injection vulnerability in the experimental 'Natural Language Queries' feature. When this feature is configured, certain user-controlled settings—including model selection and connection parameters—are read from the...

8.6CVSS0.00529EPSS

Exploits0References4

EUVD•added 2025/10/03 8:7 p.m.•2 views

EUVD-2022-3863

Malicious code in bioql PyPI...

6.5CVSS6.5AI score0.00107EPSS

Exploits0References4

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2022-4778

Malicious code in bioql PyPI...

8.8CVSS8.4AI score0.00078EPSS

Exploits0References6