Lucene search
K

4214 matches found

Nuclei
Nuclei
added yesterday32 views

Apache NiFi - Information Disclosure

Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases wher...

5.4CVSS6.2AI score0.03095EPSS
Exploits0
NVD
NVD
added 4 days ago6 views

CVE-2026-22660

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...

8.6CVSS0.00328EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-22660 FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...

8.6CVSS0.00328EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42877

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...

8.6CVSS6AI score0.00328EPSS
Exploits0References3
NVD
NVD
added 5 days ago8 views

CVE-2026-44787

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primarygroupid and gain whisper-group privileges without legitimate group membership on sites with whispersallowedgroups configured. This...

8.2CVSS0.00309EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-44787

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, the signup flow could allow newly registered users to set primarygroupid and gain whisper-group privileges without legitimate group membership on sites with whispersallowedgroups configured. This...

8.2CVSS6AI score0.00309EPSS
Exploits0References10Affected Software1
CVE
CVE
added 5 days ago12 views

CVE-2026-44787

Discourse exposes a flaw in signup: before versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a new user could set primary_group_id and gain whisper-group privileges when whispers_allowed_groups is configured. This is fixed in 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The CVSS 3.1 base score ...

8.2CVSS6AI score0.00309EPSS
Exploits0References9
NVD
NVD
added 5 days ago6 views

CVE-2026-31983

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH...

6.9CVSS0.00235EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-31983

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH...

6.9CVSS6AI score0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-31983 Missing authentication in SSH keys synchronization endpoint in Guardian/CMC before 26.2.0

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH...

6.9CVSS0.00235EPSS
Exploits0References1
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42533

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH...

6.9CVSS6AI score0.00235EPSS
Exploits0References1
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42518

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselv...

9.3CVSS6AI score0.00132EPSS
Exploits0References1
CVE
CVE
added 5 days ago11 views

CVE-2026-47840

CVE-2026-47840 concerns LDAP StartTLS with UAA: a network attacker between UAA and its LDAP directory can impersonate the directory using any trusted certificate, harvest LDAP bind passwords and end-user passwords during simple-bind, and return forged group memberships that grant admin scopes. Af...

9.3CVSS6AI score0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-47840 LDAP StartTLS unconditionally disables hostname verification

A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselv...

9.3CVSS0.00132EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56994

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description The EventSerializer could expose invited group names, sample invitees, and attendan...

5.3CVSS6.1AI score0.00399EPSS
Exploits0References12
Tenable Nessus
Tenable Nessus
added 5 days ago7 views

Google Chrome < 150.0.7871.114 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 150.0.7871.114. It is, therefore, affected by multiple vulnerabilities as referenced in the 202607stable-channel-update-for-desktop01162222768 advisory. - Use after free in InterestGroups in Google Chrome prior to...

9.6CVSS6.4AI score0.00306EPSS
Exploits0References55
NVD
NVD
added 6 days ago14 views

CVE-2026-15133

Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS0.00247EPSS
Exploits0References2
Debian CVE
Debian CVE
added 6 days ago4 views

CVE-2026-15133

Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS6.3AI score0.00247EPSS
Exploits0
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-15133

Use after free in InterestGroups in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

0.00247EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-46672

Actual is a local-first personal finance app. Prior to 26.6.0, @actual-app/cli ships a hand-rolled CSV serializer in packages/cli/src/output.ts used whenever the global --format csv option is passed, whose escapeCsv helper only handles RFC 4180 delimiter, quote, and newline escaping and does not...

4.6CVSS6.1AI score0.00188EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder