CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedHat Linux•added 3 days ago•6 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS7.3AI score0.00044EPSS

Exploits0References8

3.1CVSS5.1AI score0.00046EPSS

Linux Distros Unpatched Vulnerability : CVE-2026-10705

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw has been found in dask up to 3.0. Affected by this issue is the function nuniqueapprox of the file dask/dataframe/hyperloglog.py of the component HLL...

Positive Technologies•added 3 days ago•5 views

PT-2026-46086

Summary The HTTP handler / log in lib/server.js lines 491–515 of browserstack-runner passes unauthenticated user-supplied data to vm.runInNewContext combined with eval, enabling a sandbox escape and arbitrary code execution on the host system. Details When browserstack-runner starts, it creates a...

8.8CVSS6.5AI score0.00151EPSS

Exploits0References5

Cvelist•added 3 days ago•33 views

CVE-2026-36604

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...

0.00032EPSS

7.7CVSS5.5AI score0.00024EPSS

Linux Distros Unpatched Vulnerability : CVE-2026-46447

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driverinfo or node.instanceinfo. CVE-2026-46447 Note...

Exploits0References3

Vulnrichment•added 3 days ago•6 views

CVE-2026-36604

5.8AI score0.00032EPSS

CVE•added 3 days ago•7 views

CVE-2026-36604

Mercusys AC12G (EU) V1 router vulnerable to DNS rebinding due to HTTP Host header validation failure in firmware AC12G(EU)_V1_200909. An external attacker could rebound a domain to the router’s internal IP, taking advantage of an existing CORS wildcard weakness (Access-Control-Allow-Origin: *). C...

6.5CVSS5.8AI score0.00032EPSS

EUVD•added 3 days ago•5 views

EUVD-2026-34143

6.5CVSS5.8AI score0.00032EPSS

Tenable Nessus•added 3 days ago•8 views

Linux Distros Unpatched Vulnerability : CVE-2026-44728

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically...

8.2CVSS6AI score0.0002EPSS

ATTACKERKB•added 3 days ago•3 views

CVE-2026-36604

6.5CVSS5.8AI score0.00032EPSS

Positive Technologies•added 3 days ago•6 views

PT-2026-45992

Mercusys AC12G EU V1 router with firmware AC12GEU V1 200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability Access-Control-Allow-Origin: to...

5.8AI score0.00032EPSS

Tenable Nessus•added 3 days ago•7 views

RockyLinux 10 : yggdrasil (RLSA-2026:19126)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19126 advisory. net/url: Incorrect parsing of IPv6 host literals in net/url CVE-2026-25679 crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 ke...

7.5CVSS7.3AI score0.00044EPSS

Exploits0References5

Positive Technologies•added 3 days ago•8 views

PT-2026-46088

Summary The HTTP server in browserstack-runner serves files from the project directory via the default handler. This handler uses path.joinprocess.cwd, uri to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on 0.0.0....

7.1CVSS6AI score0.00024EPSS

Exploits0References5

Linux Distros Unpatched Vulnerability : CVE-2026-46239

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - media: i2c: ov5647: Fix runtime PM refcount leak in sctrl Three control cases AUTOGAIN, EXPOSUREAUTO, ANALOGUEGAIN directly return without calling pmruntimeput,...

5.8AI score0.00024EPSS

Tenable Nessus•added 3 days ago•5 views

Linux Distros Unpatched Vulnerability : CVE-2026-10294

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function gfiletest of the file src/pk-transaction.c of the component API. Such...

5.3CVSS5.4AI score0.0003EPSS

Exploits0References3

8.8CVSS5.8AI score0.00025EPSS

Linux Distros Unpatched Vulnerability : CVE-2026-28955

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5, iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe...