Lucene search
K

3829 matches found

Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.7 views

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...

6.9CVSS6.1AI score0.0033EPSS
Exploits0References3Affected Software1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.6 views

Astra Linux – Vulnerability in Firefox and Thunderbird

Additional techniques that built upon the slipstream research, combined with a malicious web page, could have exposed both hosts within an internal network as well as services running on the user’s local machine. This vulnerability affects Firefox versions earlier than 85...

7.4CVSS7.8AI score0.01323EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.10 views

Astra Linux – Vulnerability in rabbitMQ-server

Pivotal RabbitMQ versions prior to v3.7.18, as well as RabbitMQ for PCF versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components: the virtual host limits page and the federation management UI. These components do not properly...

4.8CVSS6.2AI score0.01165EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in cups

OpenPrinting CUPS is a standards-based, open-source printing system for Linux and other Unix-like operating systems. Starting from version 2.0.0 and before version 2.4.6, CUPS logged data to the logging service after the connection was closed, when it should have logged the data just before that...

7.1CVSS7AI score0.01395EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.16 views

PT-2026-51113

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.9 Craft CMS versions 5.0.0-RC1 through 5.9.9 Description Craft CMS is subject to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection via the '/actions/app/resource-js' endpoint. The iss...

9.2CVSS6AI score0.0033EPSS
Exploits0References8
Snyk
Snyk
added 2026/06/17 1:55 p.m.5 views

Creation of Temporary File in Directory with Insecure Permissions

Overview @mariozechner/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in the process handling temporary extension package installs...

7.3CVSS6.3AI score0.00115EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 1:55 p.m.4 views

Creation of Temporary File in Directory with Insecure Permissions

Overview @earendil-works/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in the process handling temporary extension package instal...

7.3CVSS6.3AI score0.00115EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 4:58 a.m.6 views

MAL-2026-6013 Malicious code in @mastra/cursor (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ac742321cf72f2fa4cb958772f032eeb2a3ac062d31237ef0699b9de6ac0bc41 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.4AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/17 3:12 a.m.15 views

Malicious code in @mastra/sentry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08da35ae5d7bc21a7de70c2ed41f52a7a399a58fc26577835f8577fd0053136d The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/06/16 9:4 p.m.4 views

GHSA-9CR8-Q42Q-G8M7 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts

Summary There is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact,...

7.8CVSS5.8AI score0.0024EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/06/16 9:4 p.m.10 views

Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts

Summary There is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact,...

10CVSS5.7AI score0.0024EPSS
Exploits1References3Affected Software3
OSV
OSV
added 2026/06/16 3:3 p.m.11 views

GHSA-M557-WRGG-6RP4 phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access

Summary When an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access AIA extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connectio...

5.8CVSS5.7AI score0.00133EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/06/16 2:37 p.m.9 views

@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config

Summary @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remoteimages regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as .example.com is converted to an optional subdomain regex, so the apex host matches....

5.3CVSS5.5AI score0.00187EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/16 12:5 a.m.8 views

MAL-2026-5851 Malicious code in epm-service-module-v2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f7b0de1b676618a68f5707692c33cef713882df9ef3ecdb5c73391837669af7b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.4AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-49773

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.4.23 through 2026.4.23 Description An insecure file permissions issue exists in the config recovery process that restores the OpenClaw.json file with overly broad permissions. Local attackers on shared hosts can exploit...

5.7CVSS5.2AI score0.00094EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.13 views

PT-2026-49741

Name of the Vulnerable Software and Affected Versions @astrojs/netlify versions prior to 7.0.13 Description The adapter converts image.remotePatterns into Netlify Image CDN images.remote images regular expressions using semantics broader than the canonical matcher. This occurs because a single...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/15 12:0 a.m.24 views

Linux Distros Unpatched Vulnerability : CVE-2026-52719

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the...

7.1CVSS6AI score0.00301EPSS
Exploits0References4
OSV
OSV
added 2026/06/13 9:38 p.m.26 views

MAL-2026-5753 Malicious code in @gbrlxvi/ts-form-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 20e77262ebb59497687fabfba394959da9ce6afbaf436aa5fcf654b2c8a44a32 Package advertises trivial form-validation helpers notEmpty/isEmail/isPhone/maxLen/minLen but on require/import of the main module performs an...

5.9AI score
Exploits0References14
NVD
NVD
added 2026/06/13 10:16 a.m.15 views

CVE-2026-11624

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced...

9.4CVSS0.00153EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/13 8:38 a.m.15 views

EUVD-2026-36650

The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced...

9.4CVSS5.3AI score0.00153EPSS
Exploits0References2
Rows per page
Query Builder