Lucene search
K

57 matches found

NVD
NVD
added 2026/06/25 10:16 p.m.9 views

CVE-2025-71334

Flowise before 3.0.6 affected versions 2.2.8 and earlier contains an arbitrary file access vulnerability due to missing validation that the chatflowId and chatId parameters are UUIDs or numbers in file handling operations. By supplying a path-traversal value e.g., '../../../../../tmp' as the...

9.8CVSS0.00895EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/06/25 6:32 p.m.8 views

LangGraph SDK has unsafe URL path construction

Summary langgraph-sdk constructs HTTP request paths for resource operations by interpolating caller-supplied identifier values into URL templates. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to addre...

9.1CVSS5.7AI score0.00216EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/23 12:13 p.m.40 views

CVE-2026-56784 OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

OpenRemote before 1.25.0 contains an insecure direct object reference IDOR vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms method in AlarmResourceImpl.java...

8.6CVSS0.00258EPSS
Exploits0References2
OSV
OSV
added 2026/06/01 2:26 p.m.12 views

GHSA-QJWP-HRQ6-R26R kas checks out SHA-like git branches as valid commits

Impact When relying solely on a git commit ID SHA-1 or SHA-256 to qualify if a checkout of a repository is equivalent to the state validated while adding its commit ID to a kas configuration, users may be tricked to check out a branch of the same name from this repository. This implies that the...

2.1CVSS5.7AI score0.00018EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.14 views

CVE-2026-45718

Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint POST /api/tables/:sourceId/actions/:actionId/trigger fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row...

5.4CVSS5.8AI score0.00146EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.12 views

pam_usb 安全漏洞

pamusb is a Linux hardware authentication tool developed by McDope’s individual developer, based on USB devices. Versions of pamusb prior to 0.9.0 contain security vulnerabilities; these vulnerabilities stem from the lack of XPath metacharacter validation for identifiers provided to users and...

6.5CVSS5.8AI score0.00273EPSS
Exploits0References3
OSV
OSV
added 2026/05/18 8:16 a.m.7 views

SUSE-SU-2026:1970-1 Security update for php-composer2

This update for php-composer2 fixes the following issues - CVE-2026-40176: command injection via malicious Perforce repository definition bsc1262254. - CVE-2026-40261: command injection via malicious Perforce source reference/url bsc1262255. Changes for php-composer2: - version update to 2.2.27...

8.8CVSS6.6AI score0.03282EPSS
Exploits4References11
NVD
NVD
added 2026/05/13 9:16 p.m.7 views

CVE-2026-44379

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues o...

5.3CVSS0.00178EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/13 8:53 p.m.7 views

CVE-2026-44379 MISP: Improper UUID validation in MISP Collections

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues o...

5.3CVSS5.9AI score0.00178EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/13 8:53 p.m.9 views

EUVD-2026-30166

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues o...

5.3CVSS5.9AI score0.00178EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.11 views

MISP 输入验证错误漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics, and it includes features such as analysis of threats to network security and malware analysis. Prior to MISP 2.5.37, there was a...

5.3CVSS5.8AI score0.00178EPSS
Exploits0References1
NVD
NVD
added 2026/05/05 4:16 p.m.47 views

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

8.6CVSS0.00516EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/01 12:0 a.m.8 views

EUVD-2026-26488

An issue was discovered in OpenStack Keystone 13 through 29. POST /v3/credentials did not validate that the caller-supplied projectid for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credentia...

7.9CVSS5.8AI score0.00446EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/01 12:0 a.m.36 views

CVE-2026-43001

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied projectid for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credentia...

7.9CVSS0.00446EPSS
Exploits1References3
UbuntuCve
UbuntuCve
added 2026/04/30 1:16 p.m.8 views

CVE-2025-14576

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...

9.3CVSS6AI score0.00224EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/30 12:39 p.m.30 views

CVE-2025-14576 Possible QML code injection in VectorImage component

Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of...

9.3CVSS0.00224EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/22 12:0 a.m.4 views

CVE-2026-31192

Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request...

5.8AI score0.00281EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/16 11:38 p.m.5 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the handler for creating or updating Traffic Influence Subscriptions due to improper validation of the influenceId path segment. An attacker can create or overwrite arbitrary Traffic Influence Subscriptions,...

8.7CVSS5.7AI score0.00427EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 8:0 p.m.6 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization through improper validation of the influenceId path parameter in the DELETE endpoint. An attacker can remove arbitrary Traffic Influence Subscriptions by sending a crafted request with an invalid influenceId value...

8.7CVSS5.9AI score0.0038EPSS
Exploits1References2
OSV
OSV
added 2026/04/10 10:9 p.m.5 views

GHSA-X7MM-9VVV-64W8 unhead: Streaming SSR `streamKey` injected into inline script without identifier validation

Summary createStreamableHead streamKey interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a...

2.3CVSS6AI score
Exploits0References3
Rows per page
Query Builder