Lucene search
K

6835 matches found

EUVD
EUVD
added 10 hours ago4 views

EUVD-2026-43536

OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perform actions requiring stronger authorization by leveraging group ID validation in the affected featu...

8.7CVSS6.1AI score
Exploits0References3
NVD
NVD
added yesterday4 views

CVE-2026-22098

Various sensitive information such as passwords and charging card UIDs are written to log files...

9.2CVSS0.00332EPSS
Exploits0References1
CVE
CVE
added yesterday11 views

CVE-2026-22098

Technical details about CVE-2026-22098 are not publicly available in the provided documents. The issue is described as sensitive information written to log files, but product/versions, impact specifics, and fixes are not specified. Monitor for updates.

9.2CVSS6.1AI score0.00332EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday16 views

CVE-2026-22098 Sensitive information is written to logs

Various sensitive information such as passwords and charging card UIDs are written to log files...

9.2CVSS0.00332EPSS
Exploits0References1
CVE
CVE
added yesterday13 views

CVE-2026-41041

CVE-2026-41041 affects Apache Gravitino (1.0.0 to before 1.2.1). The issue is a URL path injection due to unencoded user-supplied identifiers in the MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints. Impact per sources: potential confidentiality and in...

9.1CVSS6.1AI score0.00214EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added yesterday17 views

CVE-2026-41041 Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints.

URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue...

0.00214EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday17 views

CVE-2026-49876 Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs

Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 through 1.2.1. Users are recommended to upgrade to...

0.00204EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in kuaishou (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608 The package's prepare lifecycle script, which runs automatically on npm install, collects host, user, and platform identifiers along with the full...

6.1AI score
Exploits0References4
Nuclei
Nuclei
added yesterday13 views

OpenProject < 12.5.4 - Project Identifiers Exposure

OpenProject versions before 12.5.6 generate a publicly accessible robots.txt file revealing project identifiers, even if the instance is set to 'Login required', letting attackers gather project info, exploit requires no authentication. id: CVE-2023-33960 info: name: OpenProject 12.5.4 - Project...

7.5CVSS6.9AI score0.01268EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-57679

URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue...

9.1CVSS6.1AI score0.00214EPSS
Exploits0References4
OSV
OSV
added 2 days ago3 views

CVE-2026-56336 Capgo - Information Disclosure via Unauthenticated SSO check-domain Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal orgid and providerid values. Attackers can enumerate email domains to build mappings of domains to organization UUIDs and SSO provider identifiers...

6.9CVSS6.1AI score0.00205EPSS
Exploits0References4
NVD
NVD
added 3 days ago6 views

CVE-2026-56296

Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transferapp RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling...

6.9CVSS0.00239EPSS
Exploits0References2
OSV
OSV
added 3 days ago2 views

CVE-2026-56296 Cap-go - App Existence Oracle via Unauthenticated transfer_app RPC

Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transferapp RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling...

6.9CVSS6.1AI score0.00239EPSS
Exploits0References4
CVE
CVE
added 3 days ago11 views

CVE-2026-12103

CVE-2026-12103 affects the Wallet for WooCommerce WordPress plugin (

4.3CVSS6.2AI score0.00286EPSS
Exploits0References10
NVD
NVD
added 3 days ago5 views

CVE-2026-6804

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacke...

5.3CVSS0.00353EPSS
Exploits0References10
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43144

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacke...

5.3CVSS6.2AI score0.00353EPSS
Exploits0References10
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-55670 ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers

ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original...

2.3CVSS0.00286EPSS
Exploits0References4
CVE
CVE
added 4 days ago14 views

CVE-2026-55670

ZITADEL (open source identity management) prior to v4.15.2 is affected by a cross-tenant leakage in the event store validation: when a user is deleted, the original resource owner may remain associated with the deleted user’s ID and, if a new user is recreated in another organization with the sam...

2.3CVSS6.1AI score0.00286EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42885

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview...

6.4CVSS6.1AI score0.00237EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-56329 Capgo - Cross-Tenant Preview Namespace Collision via Non-Bijective Underscore Decoding

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview...

6.4CVSS0.00237EPSS
Exploits0References2
Rows per page
Query Builder