Lucene search
K

505 matches found

AlpineLinux
AlpineLinux
added 2026/06/04 2:34 p.m.11 views

CVE-2026-40930

LIBPNG is a reference library for use in applications that process PNG Portable Network Graphics raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing...

5.4CVSS5.8AI score0.00202EPSS
Exploits0
OSV
OSV
added 2026/06/04 2:21 p.m.7 views

GHSA-777C-7FJR-54VF Allocation of Resources Without Limits or Throttling in Axios

Summary Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies large...

7.5CVSS5.8AI score0.0063EPSS
Exploits1References6
RedHat Linux
RedHat Linux
added 2026/06/02 11:22 a.m.20 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS7.3AI score0.00728EPSS
Exploits0References8
OSV
OSV
added 2026/05/29 10:32 p.m.21 views

GHSA-GV23-XRM3-8C62 PraisonAI has Cross-Workspace IDOR and Privilege Escalation via Platform API

Summary The PraisonAI Platform API has two authorization failures that together break workspace isolation. The service layer for issues and projects performs global primary-key lookups without checking workspace ownership, so any authenticated user can read, modify, and delete resources in any...

8.8CVSS5.8AI score0.00044EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 5:49 p.m.9 views

GHSA-C4CF-2HGV-2QV6 vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

Summary The BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object inherits from the proxy via Object.create, the property assignment...

8.6CVSS6AI score0.00287EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/29 5:49 p.m.18 views

vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

Summary The BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object inherits from the proxy via Object.create, the property assignment...

8.6CVSS6AI score0.00287EPSS
Exploits0References5Affected Software1
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.14 views

WordPress plugin Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.8AI score0.003EPSS
Exploits0References10
OSV
OSV
added 2026/05/26 9:4 p.m.3 views

CVE-2026-44900 epa4all-client: VAU Signature bypass

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted, the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify. The method performs certificate chain...

8.1CVSS5.9AI score0.00121EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/26 9:4 p.m.12 views

CVE-2026-44900

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted, the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify. The method performs certificate chain...

8.1CVSS5.8AI score0.00121EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/05/26 6:16 p.m.14 views

CVE-2026-44775

Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with AllowAnonymous, allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Sin...

6.9CVSS0.00281EPSS
Exploits0References2
OSV
OSV
added 2026/05/25 2:0 p.m.3 views

CVE-2026-47071 SOCKS5 TLS upgrade ignores caller timeout in hackney

Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackneysocks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which...

8.2CVSS5.8AI score0.00703EPSS
Exploits1References9
CVE
CVE
added 2026/05/25 2:0 p.m.26 views

CVE-2026-47071

The vulnerability CVE-2026-47071 affects benoitc hackney (from 0.10.0 up to 4.0.0). The SOCKS5 transport (src/hackney_socks5.erl) forwards the caller timeout through SOCKS5 negotiation but upgrades to TLS with ssl:connect/2, which defaults to an infinite timeout. The Timeout in scope at the call ...

8.2CVSS5.7AI score0.00703EPSS
Exploits1References4Affected Software1
SUSE CVE
SUSE CVE
added 2026/05/23 1:29 a.m.22 views

SUSE CVE-2026-39831

The Verify method for FIDO/U2F security key types [email protected], [email protected] did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

8.1CVSS5.8AI score0.00373EPSS
Exploits0References27
NVD
NVD
added 2026/05/20 2:16 p.m.14 views

CVE-2026-21836

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data...

6.5CVSS0.00264EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in Ansible

A flaw was discovered in Ansible Engine, in ansible-engine 2.8.x before 2.8.15, and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation, even when the disablegpgcheck parameter is set to False—which is the default...

7.1CVSS8.1AI score0.00233EPSS
Exploits0References2
Hacker One
Hacker One
added 2026/05/14 11:14 a.m.25 views

curl: libssh SFTP initialization ignores CURLOPT_TIMEOUT, hangs indefinitely

Hi all, The libssh backend in lib/vssh/libssh.c ignores CURLOPTTIMEOUT / --max-time during SFTP subsystem negotiation. A server that completes SSH authentication and then stalls before answering the SSHFXPINIT packet will pin the curl process indefinitely — no timeout fires, no error is returned,...

5.8AI score
Exploits0
Hacker One
Hacker One
added 2026/05/14 10:40 a.m.39 views

curl: rustls backend silently ignores CURLOPT_CRLFILE when native CA store is active

Hi all, When the rustls backend is configured to use the OS native CA store --ca-native / CURLSSLOPTNATIVECA, any CRL file supplied via --crlfile / CURLOPTCRLFILE is silently ignored. The option is accepted — CURLEOK from curleasysetopt, exit 0 from the command line — and revoked certificates pas...

5.8AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.15 views

PT-2026-40727

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description Broken access control in the publish-mode allows readers to enumerate metadata from documents that are invisible to the publish service. This occurs because certain search handlers do not filter...

4.3CVSS5.8AI score0.00221EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/11 3:54 p.m.30 views

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

Impact Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected conte...

8.1CVSS5.8AI score0.00485EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:47 p.m.12 views

epa4all-client has a VAU Signature bypass

Impact In SignedPublicKeysTrustValidatorImpl.isTrusted, the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify. The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually...

8.1CVSS5.8AI score0.00121EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder