Lucene search
K

47857 matches found

CVE
CVE
added 2026/05/12 9:51 p.m.21 views

CVE-2026-42545

Granian is a Rust HTTP server for Python applications. Vulnerable from 0.2.0 up to 2.7.4, where the WSGI response conversion path uses .unwrap() on header name and value constructors; malformed headers trigger a worker process abort instead of handling the error. This results in a Denial of Servi...

5.9CVSS5.8AI score0.00222EPSS
Exploits0References1
CVE
CVE
added 2026/05/12 9:46 p.m.32 views

CVE-2026-42544

CVE-2026-42544 (Granian) affects Granian versions 1.2.0–2.7.4, where an unauthenticated client sending a WebSocket upgrade request with a non-ASCII Sec-WebSocket-Protocol header causes the server to abort the worker in the WebSocket scope construction path, yielding an unauthenticated DoS. The cr...

7.5CVSS5.8AI score0.00324EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 9:37 p.m.8 views

CVE-2026-44301 Hugo: Node tool execution allows file system access outside the project directory

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

8.6CVSS5.8AI score0.00274EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 9:37 p.m.13 views

CVE-2026-44301

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...

8.6CVSS5.8AI score0.00274EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/12 9:31 p.m.5 views

GHSA-WQWC-X3RC-2XW6 HashiCorp Nomad’s exec2 task driver vulnerable to a symlink attack

HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability CVE-2026-8052 is fixed in version 0.1.2 of the exec2 task driver...

6CVSS5.9AI score0.00129EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/12 9:31 p.m.11 views

EUVD-2026-29734

A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to...

8.8CVSS6.2AI score0.0027EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 9:28 p.m.18 views

CVE-2026-44305

Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled LDAPUSETLS = True, Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the...

6.8CVSS5.8AI score0.00094EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 9:9 p.m.8 views

CVE-2026-44260 efw4.X: readonly Flag Not Enforced Server-Side

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the JSP tag is intended to prevent file modifications. When protected=true, elfindercheckRisk enforces that the client sends readonly=true matching the session value, but no event handler checks the readonly...

8.1CVSS5.8AI score0.00301EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/12 9:6 p.m.11 views

EUVD-2026-29842

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new FilebaseDir, zipEntry.getName with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomca...

9.3CVSS6AI score0.00319EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 8:28 p.m.37 views

CVE-2026-44232 dssrf: every IPv6 category bypasses is_url_safe

DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.0.3, every IPv6 category bypasses isurlsafe. This vulnerability is fixed in 1.0.3...

8.7CVSS0.00349EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 8:16 p.m.28 views

CVE-2026-7474

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability CVE-2026-7474 is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11...

8.8CVSS0.06892EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 8:16 p.m.9 views

CVE-2026-44222

vLLM is an inference and serving engine for large language models LLMs. From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder...

7.5CVSS0.00414EPSS
Exploits1References2
PyPA
PyPA
added 2026/05/12 8:16 p.m.15 views

PYSEC-2026-145

vLLM is an inference and serving engine for large language models LLMs. From to before 0.20.0, the extracthiddenstates speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes the EngineCore process. The crash ...

6.5CVSS5.8AI score0.00367EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 7:43 p.m.8 views

CVE-2026-42338 ip-address: XSS in Address6 HTML-emitting methods

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

5.3CVSS5.4AI score0.00453EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/12 7:39 p.m.36 views

CVE-2026-44218 ciguard: Container image runs as root (no USER directive)

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS0.00122EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 7:39 p.m.9 views

CVE-2026-44218 ciguard: Container image runs as root (no USER directive)

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS5.8AI score0.00122EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 7:12 p.m.9 views

CVE-2026-42191

OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP OpenTelemetry Protocol exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath when OTELDOTNETEXPERIMENTALOTLPRETRY=disk was set but...

6.5CVSS5.8AI score0.00108EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 6:59 p.m.9 views

CVE-2026-6959 Nomad vulnerable to arbitrary file read/write on client host through symlink attack

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability CVE-2026-6959 is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11...

6CVSS5.9AI score0.00169EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 5:40 p.m.44 views

CVE-2026-44196 Pingvin Share X: TOTP Authentication Bypass via Password-only Login

Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication TOTP requirement entirely. Although, an attacker...

9.1CVSS0.00299EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 4:59 p.m.13 views

CVE-2026-40359 Microsoft Excel Remote Code Execution Vulnerability

...

7.8CVSS5.8AI score0.00332EPSS
Exploits0References1
Rows per page
Query Builder