CVE-2026-1999
Source: RedhatCVE, added 2026/02/20 1:22 a.m.

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enableautomerge mutation for pull requests. This issue only affect...

CVSS 7.1, AI score 5.9, EPSS 0.00235. Exploits: 0. References: 1.
CVE-2026-24743
Source: RedhatCVE, added 2026/02/20 1:22 a.m.

InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of InvoicePlane version 1.7.0. The Upload Invoice Logo function allows the application to upload svg file...

CVSS 7.5, AI score 5.7, EPSS 0.0022. Exploits: 1. References: 1.
CVE-2026-26988 LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream
Source: Cvelist, added 2026/02/20 1:17 a.m.

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below contain an SQL Injection vulnerability in the ajax_table.php endpoint. The application fails to properly sanitize or parameterize user input when processing IPv6 address searches. Specifically,...

CVSS 9.3, EPSS 0.0744. Exploits: 2. References: 3.
CVE-2026-26987
Source: ATTACKERKB, added 2026/02/20 1:11 a.m.

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Versions 25.12.0 and below are vulnerable to Reflected XSS attacks via the email field. This issue has been fixed in version 26.2.0...

CVSS 5.3, AI score 5.4, EPSS 0.00291. Exploits: 1. References: 5. Affected software: 1.
CVE-2026-26980
Source: ATTACKERKB, added 2026/02/20 1:00 a.m.

Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1...

CVSS 9.4, AI score 5.7, EPSS 0.69996. Exploits: 7. References: 4. Affected software: 1.
PT-2026-21020
Source: Positive Technologies, added 2026/02/20 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: Sync-in Server versions prior to 1.9.3. Description: A Stored Cross-Site Scripting (XSS) issue exists in Sync-in Server. An authenticated attacker can execute arbitrary JavaScript in a victim's browser. This is achieved by uploading a crafted SVG...

CVSS 5.1, AI score 5.6, EPSS 0.00267. Exploits: 1. References: 9.
CVE-2025-67438
Source: Vulnrichment, added 2026/02/20 12:00 a.m.

A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...

AI score 5.8, EPSS 0.00267. Exploits: 1. References: 2.
wlc SSL Certification Validation Bypass
Source: Packet Storm, added 2026/02/20 12:00 a.m.

This proof of concept demonstrates a security issue in wlc versions earlier than 1.17.0, where SSL/TLS certificate validation can be bypassed. By attempting connections to endpoints with invalid certificates such as self-signed or expired certificates, the proof of concept verifies whether wlc...

AI score 5.7. Exploits: 0.
CVE-2025-67438
Source: CVE, added 2026/02/20 12:00 a.m.

CVE-2025-67438 affects Sync-in Server prior to 1.9.3. A stored XSS flaw allows an authenticated attacker to upload a crafted SVG file containing a malicious payload, enabling execution of arbitrary JavaScript in a victim's browser and potential exfiltration of sensitive data, including session co...

CVSS 6.1, AI score 5.9, EPSS 0.00267. Exploits: 1. References: 2. Affected software: 1.
CVE-2025-67438
Source: Cvelist, added 2026/02/20 12:00 a.m.

A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...

EPSS 0.00267. Exploits: 1. References: 2.
SolarWinds Database Performance Analyzer < 2025.3 Hard-coded Cryptographic Key (CVE-2025-26398)
Source: Tenable Nessus, added 2026/02/20 12:00 a.m.

According to its self-reported version, the SolarWinds Database Performance Analyzer (DPA) installation on the remote host is prior to 2025.3. It is, therefore, affected by a hard-coded cryptographic key vulnerability. If exploited, this vulnerability could allow a machine-in-the-middle (MITM) attack...

CVSS 6.4, AI score 5.5, EPSS 0.00169. Exploits: 0. References: 2.
PT-2026-21307
Source: Positive Technologies, added 2026/02/20 12:00 a.m.

svelte is a performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements e.g. enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a...

CVSS 5.3, AI score 5.5, EPSS 0.00377. Exploits: 0. References: 4.
PT-2026-21298
Source: Positive Technologies, added 2026/02/20 12:00 a.m.

Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions 4.1.3 through 5.3.5. Description: fast-xml-parser has a flaw in how it handles DOCTYPE entity names during XML parsing. Specifically, a dot (.) within an entity name is treated as a regex wildcard during entity replacement...

CVSS 9.3, AI score 5.6, EPSS 0.00445. Exploits: 1. References: 157.
CVE-2026-26972
Source: CVE, added 2026/02/19 11:08 p.m.

OpenClaw has a path traversal vulnerability in the browser download helpers. In versions 2026.1.12 through 2026.2.12, the browser download assistant accepted unsanitized output paths, enabling writes outside the intended temp downloads directory when invoked via browser control gateway routes. Ex...

CVSS 6.7, AI score 5.5, EPSS 0.00199. Exploits: 0. References: 3. Affected software: 1.
CVE-2026-26314 Go Ethereum affected by DoS via malicious p2p message
Source: Vulnrichment, added 2026/02/19 9:15 p.m.

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth...

CVSS 8.7, AI score 5.8, EPSS 0.0058. Exploits: 0. References: 3.
CVE-2026-26314 Go Ethereum affected by DoS via malicious p2p message
Source: OSV, added 2026/02/19 9:15 p.m.

go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth...

CVSS 8.7, AI score 5.8, EPSS 0.0058. Exploits: 0. References: 5.
UBUNTU-CVE-2026-26278
Source: OSV, added 2026/02/19 8:25 p.m.

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it's possible ...

CVSS 7.5, AI score 5.8, EPSS 0.00811. Exploits: 1. References: 5.
CVE-2026-26318 systeminformation has Command Injection via Unsanitized `locate` Output in `versions()`
Source: Vulnrichment, added 2026/02/19 7:48 p.m.

systeminformation is a System and OS information library for node.js. Versions prior to 5.31.0 are vulnerable to command injection via unsanitized locate output in versions. Version 5.31.0 fixes the issue...

CVSS 8.8, AI score 5.5, EPSS 0.0115. Exploits: 1. References: 2.
CVE-2026-27474
Source: NVD, added 2026/02/19 7:22 p.m.

SPIP before 4.4.9 allows Cross-Site Scripting (XSS) in the private area, complementing an incomplete fix from SPIP 4.4.8. The echappeantixss function was not systematically applied to input, form, button, and anchor (a) HTML tags, allowing an attacker to inject malicious scripts through these element...

CVSS 6.1, EPSS 0.00264. Exploits: 0. References: 3.
CVE-2026-26057
Source: NVD, added 2026/02/19 7:22 p.m.

Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow an unauthenticated, remote attacker to interact with the server API and either trigger a denial of...

CVSS 9.1, EPSS 0.00328. Exploits: 0. References: 2.