Lucene search
K

9 matches found

CVE
CVE
added yesterday6 views

CVE-2026-59854

SiYuan (open-source PKM) prior to 3.7.1 allows an authenticated administrator or API-token user to copy home-directory credential files into the workspace via POST /api/file/globalCopyFiles. The root cause is util.IsSensitivePath’s denylist in kernel/util/path.go missing common home-dir dotfiles ...

4.9CVSS6AI score
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/28 2:14 p.m.11 views

CVE-2026-36045

picoclaw =v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component pkg/tools/shell.go. The guardCommand function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete...

7.3CVSS5.9AI score0.01314EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.15 views

PT-2026-43703

Name of the Vulnerable Software and Affected Versions picoclaw versions prior to 0.1.3 Description The ExecTool component pkg/tools/shell.go allows OS command injection. This occurs because the guardCommand function uses an incomplete denylist of eight regular expressions to restrict shell comman...

7.3CVSS6AI score0.01314EPSS
Exploits0References8
CVE
CVE
added 2026/05/14 6:35 p.m.20 views

CVE-2026-44589

Nuxt-og-image (nuxt-og-image) contains an SSRF issue tracked as CVE-2026-44589. The isBlockedUrl validator in [email protected] is incomplete: IPv6 prefix handling is limited (only ::1, fc, fd, fe80) and there is no redirect re-validation, enabling bypass paths such as IPv6-mapped addresses and...

3.7CVSS5.8AI score0.00171EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/10 7:21 p.m.4 views

EUVD-2026-20872

LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf...

9.1CVSS5.8AI score0.00363EPSS
Exploits0References3
NVD
NVD
added 2026/04/09 10:16 a.m.4 views

CVE-2026-34177

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...

9.1CVSS0.00363EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/04/09 9:15 a.m.4 views

CVE-2026-34177

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...

9.1CVSS5.4AI score0.00363EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:15 a.m.4 views

CVE-2026-34177

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden lxd/project/limits/permissions.go, which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote...

9.1CVSS6AI score0.00363EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2025/03/23 9:15 a.m.4 views

Server-Side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-Side Request Forgery SSRF due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 Multicast as invalid. This oversight allows attackers to craft...

8.8CVSS7AI score0.00455EPSS
Exploits1References2
Rows per page
Query Builder