Lucene search
K

318 matches found

Cvelist
Cvelist
added 5 days ago31 views

CVE-2025-58146 XAPI UTF-8 string handling

There are multiple issues. 1. Updates to the XAPI database sanitise input strings, but try generating the notification using the unsanitised input. This causes the database's event thread to terminate and cease further processing. 2. XAPI's UTF-8 encoder implements v3.0 of the Unicode spec, but...

9.4CVSS0.00137EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 2:16 a.m.7 views

CVE-2026-50740

A missing sanitisation vulnerability of user input in the zone-include.php script exists in Revive Adserver 6.0.7 and earlier. A low‑privileged user could exploit the refresh parameter of the iFrame invocation tag to perform reflected XSS attacks...

6.1CVSS0.00222EPSS
Exploits1References1
NVD
NVD
added 2026/06/23 5:16 p.m.6 views

CVE-2026-34914

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script a...

8.3CVSS0.00298EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.23 views

CVE-2026-34915

CVE-2026-34915 affects Revive Adserver 6.0.6 and earlier due to missing sanitisation in zone-include.php, enabling a low-privileged attacker to exploit the clientid parameter to perform blind SQL injection. The public sources confirm input validation improvements were implemented to ensure all pa...

6.1CVSS6.1AI score0.00217EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.25 views

CVE-2026-44959

CVE-2026-44959 affects Revive Adserver up to version 6.0.6. The issue is a missing validation of user input when saving delivery limitations, allowing a low-privileged user to add an unexpected component parameter and inject malicious PHP into the compiledlimitations field, which could be execute...

8.8CVSS6.6AI score0.0045EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.33 views

CVE-2026-34914

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier. A low‑privileged user could exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script a...

8.3CVSS0.00298EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.32 views

CVE-2026-34915

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the...

6.1CVSS0.00217EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.22 views

CVE-2026-34914

This CVE is confirmed: Revive Adserver

8.3CVSS6.6AI score0.00298EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/23 4:14 p.m.6 views

EUVD-2026-38500

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery...

8.8CVSS6.6AI score0.0045EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/23 4:14 p.m.10 views

EUVD-2026-38499

A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the...

6.1CVSS6.2AI score0.00217EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/22 6:0 a.m.11 views

EUVD-2026-38212

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.8AI score0.00146EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.7 views

@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels

Description Summary @tinacms/cli contains a Remote Code Execution vulnerability in its Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "TINAINTERNAL:::.?:::" inside the stringified collection JSON. User-supplied label and name fiel...

7.8CVSS6.2AI score0.0017EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.11 views

CVE-2026-33587

Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code and subsequently OS commands on the docker container via Server-Side Template Injection SSTI for user-created transformations...

10CVSS5.7AI score0.0023EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/05 2:50 p.m.9 views

CVE-2026-11362 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The formatevent method used by the event method does not validate the content of the tags, whi...

5.4AI score0.00447EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/05 2:50 p.m.45 views

CVE-2026-11362 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The formatevent method used by the event method does not validate the content of the tags, whi...

0.00447EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/29 4:38 p.m.33 views

Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename

Summary filepath.Base on the Linux container does not strip backslashes , because \ is only a path separator on Windows. A multipart filename like ........\Windows\System32\evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route...

5.8AI score0.00032EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 1:59 p.m.23 views

Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter

Summary GET /environments/id/volumes/volumeName/browse accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $ or backticks, and...

6.3CVSS6.2AI score0.0021EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/07 8:9 p.m.10 views

CVE-2026-41691

Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL templat...

6.5CVSS5.8AI score0.00251EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/07 12:31 p.m.18 views

EUVD-2026-28346

Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code and subsequently OS commands on the docker container via Server-Side Template Injection SSTI for user-created transformations...

10CVSS6AI score0.0023EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.19 views

PT-2026-38418

Name of the Vulnerable Software and Affected Versions Open Notebook version 1.8.3 Description Insufficient user input sanitization allows an application user to perform Server-Side Template Injection SSTI, a flaw where an attacker can inject malicious templates into a server-side engine. This...

10CVSS6AI score0.0023EPSS
Exploits0References8
Rows per page
Query Builder