Lucene search
K

2424 matches found

Vulnrichment
Vulnrichment
added 2026/05/29 4:53 p.m.15 views

CVE-2026-45577 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/29 4:53 p.m.10 views

CVE-2026-45577

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References3Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/26 1:0 a.m.15 views

Malicious code in fpjson-lang (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 38aca097f261c15ef9901f259883679e2d4308d6e4053099643c8befe9a14318 package.json declares "preinstall": "./bin/install-deps", causing npm to execute a 954KB packed Linux ELF binary on every install. The package...

6.3AI score
Exploits0References4
OSV
OSV
added 2026/05/23 10:27 a.m.7 views

MAL-2026-4411 Malicious code in @onerjs/inspector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...

6AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/23 10:27 a.m.10 views

Malicious code in @onerjs/inspector (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08c3c6c201db840a5576941656934704b0932abe72527c5e85b969fd90ad0ccd Package name, version 8.52.2, README, homepage and repository all impersonate @babylonjs/inspector. The shipped code is a 700-byte UMD wrapper that...

6AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/21 8:45 p.m.21 views

@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AW...

5.8AI score
Exploits0References2Affected Software1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in Chromium

The use of after free in the Inspector in Google Chrome before version 134.0.6998.88 allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page. Chromium security severity: Medium...

8.8CVSS7AI score0.00324EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in WebKit2GTK

A privacy issue was addressed through improved handling of files. This issue is fixed in Safari 18.3, iOS 18.3, and iPadOS 18.3, as well as macOS Sequoia 15.3. Copying a URL from the Web Inspector may lead to command injection...

8.8CVSS7.3AI score0.02902EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/19 1:58 a.m.17 views

CVE-2026-29964

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...

6.1CVSS6.2AI score0.00244EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/19 1:58 a.m.17 views

CVE-2026-29965

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting XSS in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References1
NVD
NVD
added 2026/05/18 6:17 p.m.15 views

CVE-2026-29962

HSC MailInspector v5.3.3-7 contains a Local File Inclusion LFI vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization,...

7.5CVSS0.00372EPSS
Exploits1References3
NVD
NVD
added 2026/05/18 6:17 p.m.23 views

CVE-2026-29963

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...

7.5CVSS0.00595EPSS
Exploits1References3
NVD
NVD
added 2026/05/18 6:17 p.m.16 views

CVE-2026-29964

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...

6.1CVSS0.00244EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/05/18 2:20 p.m.18 views

Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/18 2:20 p.m.20 views

GHSA-5CVP-P7P4-MCX9 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the...

6.9CVSS5.8AI score0.00249EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/18 12:0 a.m.43 views

CVE-2026-29962

HSC MailInspector v5.3.3-7 contains a Local File Inclusion LFI vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization,...

0.00372EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.15 views

HSC MailInspector 跨站脚本漏洞

HSC MailInspector is a mail security analysis and filtering system developed by the Brazilian company HSC. Version 5.3.3-7 of HSC MailInspector contains a cross-site scripting vulnerability. This vulnerability arises from the use of alternative or obfuscated JavaScript syntax in user inputs withi...

6.1CVSS5.6AI score0.00195EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.16 views

PT-2026-41706

HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this...

5.9AI score0.00595EPSS
Exploits1References4
EUVD
EUVD
added 2026/05/18 12:0 a.m.12 views

EUVD-2026-30781

HSC MailInspector v5.3.3-7 contains a Local File Inclusion LFI vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization,...

5.9AI score0.00372EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/18 12:0 a.m.14 views

EUVD-2026-30784

HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting XSS vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...

6.1CVSS6.2AI score0.00244EPSS
Exploits1References3
Rows per page
Query Builder