Lucene search
K

4021 matches found

RedHat Linux
RedHat Linux
added yesterday7 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS6.9AI score0.00471EPSS
Exploits1References5
EUVD
EUVD
added yesterday5 views

EUVD-2026-43563

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP...

8.7CVSS6.2AI score0.00445EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-62184 luci-app-banip Log Monitor IP Extraction Bypass

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP...

8.7CVSS0.00445EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-62143 Server-Side Request Forgery protection bypass in misp-modules html_to_markdown via IPv4-mapped IPv6 addresses

A Server-Side Request Forgery SSRF protection bypass existed in the htmltomarkdown expansion module of misp-modules. The module attempts to prevent requests to loopback, private, link-local, and other restricted IP address ranges. However, IP addresses were compared against the blocked ranges...

8.3CVSS0.00239EPSS
Exploits0References1
Nuclei
Nuclei
added 2 days ago74 views

Western Digital MyCloud NAS - Authentication Bypass

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the...

10CVSS7.1AI score0.86586EPSS
Exploits6References5
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-57886

Name of the Vulnerable Software and Affected Versions luci-app-banip versions 0 through 0.11.1 Description A log parsing flaw exists where the awk-based parser extracts the first IPv4 address from log lines regardless of its field position. This allows an unauthenticated remote attacker to inject...

8.7CVSS6.2AI score0.00445EPSS
Exploits0References5
OSV
OSV
added 2 days ago3 views

UBUNTU-CVE-2026-15146

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an...

5.9CVSS6.2AI score0.00121EPSS
Exploits0References5
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-10666 Stack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/net/ip/utils.c`

parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...

8.1CVSS0.00346EPSS
Exploits0References3
CVE
CVE
added 3 days ago21 views

CVE-2026-10666

CVE-2026-10666 affects Zephyr’s net_ipaddr_parse() path (IPv4 address-with-port parsing via net_ipaddr_parse() in subsys/net/ip/utils.c). The bug stems from parse_ipv4() copying the port suffix into a fixed 17-byte buffer without validating port length, using a length derived from an unbounded in...

8.1CVSS6.2AI score0.00346EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-57525

Name of the Vulnerable Software and Affected Versions Trendnet TEW-635BRM versions prior to 1.00.04 Description A flaw in the IPoA WAN Connection Setup component allows remote command injection. The issue exists within the ipoa test function located in the /sbin/rc file. An attacker can trigger...

9CVSS7.1AI score0.01514EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 5 days ago8 views

CVE-2026-15146 CVE-2026-15146

GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an...

6.2AI score0.00121EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 9:2 p.m.17 views

CVE-2026-60105

Monsta FTP before 2.14.5 contains a server-side request forgery (SSRF) in the fetchRemoteFile action due to an incomplete IP blocklist in isBlockedIP(), which fails to detect IPv4 addresses embedded in IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public...

8.6CVSS5.9AI score0.00308EPSS
Exploits0References3
CVE
CVE
added 2026/07/08 3:56 p.m.16 views

CVE-2026-59883

CVE-2026-59883 – Guzzle: CookieJar domain-matching flaw in the PHP HTTP client allowed cookies scoped to IP-address or bare-numeric domains (e.g., 192.168.0.1, ::1) to be accepted by non-origin hosts due to SetCookie::matchesDomain() applying ordinary suffix matching. Affects versions prior to 7....

6.1CVSS6AI score0.00115EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/08 3:56 p.m.4 views

CVE-2026-59883 Guzzle: Cookie Disclosure and Injection via IP-Address Domains

Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain applied ordinary suffix matching to domains such as 192.168.0.1, ::1, or 1, allowing...

4.7CVSS6.1AI score0.00115EPSS
Exploits0References6
CVE
CVE
added 2026/07/08 3:50 p.m.9 views

CVE-2026-59882

The CVE affects guzzlehttp/psr7 (PSR-7 HTTP message library for PHP). Prior to version 2.12.3, Uri::assertValidHost() fails to reject authority delimiters, embedded ports, or malformed IPv6 brackets in host components, causing Uri::getHost() to disagree with the URI authority used for security or...

4.2CVSS6AI score0.00186EPSS
Exploits0References4
Rockylinux
Rockylinux
added 2026/07/07 12:3 a.m.9 views

nodejs:24 security, bug fix, and enhancement update

An update is available for nodejs, module.nodejs, nodejs-packaging, nodejs-nodemon, module.nodejs-packaging, module.nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

9.8CVSS6.5AI score0.02806EPSS
Exploits1
RedHat Linux
RedHat Linux
added 2026/07/06 3:7 p.m.7 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS6.9AI score0.00471EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.6 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS5.8AI score0.00471EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2026/07/06 4:52 a.m.6 views

ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input

A flaw was found in ip-address, a JavaScript library for parsing and manipulating IPv4 and IPv6 addresses. This vulnerability allows a remote attacker to perform cross-site scripting XSS by providing untrusted input to the Address6 constructor. When an application renders the output of...

8.1CVSS6.9AI score0.00471EPSS
Exploits1References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.4 views

Malicious code in enbd-react-logger (npm)

The enbd-react-logger package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization an 'enbd'...

6.1AI score
Exploits0References3
Rows per page
Query Builder