Lucene search
K

52573 matches found

OSV
OSV
added 2026/05/27 1:17 p.m.9 views

MAL-2026-4833 Malicious code in bulletproof-json (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00849bd08fa4e9ebb1877039ab1ff287fd0ab89a683a45229176f717b6db1e9d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.8AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 12:56 p.m.8 views

CVE-2026-9704

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subjecttoken JSON Web Token JWT to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client...

8.8CVSS5.8AI score0.0032EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/05/27 12:56 p.m.10 views

CVE-2026-9704 Keycloak: keycloak: privilege escalation due to oversized subject_token jwt

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subjecttoken JSON Web Token JWT to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client...

6.8CVSS5.8AI score0.0032EPSS
Exploits0References6
NVD
NVD
added 2026/05/27 7:16 a.m.13 views

CVE-2026-8938

The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJLcertification function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS0.0014EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.9 views

Kysely 安全漏洞

Kysely is a type-safe TypeScript SQL query builder developed by Kysely contributors. Versions of Kysely from 0.26.0 to 0.28.16 contain security vulnerabilities. These vulnerabilities stem from the lack of escaping of JSON path metacharacters in the DefaultQueryCompiler.visitJSONPathLeg function. ...

7.5CVSS5.8AI score0.00362EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.13 views

go-ipld-prime 安全漏洞

go-ipld-prime is an implementation of the IPLD open-source specification interface. Versions of go-ipld-prime prior to 0.23.0 contained security vulnerabilities. These vulnerabilities stemmed from the DAG-CBOR and DAG-JSON decoders having no depth limit when decoding nested mappings or lists, whi...

6.2CVSS5.8AI score0.0012EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.10 views

WordPress plugin auto making JSON-LD 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

4.3CVSS5.7AI score0.0014EPSS
Exploits0References3
Exploit DB
Exploit DB
added 2026/05/27 12:0 a.m.76 views

scramble - Remote Code Execution

Exploit Title: scramble - Remote Code Execution Google Dork: inurl:/docs/api.json "dedoc/scramble" Date: 2026-05-07 Exploit Author: Joshua van der Poll https://github.com/joshuavanderpoll Vendor Homepage: https://scramble.dedoc.co Software Link: https://github.com/dedoc/scramble Version: =0.13.2,...

9.4CVSS5.8AI score0.0586EPSS
Exploits3
Tenable Nessus
Tenable Nessus
added 2026/05/27 12:0 a.m.12 views

RHEL 10 : ruby4.0 (RHSA-2026:20606)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:20606 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and ...

9.1CVSS6.2AI score0.01131EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/05/27 12:0 a.m.8 views

AlmaLinux 9 : ruby:4.0 (ALSA-2026:20596)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:20596 advisory. ruby/json: Ruby JSON: Denial of Service or Information Disclosure via format string injection CVE-2026-33210 erb: ERB: Arbitrary code execution via...

9.1CVSS6.8AI score0.01131EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/27 12:0 a.m.11 views

AlmaLinux 10 : mysql8.4 (ALSA-2026:20693)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:20693 advisory. mysql: InnoDB unspecified vulnerability CPU Apr 2026 CVE-2026-22004 mysql: Information Schema unspecified vulnerability CPU Apr 2026 CVE-2026-22001 mysq...

6.5CVSS7.3AI score0.00323EPSS
Exploits0References21
Snyk
Snyk
added 2026/05/26 11:38 p.m.12 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview @fedify/fedify is an An ActivityPub server framework Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through manipulation of JSON-LD document structure using keywords such as @graph, @included, and @reverse. An attacker can alter...

8.3CVSS5.9AI score0.00171EPSS
Exploits0References2
OSV
OSV
added 2026/05/26 11:38 p.m.7 views

GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

7CVSS5.4AI score0.00171EPSS
Exploits0References4
NVD
NVD
added 2026/05/26 10:16 p.m.12 views

CVE-2026-44985

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: funcr http.Request bool return true , accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables...

9.6CVSS0.00195EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/26 9:58 p.m.9 views

EUVD-2026-32017

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: funcr http.Request bool return true , accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables...

8.7CVSS5.8AI score0.00195EPSS
Exploits1References2
NVD
NVD
added 2026/05/26 7:16 p.m.18 views

CVE-2026-8890

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is...

8.8CVSS0.0049EPSS
Exploits0References5
NVD
NVD
added 2026/05/26 6:16 p.m.15 views

CVE-2026-47202

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS0.00171EPSS
Exploits0References2
NVD
NVD
added 2026/05/26 6:16 p.m.12 views

CVE-2026-41164

nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint /auth/v1/introspectaccesstoken accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims...

4.4CVSS0.00076EPSS
Exploits0References1
CVE
CVE
added 2026/05/26 5:35 p.m.18 views

CVE-2026-41164

The CVE concerns nuts-node, the reference implementation of the Nuts spec. Prior to versions 6.2.3 (and 5.4.31 for the 5.x branch), the v1 access token introspection endpoint (/auth/v1/introspect_access_token) validates only standard JWTs, and does not enforce Nuts-specific checks such as JWT typ...

4.4CVSS5.8AI score0.00076EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 5:30 p.m.47 views

CVE-2026-47202 Kavita: Pre-Auth Account Takeover

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

9.3CVSS0.00171EPSS
Exploits0References2
Rows per page
Query Builder