
43219 matches found

CVE
added 1 hour ago, 4 views

CVE-2026-14738

A security flaw has been discovered in exo-explore exo up to 1.0.71. Affected is the function imagecachekey of the file src/exo/worker/engines/mlx/vision.py of the component Vision Feature Cache. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high...

CVSS 6.3, AI score 5.2
Exploits 0, References 7
Nuclei
added 8 hours ago, 6 views

Gorse < 0.5.10 - Unauthenticated Database Dump

Gorse 0.5.10 contains an authentication bypass caused by empty adminapikey in /api/dump and /api/restore endpoints, letting unauthenticated remote attackers access and modify protected data, exploit requires default empty adminapikey configuration. id: CVE-2026-56782 info: name: Gorse 0.5.10 -...

CVSS 9.8, AI score 6, EPSS 0.03016
Exploits 2, References 2
Nuclei
added 8 hours ago, 12 views

Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

Zoom WordPress plugin 4.6.6 contains a broken authentication caused by disabled nonce verification in an AJAX handler, letting unauthenticated attackers generate valid Zoom SDK signatures and retrieve the Zoom SDK key. id: CVE-2026-1368 info: name: Video Conferencing with Zoom API 4.6.6 -...

CVSS 7.5, AI score 5.9, EPSS 0.01211
Exploits 0, References 3
Nuclei
added 8 hours ago, 46 views

Apache Superset < 4.0.2 - SQL Injection

An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new...

CVSS 9.8, AI score 6, EPSS 0.04433
Exploits 2, References 4
Nuclei
added 8 hours ago, 22 views

SmartSearchWP < 2.4.6 - OpenAI Key Disclosure

The plugin does not have proper authorization in one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key. id: CVE-2024-6845 info: name: SmartSearchWP 2.4.6 - OpenAI Key Disclosure author: s4e-io severity: medium...

CVSS 5.3, AI score 6, EPSS 0.01113
Exploits 1, References 2
Nuclei
added 8 hours ago, 8 views

Zoho ManageEngine - getUserAPIKey Authentication Bypass

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 125657, 126002, 126104, and 126118 allow unauthenticated attackers to obtain a user's API key, and then access external...

CVSS 7.5, AI score 7.1, EPSS 0.0793
Exploits 0, References 3
Nuclei
added 8 hours ago, 20 views

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...

CVSS 8.6, AI score 7, EPSS 0.01594
Exploits 1, References 4
Nuclei
added 8 hours ago, 29 views

SolarWinds Web Help Desk - Authentication Bypass

SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endpoint, an unauthenticated attacker can access privileged administrative function...

CVSS 9.8, AI score 7.6, EPSS 0.8413
Exploits 5, References 4
Nuclei
added 8 hours ago, 83 views

Netmaker - Hardcoded DNS Secret Key

Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. id: CVE-2023-32077 info: name: Netmaker - Hardcoded DNS Secret Key author: iamnoooob,rootxharsh,pdresearch...

CVSS 7.5, AI score 6.9, EPSS 0.03147
Exploits 0
Nuclei
added 8 hours ago, 78 views

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

CVSS 9.8, AI score 7.7, EPSS 0.96182
Exploits 16, References 5
NVD
added 9 hours ago, 5 views

CVE-2026-14570

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce a...

Exploits 0, References 4
Cvelist
added 10 hours ago, 8 views

CVE-2026-14570 Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce a...

Exploits 0, References 3
CVE
added 10 hours ago, 7 views

CVE-2026-14570

CVE-2026-14570 affects Crypt::DSA for Perl prior to 1.22. The root cause is a biased random generator in Crypt::DSA::Util::makerandom that fixes the top bit of the produced N-bit values, making signing nonces non-uniform and enabling private-key recovery. An attacker collecting a modest number of...

AI score 5.9
Exploits 0, References 4
EUVD
added 10 hours ago, 5 views

EUVD-2026-41713

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce a...

AI score 5.9
Exploits 0, References 3
Nuclei
added yesterday, 11 views

EyesOfNetwork - Hardcoded API Key & SQL Injection

An issue was discovered in EyesOfNetwork 5.3. The EyesOfNetwork API 2.4.2 is prone to SQL injection, allowing an unauthenticated attacker to perform various tasks such as authentication bypass via the username field to getApiKey in include/apifunctions.php. id: CVE-2020-8656 info: name:...

CVSS 9.8, AI score 7.1, EPSS 0.846
Exploits 8, References 3
Nuclei
added yesterday, 23 views

D-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution

man-group/dtale 3.10.0 contains an authentication bypass and remote code execution caused by improper input validation and a hardcoded SECRETKEY in Flask configuration, letting attackers forge session cookies and execute arbitrary code, exploit requires attacker to access the application. id:...

CVSS 9.8, AI score 8, EPSS 0.77951
Exploits 5, References 2
Nuclei
added 2 days ago, 74 views

Zoho ManageEngine OpManager - SQL Injection

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL...

CVSS 7.5, AI score 7.1, EPSS 0.66347
Exploits 1, References 2
CVE
added 2 days ago, 7 views

CVE-2026-59234

This CVE affects Prospero Flow CRM prior to version 5.5.3. The vulnerability lies in the CalendarDeleteEventController (app/Http/Controllers/Calendar/CalendarDeleteEventController.php), exposed at the GET endpoint /calendar/event/delete/{id}. The delete logic uses Calendar::find($id)->delete(...

CVSS 6.9, AI score 6, EPSS 0.00403
Exploits 0, References 3
RedhatCVE
added 2 days ago, 7 views

CVE-2026-55952

A flaw was found in Erlang/OTP's SSL Secure Sockets Layer application. An unauthenticated remote attacker can send a specially crafted ClientHello message to a TLS 1.3 server with session tickets enabled. This can permanently disrupt the server's ability to handle session tickets, leading to a...

CVSS 8.2, AI score 6, EPSS 0.00464
Exploits 0, References 10
EUVD
added 2 days ago, 4 views

EUVD-2026-41495

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPTSSHKEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for th...

AI score 6, EPSS 0.00187
Exploits 0, References 3