Lucene search
K

23036 matches found

IBM Security Bulletins
IBM Security Bulletins
added yesterday5 views

Security Bulletin: Vulnerability in follow-redirects bundled with IBM Fusion and IBM Fusion HCI

Summary IBM Fusion and IBM Fusion HCI include the follow-redirects library, which is affected by an information exposure vulnerability. CVE-2026-40895 Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement for Node's http and https modules...

7.5CVSS7AI score0.00486EPSS
Exploits0Affected Software2
Nuclei
Nuclei
added yesterday46 views

Adlisting Classified Ads 2.14.0 - Information Disclosure

Information disclosure issue in the redirect responses, When accessing any page on the website, Sensitive data, such as API keys, server keys, and app IDs, is being exposed in the body of these redirects. id: CVE-2023-4168 info: name: Adlisting Classified Ads 2.14.0 - Information Disclosure autho...

7.5CVSS6.3AI score0.36205EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday205 views

Chuanhu Chat - Directory Traversal

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the webassets folder. However, the outdated version of gradio it employs is susceptible to pa...

9.8CVSS7AI score0.03757EPSS
Exploits1
Nuclei
Nuclei
added yesterday88 views

NocoBase - SQL Injection

NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...

8.8CVSS6.2AI score0.01875EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday19 views

Gotenberg - Command Injection

Gotenberg 8.31.0 contains a command injection caused by lack of validation on JSON metadata keys in /forms/pdfengines/metadata/write endpoint, letting unauthenticated attackers execute OS commands, exploit requires crafted HTTP request. id: CVE-2026-42589 info: name: Gotenberg - Command Injection...

9.8CVSS6.1AI score0.0295EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday95 views

WordPress Metform <=2.1.3 - Information Disclosure

WordPress Metform plugin through 2.1.3 is susceptible to information disclosure due to improper access control in the /core/forms/action.php file. An attacker can view all API keys and secrets of integrated third-party APIs such as that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA...

7.5CVSS7AI score0.09699EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday29 views

Control Web Panel (CWP) - File Inclusion

In CWP Control Web Panel, previously CentOS Web Panel before version 0.9.8.1107, an unauthenticated attacker can abuse null byte %00 injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be...

9.8CVSS7.3AI score0.70947EPSS
Exploits1References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago9 views

Malicious code in fast-dotenv (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector da3250a4b69ccce49128d2e75ffb9e577746de4fb3afe0e0d242fbe5d094d02d The package presents itself as a.env loader but on load/config spawns a background thread that, after a 72–96 hour activation delay jittered by...

6.2AI score
Exploits0References6
NVD
NVD
added 2 days ago13 views

CVE-2026-56259

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...

8.8CVSS0.00268EPSS
Exploits0References2
NVD
NVD
added 2 days ago7 views

CVE-2026-56252

Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...

5.4CVSS0.00169EPSS
Exploits0References2
CVE
CVE
added 2 days ago18 views

CVE-2026-56252

Capgo before 12.128.2 is affected by a scope isolation vulnerability in the POST /webhooks/test endpoint. The issue allows app-scoped API keys to invoke organization-scoped webhook operations, enabling attackers with app-scoped credentials to trigger signed outbound webhook deliveries for arbitra...

5.4CVSS6.2AI score0.00169EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago5 views

Malicious code in jupiter-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8e0901ca45da110106c60f288b0166fc51c348a44569d7e7ff22af3d19deafe On import jupitersdk, the package's top-level init.py fetches a payload over HTTPS from a public IPFS gateway...

6.6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago5 views

Malicious code in eth-agent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3131490d64c4ae90de2926ca90f6fce23e6a113d1e6538db5ce98ffcf06983d1 The top-level ethagent/init.py performs an outbound HTTP fetch to a hardcoded IPFS gateway URL...

6.3AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago5 views

Malicious code in metemask-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a99855c93b46f7b996a005065c319bbb24c9d1f497d05dfd38fc83d1b21facdd metemask-sdk is a typosquat of the legitimate metamask-sdk package. On import, the top-level init.py performs an outbound HTTP fetch to...

6.3AI score
Exploits0References3
NVD
NVD
added 3 days ago5 views

CVE-2026-10865

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...

5.3CVSS0.0037EPSS
Exploits0References10
EUVD
EUVD
added 3 days ago10 views

EUVD-2026-43152

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...

5.3CVSS6.1AI score0.0037EPSS
Exploits0References10
CVE
CVE
added 3 days ago16 views

CVE-2026-10865

CVE-2026-10865 affects the Cost Calculator Builder plugin for WordPress. The vulnerability exists in all versions up to 4.0.11 and arises from exposure in the template body, allowing unauthenticated attackers to read plaintext payment gateway secrets (Stripe secret key, Razorpay secret key, and P...

5.3CVSS6.1AI score0.0037EPSS
Exploits0References10
NVD
NVD
added 4 days ago4 views

CVE-2026-55879

OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the OpenReplay tracking SDK accepts custom event names and captured page URLs from any visitor using a public project key, stores them in ClickHouse without output encoding, and later renders them in the authenticated...

9.3CVSS0.00274EPSS
Exploits0References3
NVD
NVD
added 4 days ago4 views

CVE-2026-55405

LangChain4j is a Java library for building LLM-powered applications on the JVM. Prior to 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26, the MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys, and in MariaDB string values, directly int...

7.6CVSS0.00348EPSS
Exploits0References7
NVD
NVD
added 4 days ago5 views

CVE-2026-59180

Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py...

3.1CVSS0.00195EPSS
Exploits0References4
Rows per page
Query Builder