Lucene search
K

809 matches found

EUVD
EUVD
added yesterday4 views

EUVD-2026-42266

Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: , allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token...

8.7CVSS6AI score
Exploits0References2
CVE
CVE
added 2 days ago9 views

CVE-2026-42172

CVE-2026-42172 affects Coolify prior to version 4.0.0-beta.474, where Sanctum API tokens did not expire. The underlying issue allowed a leaked token to retain access indefinitely until manually revoked. The vulnerability is resolved in 4.0.0-beta.474.

3.1CVSS6AI score0.00188EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-42172

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...

3.1CVSS6AI score0.00188EPSS
Exploits0References5Affected Software1
The Hacker News
The Hacker News
added 5 days ago16 views

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC, built on a leaked negotiation chat and the blockchain trail the payment left. The odd part: the group that took the money calls itself Kairos ,...

5.7AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/07/01 8:35 p.m.12 views

Fleet has PSS Bypass through addLabelsFromOptions in Fleet Agent

Impact A vulnerability has been identified in Fleet's agent-side deployer, which did not filter security-sensitive keys from namespaceLabels in fleet.yaml or BundleDeployment.spec.options.namespaceLabels when applying them to the target namespace. An attacker with git push access to a...

8.8CVSS5.8AI score0.00508EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/01 1:18 p.m.7 views

EUVD-2026-40958

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS5.8AI score0.00253EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 11:53 a.m.7 views

CVE-2026-56302

Capgo before 12.128.2 uses an unsecured Supabase images bucket with no row-level security, allowing unauthenticated read, insert, and delete operations on stored app icons. This misconfiguration enables attackers to delete all icons and leak sensitive app IDs and user IDs. The connected documents...

6.9CVSS5.9AI score0.00208EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 3:16 p.m.13 views

CVE-2026-45536

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, nettyunixsocketrecvFd sets msgcontrol to char controlCMSGSPACEsizeofint line 940 — 24 bytes on 64-bit Linux. A peer-sent SCMRIGHTS cmsg carrying two ints has...

4CVSS0.00136EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.9 views

CVE-2026-4409

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the...

6.5CVSS5.6AI score0.00227EPSS
Exploits0References1
HackRead
HackRead
added 2026/06/05 5:16 p.m.15 views

Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users

Atlas Menu Data Breach exposes 64,000 GTA V and CS2 cheat service users, leaking emails, IPs, support tickets and hashed passwords...

5.4AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.25 views

PT-2026-47073

Name of the Vulnerable Software and Affected Versions RSS Aggregator by Feedzy versions prior to 5.1.8 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with contributor-level access ...

4.3CVSS5.5AI score0.0029EPSS
Exploits0References27
Github Security Blog
Github Security Blog
added 2026/05/28 5:52 p.m.18 views

OpenBao's Inline Auth Incorrectly Redacted Headers

Impact OpenBao's inline auth functionality incorrectly redacted audit log entries, resulting in non-auth headers being removed and auth-related headers being retained in cleartext. This requires an attacker to compromise access to the audit device. Operators should review leaked source...

5.8AI score0.00029EPSS
Exploits0References6Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/28 1:32 a.m.12 views

CVE-2026-45917

A flaw was found in the Linux kernel's IP Virtual Server IPVS component. A race condition exists between the network device notifier and the destination cache when a device is shutting down. This can lead to a leaked device reference, potentially causing system instability or a denial of service...

5.5CVSS5.8AI score0.00122EPSS
Exploits0References4
hivepro
hivepro
added 2026/05/27 10:3 a.m.11 views

Identity Exposure Management: Why It Matters

Millions of corporate credentials leak onto the public internet every single week. These exposed credentials act as open doors for threat actors looking to breach hybrid networks. When security teams rely only on legacy tools, they remain blind to these silent entry points. Book a HivePro demo to...

5.9AI score
Exploits0
Cvelist
Cvelist
added 2026/05/27 12:0 a.m.43 views

CVE-2026-36539

Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skkget.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi...

0.00358EPSS
Exploits0References1
OSV
OSV
added 2026/05/22 1:16 a.m.7 views

MAL-2026-4388 Malicious code in @exocore/exocode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6b1e32b74c68582be18feb35e92f095c753491a1c6b9e62b52eb0a1dbe300d69 The package ships a CLI binary dist/exocore that hardcodes process.env.ANTHROPICBASEURL to https://exocoreai-exocore-gateway.hf.space/v1 and...

5.8AI score
Exploits0References3
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.2 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: btrfs: Directly freeing partially initialized fsinfo in btrfscheckleakedroots If fsinfo-supercopy or fsinfo-superforcommit allocation failed in btrfsgettreesubvol, then there is no need to call btrfsfreefsinfo. Otherwise,...

5.9AI score0.00172EPSS
Exploits0References2
OSV
OSV
added 2026/05/19 6:5 p.m.15 views

MAL-2026-4441 Malicious code in @shadanai/openclaw (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0e2f02ab1bb3d99de1787ed7d69f1df97bd3b2d7c18cc8ba4e5f8688f649ce9 On npm install, scripts/postinstall.mjs performs several installer-harm actions. 1 Backdoor: writes /.openclaw/openclaw.json configuring a local...

6.2AI score
Exploits0References3
NVD
NVD
added 2026/05/19 12:16 a.m.20 views

CVE-2026-32244

Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4,...

5.3CVSS0.00233EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/07 6:3 p.m.5 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder