Lucene search
K

2155 matches found

Cvelist
Cvelist
added 2026/06/25 3:49 p.m.30 views

CVE-2026-54037 LibreChat: Incomplete Fix for CVE-2025-7105 — /api/convos/duplicate Lacks Rate Limiting Applied to /api/convos/fork

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint...

6.5CVSS0.00293EPSS
Exploits1References1
CVE
CVE
added 2026/06/25 3:49 p.m.11 views

CVE-2026-54037

LibreChat (a multi-provider ChatGPT-like app) contains a missing rate limiter in POST /api/convos/duplicate, which performs the same expensive DB operations as POST /api/convos/fork. The fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter to /fork, but did not apply a corresponding limi...

6.5CVSS5.9AI score0.00293EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.6 views

PT-2026-52597

Name of the Vulnerable Software and Affected Versions WebSocket Application Programming Interface affected versions not specified Description The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an...

8.7CVSS5.8AI score0.00391EPSS
Exploits0References8
NVD
NVD
added 2026/06/23 1:16 p.m.12 views

CVE-2026-56234

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

6.9CVSS0.00247EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:12 p.m.6 views

CVE-2026-56234

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

6.9CVSS5.9AI score0.00247EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 12:12 p.m.11 views

CVE-2026-56234

Capgo prior to 12.128.2 exposes a credential validation endpoint (POST /functions/v1/private/validate_password_compliance) that is accessible with only the public Supabase key and lacks authentication. The endpoint uses permissive CORS with a wildcard origin and has no rate limiting, which enable...

6.9CVSS5.9AI score0.00247EPSS
Exploits0References2
NVD
NVD
added 2026/06/22 10:16 p.m.12 views

CVE-2026-56255

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

5.3CVSS0.00272EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 1:2 p.m.14 views

CVE-2026-56450

CVE-2026-56450 relates to the AIL Framework where the OTP (2FA) verification lacked rate-limiting, allowing unlimited OTP attempts after reaching the 2FA step. Root cause: no per-user throttling on failed OTPs. Impact: potential brute-force of OTPs enabling unauthorized access. The patch adds per...

5.1CVSS5.9AI score0.0033EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.15 views

PT-2026-51403

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A denial of service issue exists in the 'POST /app/demo' endpoint. Authenticated users with organization write permissions can create an unlimited number of demo applications because the system lack...

5.3CVSS5.8AI score0.00272EPSS
Exploits0References5
Veracode
Veracode
added 2026/06/15 6:1 p.m.11 views

Brute Force Attack

Yamcs Core is vulnerable to Brute Force Attack. The vulnerability is due to the absence of rate limiting, account lockout, and failed login throttling on the /auth/token endpoint, which allows an attacker to perform unlimited password-guessing attempts and conduct brute-force attacks against user...

5.2AI score0.00052EPSS
Exploits2References3Affected Software1
EUVD
EUVD
added 2026/06/15 5:28 p.m.12 views

EUVD-2026-32916

PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values DoS...

3.7CVSS5.1AI score0.00222EPSS
Exploits0References3
CVE
CVE
added 2026/06/15 12:42 p.m.12 views

CVE-2026-5233

The CVE describes an input/output flood condition in Mia Technologies’ Pizzy Library (affected from 1.0.0.26250 up to, but not including, 1.3.9.26250) caused by missing rate limiting / improper control of interaction frequency. This vulnerability can enable flooding, with CVSS v3.1 Base Score 7.1...

7.1CVSS5.3AI score0.00205EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/15 12:42 p.m.36 views

CVE-2026-5233 Missing Rate Limiting in Mia Technologies' Pizzy Library

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

7.1CVSS0.00205EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/15 12:42 p.m.9 views

CVE-2026-5233 Missing Rate Limiting in Mia Technologies' Pizzy Library

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

7.1CVSS5.2AI score0.00205EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 8:16 p.m.16 views

CVE-2026-42604

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS0.004EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 6:42 p.m.14 views

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:42 p.m.9 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:42 p.m.27 views

CVE-2026-42604

The CVE concerns Actual Budget’s sync-server (local-first Personal Finance tool). Versions ≤ 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 client_secret, via POST /openid/config to callers who know the bootstrap password. The endpoint lacks authentication and rate limi...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:22 p.m.11 views

EUVD-2026-36535

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains...

8.7CVSS5.2AI score0.00584EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.22 views

PT-2026-48963

Name of the Vulnerable Software and Affected Versions Actual Budget sync-server versions prior to 26.5.0 Description The POST /openid/config endpoint exposes the complete OpenID Connect configuration, which includes the OAuth2 client secret. This information is accessible to any user who possesse...

9.1CVSS5.2AI score0.004EPSS
Exploits0References4
Rows per page
Query Builder