Lucene search
+L

47 matches found

attackerkb
attackerkb
added 2026/06/30 3:52 p.m.7 views

CVE-2026-58169

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

7.7CVSS6.4AI score0.00286EPSS
Exploits0References8
osv
osv
added 2026/06/30 3:52 p.m.4 views

CVE-2026-58169 Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding Authentication Bypass and Remote Code Execution

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

7.7CVSS6.6AI score0.00286EPSS
Exploits0References10
cve
cve
added 2026/06/30 3:52 p.m.21 views

CVE-2026-58169

CVE-2026-58169 — Vibe-Trading

7.7CVSS6.4AI score0.00286EPSS
Exploits0References7
vulnrichment
vulnrichment
added 2026/06/30 3:52 p.m.5 views

CVE-2026-58169 Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding Authentication Bypass and Remote Code Execution

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to...

7.7CVSS6.4AI score0.00286EPSS
Exploits0References7
redhatcve
redhatcve
added 2026/06/05 7:40 p.m.13 views

CVE-2025-57798

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service DoS vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Ou...

5.5CVSS5.4AI score0.00159EPSS
Exploits0References1
veracode
veracode
added 2026/05/27 9:11 a.m.18 views

Improper Access Control

@delmaredigital/payload-puck is vulnerable to Improper Access Control. The vulnerability is due to the use of Payload's local API with overrideAccess: true in /api/puck/ CRUD endpoints, which allows an attacker to bypass collection-level access controls and perform unauthorized actions...

9.8CVSS5.8AI score0.00376EPSS
Exploits1References3Affected Software1
nvd
nvd
added 2026/05/19 9:16 p.m.18 views

CVE-2025-57798

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service DoS vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Ou...

5.5CVSS0.00159EPSS
Exploits0References2
cve
cve
added 2026/05/19 8:24 p.m.17 views

CVE-2025-57798

CVE-2025-57798 affects Joplin

5.5CVSS5.7AI score0.00159EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/05/19 8:24 p.m.6 views

CVE-2025-57798

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service DoS vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Ou...

5.5CVSS5.7AI score0.00159EPSS
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/05/12 12:0 a.m.15 views

PT-2026-40389

Name of the Vulnerable Software and Affected Versions Archon OS affected versions not specified Description A flaw in the local API handling allows unauthenticated attackers to perform a web-to-client attack. By inducing a user to visit a malicious website, an attacker can bypass Cross-Origin...

5.9AI score0.00312EPSS
Exploits0References6
githubexploit
githubexploit
added 2026/05/07 4:35 p.m.130 views

Exploit for CVE-2026-7482

CVE-2026-7482: Ollama GGUF Heap OOB Read Reproduction This re...

9.1CVSS5.8AI score0.01001EPSS
Exploits3
cve
cve
added 2026/04/29 6:6 p.m.23 views

CVE-2026-7439

CVE-2026-7439: AgentFlow local web API content-type validation bypass. The vulnerability affects AgentFlow’s local web API, where non-JSON content types are accepted on POST /api/runs and POST /api/runs/validate without enforcing application/json, enabling bypass of trust-boundary enforcement for...

4.8CVSS5.3AI score0.00089EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/04/29 6:6 p.m.4 views

CVE-2026-7439 AgentFlow Local Web API Content-Type Validation Bypass

AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...

4.8CVSS5.3AI score0.00089EPSS
Exploits0References3
euvd
euvd
added 2026/04/29 6:6 p.m.7 views

EUVD-2026-26278

AgentFlow's local web API accepts non-JSON content types on POST /api/runs and POST /api/runs/validate endpoints without enforcing application/json validation, allowing attackers to bypass trust-boundary enforcement on sensitive operations. Attackers can exploit this content-type validation...

4.8CVSS5.3AI score0.00089EPSS
Exploits0References3
github
github
added 2026/04/08 12:15 a.m.8 views

@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

Impact All /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin and any access rules defined on Puck-registered collections wer...

9.8CVSS6.1AI score0.00376EPSS
Exploits1References5Affected Software1
vulnrichment
vulnrichment
added 2026/02/24 4:30 p.m.4 views

CVE-2026-27589 Caddy vulnerable to cross-origin config application via local admin API /load (caddy)

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API default listen 127.0.0.1:2019 exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled enforceorigin not...

8.2CVSS5.9AI score0.00166EPSS
Exploits1References4
euvd
euvd
added 2025/10/07 12:30 a.m.8 views

EUVD-2018-7591

Malware in sbrugna...

9.8CVSS9.5AI score0.01825EPSS
Exploits1References2
euvd
euvd
added 2025/10/03 8:7 p.m.8 views

EUVD-2021-8806

Malicious code in bioql PyPI...

4CVSS4.7AI score0.00226EPSS
Exploits0References1
euvd
euvd
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-54373

Malicious code in bioql PyPI...

8.8CVSS6.6AI score0.00188EPSS
Exploits0References2
redhatcve
redhatcve
added 2025/05/23 8:25 a.m.19 views

CVE-2024-49755

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local api endpoints even...

3.1CVSS6.8AI score0.0032EPSS
Exploits0References1
Rows per page
Query Builder