Lucene search
+L

113 matches found

attackerkb
attackerkb
added 2026/06/24 11:53 a.m.4 views

CVE-2026-56269

Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...

4.6CVSS5.8AI score0.00093EPSS
Exploits0References3
github
github
added 2026/06/01 2:23 p.m.18 views

praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}

Summary Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member can rewrite the workspace's name, description, and the settings JSON blob. The...

6AI score0.00029EPSS
Exploits0References2Affected Software1
nvd
nvd
added 2026/05/12 11:16 p.m.17 views

CVE-2026-42158

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3...

2.3CVSS0.0017EPSS
Exploits0References1
osv
osv
added 2026/05/05 6:51 p.m.4 views

CVE-2026-31835 Vaultwarden WebAuthn credential metadata tampered before signature verification

Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in validatewebauthnlogin updates persistent credential metadata 1backupeligible1 and 1backupstate flags1 based on unverified authenticatorData before signature validation...

5.3CVSS5.9AI score0.00151EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2026/04/16 12:0 a.m.16 views

PT-2026-51774

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description The software uses a weak hardcoded default value 'Secre$t' for the TOKEN HASH SECRET environment variable in the packages/server/src/enterprise/utils/tempTokenUtils.ts file when the variable is not...

5.6CVSS6.2AI score0.00093EPSS
Exploits0References9
cvelist
cvelist
added 2026/04/09 4:7 p.m.17 views

CVE-2026-39942 Directus has a Path Traversal and Broken Access Control in File Management API

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filenamedisk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

8.5CVSS0.00204EPSS
Exploits0References2
cve
cve
added 2026/04/09 4:7 p.m.23 views

CVE-2026-39942

CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...

8.8CVSS5.9AI score0.00204EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/03/24 12:16 a.m.5 views

DEBIAN-CVE-2026-33173

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...

5.3CVSS5.6AI score0.0039EPSS
Exploits0References1
debiancve
debiancve
added 2026/03/23 11:21 p.m.6 views

CVE-2026-33173

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...

5.3CVSS5.5AI score0.0039EPSS
Exploits0
susecve
susecve
added 2026/01/23 12:24 a.m.7 views

SUSE CVE-2026-23992

go-tuf is a Go implementation of The Update Framework TUF. Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...

5.3CVSS5.6AI score0.00196EPSS
Exploits0References7
ossf
ossf
added 2025/11/13 3:23 a.m.5 views

Malicious code in spinner-rest-standard-writable (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebdb152aca673463af38f743b1775bb01844887f70361930a578a2fcac67ff80 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.3 views

Malicious code in sirius-scorpius-sirius-parsec (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 945110d04861c7ba28d752135fc122c0ded21115150e551cf17097d9fdfb3eb5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.5 views

Malicious code in secure-eta-throw-index-fork (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6ef07f6a8d07c9ae7049f63ac2d5a0c363e46cfda057c7eb6353624e949ce2c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.2 views

Malicious code in serialize-cloud-key-array-secure (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d01874bd4c7f5835f39f72b5f76baf3b4f36532a530bfe790cfd96aaa71f6870 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
osv
osv
added 2025/11/13 3:23 a.m.3 views

MAL-2025-189269 Malicious code in rollup-plugin-chai-soap-terser-webpack-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 961e8a7cfffd287292e217d76e3379b062907280f409cf0ea9836155a60343e2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
osv
osv
added 2025/11/13 3:23 a.m.2 views

MAL-2025-190182 Malicious code in void-oberon-supernova-package (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1662dd30a3bfdab50f06631023e83a010a07f87f264297ccff4a1f470029289c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
ossf
ossf
added 2025/11/12 10:25 p.m.4 views

Malicious code in masv-ilmo-civas (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f437d29167926781bbcba80ae934ed6c768eecc49fd82bae3827bcc8dcc5790 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/12 10:25 p.m.2 views

Malicious code in flights-tuiga-alukza (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ae78f3017f1d48e680d47a29bb4fb6f3dbbe20742ee0b8aac53189fb838a44f9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
osv
osv
added 2025/11/12 10:25 p.m.2 views

MAL-2025-181642 Malicious code in astam-ifst-dikg (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90022fb9e51aab356734925aaf6de982075f0406473d9023ed294ef58b67d036 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
ossf
ossf
added 2025/11/12 9:45 p.m.4 views

Malicious code in baso59 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e5e93d29eddc21366fdb7fb7190c4cd298a49c63146554ea1aab064ee4b1fa5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
Rows per page
Query Builder