Lucene search
K

8254 matches found

Tenable Nessus
Tenable Nessus
added 2026/06/25 12:0 a.m.9 views

Oracle WebCenter Portal (June 2026 CSPU)

The 12.2.1.4.0 and 14.1.2.0.0 versions of WebCenter Portal installed on the remote host are affected by multiple vulnerabilities as referenced in the June 2026 CSPU advisory. - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware component: Security Framework. Supporte...

10CVSS5.9AI score0.00474EPSS
Exploits0References12
Metasploit
Metasploit
added 2026/06/24 7:4 p.m.150 views

Next.js Middleware Authorization Bypass Scanner

This module detects self-hosted Next.js applications affected by CVE-2025-29927, an authorization bypass in the middleware layer. Next.js tags its own internal subrequests with the x-middleware-subrequest header and skips middleware when it sees it. The header is trusted without verifying it...

9.1CVSS6.9AI score0.99621EPSS
Exploits58
EUVD
EUVD
added 2026/06/24 11:53 a.m.7 views

EUVD-2026-38739

Capgo before 12.128.2 fails to enforce limitedtoorgs and limitedtoapps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the...

8.8CVSS5.9AI score0.00266EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 11:53 a.m.7 views

CVE-2026-56232

Capgo is affected: before version 12.128.2, the system does not enforce limited_to_orgs and limited_to_apps on subkeys supplied via the x-limited-key-id header in the middlewareKey function. This allows attackers to reference their own subkeys and bypass subkey scope restrictions, causing downstr...

8.8CVSS5.9AI score0.00266EPSS
Exploits0References2
AlpineLinux
AlpineLinux
added 2026/06/23 4:8 p.m.4 views

CVE-2026-56115

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but...

8.8CVSS5.8AI score0.00307EPSS
Exploits1References4
NVD
NVD
added 2026/06/22 10:16 p.m.9 views

CVE-2026-54281

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated clien...

8.7CVSS0.00285EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 9:16 p.m.11 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
CVE
CVE
added 2026/06/22 9:4 p.m.12 views

CVE-2026-56321

Capgo (backend Supabase edge functions) before 12.128.2 fails to apply the global authentication middleware to GET /private/role_bindings/:org_id, unlike POST/DELETE for the same resource. Unaunthenticated requests reach the handler instead of middleware rejection, but the handler still performs ...

6.9CVSS5.9AI score0.00322EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 8:48 p.m.16 views

CVE-2026-54281

The CVE concerns NestJS with the Fastify adapter: an authentication bypass exists in @nestjs/platform-fastify before version 11.1.24 when middleware is registered via MiddlewareConsumer.forRoutes(). A trailing slash on the request URL can bypass route-specific Nest middleware on the default Fasti...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 8:48 p.m.31 views

CVE-2026-54281 Nest: Middleware Bypass on Fastify via Trailing Slash

Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated clien...

8.7CVSS0.00285EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 8:7 p.m.24 views

CVE-2026-55603 http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS0.00243EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 8:7 p.m.5 views

CVE-2026-55603

http-proxy-middleware is node.js http-proxy middleware. From 3.0.4 until 3.0.7 and 4.1.1, fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/22 8:7 p.m.43 views

CVE-2026-55603

CVE-2026-55603 affects http-proxy-middleware (Node.js). In versions 3.0.4–3.0.7 and 4.1.1, fixRequestBody() rebuilds multipart/form-data by interpolating req.body into the wire format without neutralizing CR/LF. This can let an attacker inject a new multipart part (via unescaped CRLF in keys/valu...

7.5CVSS5.9AI score0.00243EPSS
Exploits1References1Affected Software1
NVD
NVD
added 2026/06/22 6:16 p.m.8 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

8.6CVSS0.0034EPSS
Exploits1References1
NVD
NVD
added 2026/06/22 6:16 p.m.14 views

CVE-2026-54286

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as...

5.9CVSS0.00292EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 5:21 p.m.40 views

CVE-2026-55443 LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.3.9, several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search...

5.1CVSS0.00157EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 5:21 p.m.14 views

CVE-2026-55443

CVE-2026-55443 describes a path traversal / sandbox-escape flaw in LangChain prior to 1.3.9. The vulnerability arises when components that resolve filesystem paths or expand search patterns fail to confine results to a trusted root, allowing untrusted inputs (paths, globs, symlinks, or LLM-influe...

5.5CVSS5.9AI score0.00157EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 5:15 p.m.4 views

CVE-2026-54290

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...

7.1CVSS5.9AI score0.00248EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 4:36 p.m.40 views

CVE-2026-54276

CVE-2026-54276 affects the AIOHTTP framework prior to version 3.14.1, where DigestAuthMiddleware could send an authentication response after following a cross-origin redirect. This requires an open redirect or similar condition on the target domain and exposes the Digest header, potentially allow...

6.3CVSS5.9AI score0.00178EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 3:58 p.m.4 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS5.9AI score0.0034EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder