Lucene search
K

47 matches found

ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-59708

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS6AI score0.00343EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/25 3:51 p.m.30 views

CVE-2026-54029 LibreChat: IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...

5.3CVSS0.00159EPSS
Exploits2References1
NVD
NVD
added 2026/05/28 5:16 a.m.15 views

CVE-2026-32995

The Rocket.Chat DDP method autoTranslate.translateMessage in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage without checking Meteor.userId or verifying room membership. Any authenticated D...

7.5CVSS0.00283EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.14 views

AnythingLLM 安全漏洞

AnythingLLM is an integrated AI application open source by Mintplex. Versions of AnythingLLM prior to 1.13.0 contained a security vulnerability. This vulnerability stemmed from mobile device tokens created in single-user mode being accepted after migration to multi-user mode, without any user...

2CVSS5.8AI score0.00219EPSS
Exploits1References2
NVD
NVD
added 2026/05/27 5:16 p.m.30 views

CVE-2026-44324

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/ueId/servingPlmnId/ee-subscriptions/subsId/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does n...

6.5CVSS0.0042EPSS
Exploits1References4
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in symfony

Symfony is a PHP framework for web and console applications, along with a set of reusable PHP components. The ability to enumerate users was possible without requiring relevant permissions, as the handling differed depending on whether the user existed or not when attempting to use the “switch...

5.3CVSS6.2AI score0.01712EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/14 7:58 p.m.9 views

CVE-2026-44218

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS5.8AI score0.00122EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 8:16 p.m.13 views

CVE-2026-44218

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS0.00122EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 7:39 p.m.10 views

CVE-2026-44218 ciguard: Container image runs as root (no USER directive)

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS5.8AI score0.00122EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 7:39 p.m.9 views

CVE-2026-44218

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS5.8AI score0.00122EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/12 7:39 p.m.11 views

CVE-2026-44218

Summary of CVE-2026-44218 (ciguard) : The affected container image ghcr.io/jo-jo98/ciguard (0.1.0–0.8.1) runs as root because the Dockerfile lacks a USER directive; this is fixed in 0.8.2. Documented impact is a container that inherits root privileges, with a CVSSv3.1 score of 3.0 (Low) and LOCAL...

3CVSS5.8AI score0.00122EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 7:39 p.m.37 views

CVE-2026-44218 ciguard: Container image runs as root (no USER directive)

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

3CVSS0.00122EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.15 views

PT-2026-39254

Name of the Vulnerable Software and Affected Versions free5GC versions prior to 4.2.2 Description The UDR nudr-dr handler in free5GC contains an issue where a single authenticated request can cause a panic. This occurs when a request is made to the endpoint "DELETE...

6.5CVSS5.8AI score0.0042EPSS
Exploits1References8
OSV
OSV
added 2026/05/05 10:18 p.m.17 views

GHSA-JRM4-4PCF-4763 ciguard: Container image runs as root (no USER directive)

Summary The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactfu...

3CVSS5.8AI score0.00122EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/05 10:18 p.m.12 views

ciguard: Container image runs as root (no USER directive)

Summary The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactfu...

3CVSS5.8AI score0.00122EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/16 8:42 p.m.7 views

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint

Summary The password reset endpoint /api/v1/@apostrophecms/login/reset-request exhibits a measurable timing side channel that allows unauthenticated attackers to enumerate valid usernames and email addresses. When a user is not found, the handler returns after a fixed 2-second artificial delay, b...

3.7CVSS5.8AI score0.00365EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/16 8:42 p.m.13 views

GHSA-MJ7R-X3H3-7RMR ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint

Summary The password reset endpoint /api/v1/@apostrophecms/login/reset-request exhibits a measurable timing side channel that allows unauthenticated attackers to enumerate valid usernames and email addresses. When a user is not found, the handler returns after a fixed 2-second artificial delay, b...

3.7CVSS5.8AI score0.00365EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/03 10:25 p.m.7 views

Execution with Unnecessary Privileges

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to the absence of a USER directive in the Dockerfiles, causing all processes to run as root. An attacker can gain root privileges within the...

8.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/02/27 9:22 p.m.3 views

Authentication Bypass by Assumed-Immutable Data

Overview Affected versions of this package are vulnerable to Authentication Bypass by Assumed-Immutable Data in the verifyAccessTokenV2 function that accepts truncated tokens as the valid ones. An attacker can cause the system to accept truncated tokens missing the userid by submitting an opaque...

5.3CVSS6AI score0.00142EPSS
Exploits0References2
NVD
NVD
added 2025/12/23 10:15 p.m.5 views

CVE-2025-14415

Soda PDF Desktop Launch Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a...

7.8CVSS0.00209EPSS
Exploits0References1
Rows per page
Query Builder