Lucene search
K

75930 matches found

Snyk
Snyk
added 2026/06/12 7:32 p.m.4 views

Missing Authorization

Overview typo3/cms-core is a free open source enterprise content management system. Affected versions of this package are vulnerable to Missing Authorization via the upload for form definition files with mixed-case extensions. An attacker can escalate privileges by uploading maliciously crafted...

8.8CVSS6AI score0.00253EPSS
Exploits0References3
NVD
NVD
added 2026/06/12 7:16 p.m.17 views

CVE-2026-28742

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys,...

9.8CVSS0.0033EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 7:9 p.m.11 views

EUVD-2026-35400

TYPO3 CMS has Broken Access Control in its File Abstraction Layer...

2.1CVSS5.2AI score0.00356EPSS
Exploits0References6
CVE
CVE
added 2026/06/12 6:51 p.m.18 views

CVE-2026-50552

Koel (open-source music streaming) is affected prior to version 9.7.1 by a Server-Side Request Forgery (SSRF) in the radio station creation endpoint (POST /api/radio/stations). The url validation rules are declared without bail, allowing the HasAudioContentType rule to issue HTTP requests even af...

6.3CVSS5.5AI score0.0016EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:44 p.m.32 views

CVE-2026-50287

AgenticMail MCP HTTP mode (via --http or MCP_HTTP=1) exposed the /mcp endpoint without HTTP authentication, enabling an unauthenticated remote client to initialize a session and call master-key tools. Affected component: @agenticmail/mcp; impact includes potential exposure of administrative/gatew...

8.7CVSS5.3AI score0.00359EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 6:44 p.m.7 views

CVE-2026-50287 Missing Authentication for Critical Function in @agenticmail/mcp

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can...

8.7CVSS5.3AI score0.00359EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 6:44 p.m.34 views

CVE-2026-50287 Missing Authentication for Critical Function in @agenticmail/mcp

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can...

8.7CVSS0.00359EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 6:42 p.m.7 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:21 p.m.17 views

CVE-2026-50244

CVE-2026-50244 affects the Naxclow IoT Platform. The registration endpoint accepts signed requests with a batch prefix and a caller-supplied account identifier without ownership validation, allowing an attacker to mint new sequential device identifiers and read the batch’s current high-water coun...

6.9CVSS5.3AI score0.00221EPSS
Exploits0References2
OSV
OSV
added 2026/06/12 6:16 p.m.12 views

DEBIAN-CVE-2026-48165

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrepsstreceiveaddress or wsrepsstdonor global system...

7.2CVSS5.5AI score0.00666EPSS
Exploits0References1
OSV
OSV
added 2026/06/12 6:16 p.m.10 views

DEBIAN-CVE-2026-44169

MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been...

4.3CVSS5.2AI score0.00161EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 6:10 p.m.12 views

CVE-2026-50108 Naxclow IoT Platform Missing Authorization

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...

8.7CVSS5.5AI score0.00306EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:10 p.m.29 views

CVE-2026-50108 Naxclow IoT Platform Missing Authorization

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...

8.7CVSS0.00306EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:10 p.m.16 views

CVE-2026-50108

The CVE-2026-50108 entry concerns the Naxclow IoT Platform API where device relay registration details are returned with a persistent credential without verifying the requester’s identity. An actor who can present a platform-valid request signature can retrieve credentials for arbitrary devices a...

8.7CVSS5.5AI score0.00306EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:7 p.m.10 views

CVE-2026-50101

CVE-2026-50101 affects Naxclow IoT Platform devices. The issue is a server-side, per-device relay credential that never rotates and is re-issued on every boot. Since the credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, an adversary who gains it can mai...

9.2CVSS5.2AI score0.00281EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:3 p.m.9 views

EUVD-2026-36525

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys,...

9.8CVSS5.4AI score0.0033EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:3 p.m.37 views

CVE-2026-28742 Naxclow IoT Platform Use of hard-coded cryptographic key

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys,...

9.8CVSS0.0033EPSS
Exploits0References2
OSV
OSV
added 2026/06/12 5:2 p.m.7 views

MINI-Q2C3-5CR2-G6Q7

Bulletin has no description...

7.5CVSS4.8AI score0.00578EPSS
Exploits0
OSV
OSV
added 2026/06/12 5:1 p.m.6 views

MINI-CC22-4XVQ-F3VF

Bulletin has no description...

7.5CVSS5AI score0.00578EPSS
Exploits0
OSV
OSV
added 2026/06/12 4:59 p.m.5 views

MINI-6H3M-7MPM-GQHV

Bulletin has no description...

5AI score0.00052EPSS
Exploits0
Rows per page
Query Builder