Lucene search
K

2334 matches found

Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.16 views

PT-2026-40729

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description SiYuan's publish-mode Reader can modify configuration and SQL index data through eight ungated APIs. These endpoints are registered with model.CheckAuth but lack model.CheckAdminRole and...

7.2CVSS5.8AI score0.00207EPSS
Exploits0References6
OSV
OSV
added 2026/05/12 9:23 p.m.8 views

MAL-2026-3684 Malicious code in @gusmano/reext (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8 The npm preinstall lifecycle script dist/scripts/preinstall.js, wired via package.json "preinstall": "node./dist/scripts/preinstall.js" reads the...

5.9AI score
Exploits0References34
NVD
NVD
added 2026/05/12 9:16 p.m.10 views

CVE-2026-44224

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...

8.8CVSS0.00379EPSS
Exploits1References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/12 7:42 a.m.14 views

Malicious code in enhancer (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cefeea627aa1a0cc84aeedff1db0ae88ebf61b233bb9b20fa82b0a5fd0737cbf The distribution is published as enhancer but installs modules under the top-level safety namespace setup.py declares namespacepackages='safety' and...

5.9AI score
Exploits0References1
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.11 views

wiki.js 安全漏洞

Wiki.js is a Wiki application open-sourced by requarks.io. Versions of Wiki.js prior to 2.5.313 contained a security vulnerability. This vulnerability stemmed from the GraphQL mutation in users.update, which accepted an arbitrary groups array and applied it directly to the database without...

8.8CVSS5.9AI score0.00379EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/11 6:31 p.m.12 views

EUVD-2026-29081

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...

9.9CVSS6.1AI score0.00455EPSS
Exploits0References3
CVE
CVE
added 2026/05/11 4:46 p.m.18 views

CVE-2026-45006

CVE-2026-45006 affects OpenClaw prior to 2026.4.23, due to improper access control in the gateway tool’s config.apply and config.patch. The vulnerability bypasses an incomplete denylist, allowing compromised models to persist unsafe configuration changes that can alter command execution, network ...

8.8CVSS5.8AI score0.00489EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/08 11:1 p.m.5 views

GHSA-P9MG-74MG-CWWR free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

Summary free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware same root cause as the broader UPI auth gap reported in free5gc/free5gc887. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarde...

8.2CVSS6AI score0.00324EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/05/08 11:1 p.m.9 views

free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

Summary free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware same root cause as the broader UPI auth gap reported in free5gc/free5gc887. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarde...

8.2CVSS6AI score0.00324EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/05/07 4:7 a.m.4 views

GHSA-VWRP-X96C-MHWQ vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape

Summary vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet and otherReflectDefineProperty, which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate...

10CVSS6.1AI score0.00842EPSS
Exploits1References4
OSV
OSV
added 2026/05/07 1:56 a.m.3 views

GHSA-3V3M-WC6V-X4X3 ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

Summary There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. Details Argo CD masks Secret...

9.6CVSS5.8AI score0.00505EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2026/05/07 1:56 a.m.36 views

ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction

Summary There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. Details Argo CD masks Secret...

9.6CVSS5.8AI score0.00505EPSS
Exploits2References3Affected Software1
Cvelist
Cvelist
added 2026/05/06 7:49 p.m.31 views

CVE-2026-43579 OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes

OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile setting...

6.5CVSS0.00218EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/06 7:49 p.m.8 views

CVE-2026-43579 OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes

OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile setting...

6.5CVSS5.8AI score0.00218EPSS
Exploits0References3
CVE
CVE
added 2026/05/06 7:49 p.m.13 views

CVE-2026-43579

CVE-2026-43579 affects OpenClaw prior to 2026.4.10, with an insufficient access control flaw in the Nostr plugin HTTP profile mutation routes. Operators with write permissions can persist profile configuration without admin authority by abusing unprotected mutation endpoints, enabling unauthorize...

6.5CVSS5.8AI score0.00218EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/05/05 12:16 p.m.12 views

CVE-2026-42433

OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner...

7.1CVSS0.00295EPSS
Exploits0References3
Packet Storm News
Packet Storm News
added 2026/05/04 12:0 a.m.4 views

ContextualJailbreak: Evolutionary Red-Teaming Via Simulated Conversational Priming

Large language models LLMs remain vulnerable to jailbreak attacks that bypass safety alignment and elicit harmful responses. A growing body of work shows that contextual priming, where earlier turns covertly bias later replies, constitutes a powerful attack surface, with hand-crafted multi-turn...

5.8AI score
Exploits0
Packet Storm News
Packet Storm News
added 2026/05/04 12:0 a.m.9 views

PIIGuard: Mitigating PII Harvesting under Adversarial Sanitization

Browsing-enabled LLM assistants can fetch webpages and answer contact-seeking queries, creating a practical channel for scraping contact-style personally identifiable information PII from public pages. Many prior defenses are deployed at the model, service, or agent layer rather than at the webpa...

5.8AI score
Exploits0
NVD
NVD
added 2026/04/28 7:37 p.m.3 views

CVE-2026-42431

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invokebrowser.proxy that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations...

8.1CVSS0.00258EPSS
Exploits0References3
CVE
CVE
added 2026/04/28 6:10 p.m.15 views

CVE-2026-42431

OpenClaw contains a vulnerability where node.invoke(browser.proxy) bypasses the browser.request persistent profile‑mutation guard, enabling mutation of persistent browser profiles. Affected software: OpenClaw npm package, prior to 2026.4.8. Root cause: a security bypass path in node.invoke(browse...

8.1CVSS5.3AI score0.00258EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder