Lucene search
K

34 matches found

CVE
CVE
added yesterday19 views

CVE-2026-55884

Tilt HUD server in github.com/tilt-dev/tilt is affected in versions 0.20.8–0.37.3 where the HUD HTTP server registers handlers on a gorilla/mux router without authentication. When bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined Tiltfile resources, ...

9.2CVSS6.2AI score
Exploits0References4
Snyk
Snyk
added 2026/06/19 1:58 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the HUD server when it is bound to a non-loopback address. An attacker can execute arbitrary developer-defined resources, modify arguments, and access sensitive engine state by making...

9.2CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 1:58 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the HUD server when it is bound to a non-loopback address. An attacker can execute arbitrary developer-defined resources, modify arguments, and access sensitive engine state by making...

9.2CVSS6AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 1:58 p.m.10 views

Tilt: Missing authentication on the network-exposed Tilt HUD server

Summary The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state...

9.2CVSS6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 1:53 p.m.9 views

Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream

Summary The Tilt HUD WebSocket /ws/view is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state...

8.3CVSS5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 1:52 p.m.7 views

Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Summary The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details A blank import of net/http/pprof...

8.3CVSS6AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/19 1:34 p.m.8 views

GHSA-R78R-RWRF-RJWP Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests

Advisory / Disclosure Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives Target: Jovancoding/Network-AI npm network-ai, latest v5.7.1 Status: the advisory "Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret" named three flaws. The...

9.1CVSS5.9AI score0.00297EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.18 views

PT-2026-50978

Name of the Vulnerable Software and Affected Versions Tilt versions 0.19.5 through 0.37.3 Description The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...

8.3CVSS6AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.13 views

PT-2026-50980

Name of the Vulnerable Software and Affected Versions Tilt versions 0.20.8 through 0.37.3 Description The HUD HTTP server lacks authentication for state-changing and sensitive-read endpoints. When the HUD is bound to a non-loopback address, a network attacker can trigger pre-defined Tiltfile...

9.2CVSS5.9AI score
Exploits0References8
EUVD
EUVD
added 2026/06/16 11:39 p.m.13 views

EUVD-2026-36421

@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent incomplete fix for GHSA-6m52-m754-pw2g...

5.9CVSS5.2AI score0.0028EPSS
Exploits1References6
NVD
NVD
added 2026/06/12 2:16 p.m.14 views

CVE-2026-49993

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack /...

5.9CVSS0.0028EPSS
Exploits1References5
NVD
NVD
added 2026/06/12 2:16 p.m.16 views

CVE-2026-45670

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack /...

5.9CVSS0.00208EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/06/12 12:57 p.m.32 views

CVE-2026-49993 @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack /...

5.9CVSS0.0028EPSS
Exploits1References5
CVE
CVE
added 2026/06/12 12:57 p.m.30 views

CVE-2026-49993

Nuxt (Vue.js) users using the @nuxt/rspack-builder and @nuxt/webpack-builder are affected. The CVE concerns an incomplete fix for GHSA-6m52-m754-pw2g in versions 3.15.4–3.21.6 and 4.0.0–4.4.6, where the dev server could leak source code if bound to a non-loopback address and a malicious site is o...

5.9CVSS5.3AI score0.0028EPSS
Exploits1References5Affected Software2
Vulnrichment
Vulnrichment
added 2026/06/12 12:51 p.m.8 views

CVE-2026-45670 Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack /...

5.9CVSS5.2AI score0.00208EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/12 12:51 p.m.10 views

EUVD-2026-36419

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack /...

5.9CVSS5.2AI score0.00208EPSS
Exploits1References3
CVE
CVE
added 2026/06/12 12:51 p.m.42 views

CVE-2026-45670

Summary (CVE-2026-45670) Nuxt.js dev-server exposure issue affects @nuxt/webpack-builder and @nuxt/rspack-builder. An incomplete fix for GHSA-4gf7-ff8x-hq99 allowed source-code leakage when the dev server is bound to a non-loopback address (for example, nuxt dev --host) and a user visits a malici...

5.9CVSS5.2AI score0.00208EPSS
Exploits1References3Affected Software2
Cvelist
Cvelist
added 2026/06/12 12:51 p.m.29 views

CVE-2026-45670 Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack /...

5.9CVSS0.00208EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.16 views

PT-2026-48868

Name of the Vulnerable Software and Affected Versions @nuxt/rspack-builder versions 3.15.4 through 3.21.6 @nuxt/rspack-builder versions 4.0.0 through 4.4.6 @nuxt/webpack-builder versions 3.15.4 through 3.21.6 @nuxt/webpack-builder versions 4.0.0 through 4.4.6 Description An incomplete fix in the...

5.9CVSS5.3AI score0.0028EPSS
Exploits1References9
OSV
OSV
added 2026/05/29 10:16 p.m.8 views

GHSA-JMFC-HFJQ-PXCP stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation

Impact Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and...

9.1CVSS5.8AI score
Exploits0References2
Rows per page
Query Builder