Lucene search
K

405 matches found

Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-55778 Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS0.00406EPSS
Exploits0References7
CVE
CVE
added 2 days ago20 views

CVE-2026-55778

Parse Server is affected by a stored XSS vulnerability where the default fileUpload.fileExtensions blocklist can be bypassed using non-standard or compound extensions paired with a dangerous Content-Type. This enables attacker-supplied content to be served by storage adapters (e.g., S3, GCS) and ...

2.1CVSS5.6AI score0.00406EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2026/06/23 6:38 a.m.4 views

samba: Remote Code Execution in SAMR

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS6AI score0.02501EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/06/23 1:24 a.m.5 views

samba: Remote Code Execution in SAMR

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS6AI score0.02501EPSS
Exploits0References5
OSV
OSV
added 2026/06/19 7:36 p.m.7 views

GHSA-V8X7-R927-CC93 parse-server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

Impact Parse Server's default fileUpload.fileExtensions blocklist is intended to prevent uploading files that browsers render as active content such as HTML and SVG, which can be used to perform stored cross-site scripting XSS attacks against other users. The blocklist could be bypassed by...

2.1CVSS5.7AI score0.00406EPSS
Exploits0References4
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.8 views

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: mmc: core: Fixed a kernel panic that occurred when removing a non-standard SDIO card. The SDIO tuple is only allocated for standard SDIO cards. Non-standard SDIO cards can cause memory corruption issues when they are removed. Thi...

5.9AI score0.00184EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/17 10:20 p.m.9 views

CVE-2026-48817

A flaw was found in Starlette, a lightweight Asynchronous Server Gateway Interface ASGI framework. An attacker can exploit this vulnerability by sending a specially crafted HTTP request that uses a non-standard HTTP method. This can cause the framework to invoke internal methods not intended for...

5.3CVSS5.2AI score0.00213EPSS
Exploits0References5
NVD
NVD
added 2026/06/17 8:17 p.m.10 views

CVE-2026-48817

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an...

5.3CVSS0.00213EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.17 views

PT-2026-48680

Name of the Vulnerable Software and Affected Versions free5GC UDR affected versions not specified Description Improper input validation exists in the EE subscription handlers of the free5GC UDR. The system uses a regular expression to validate the ueId variable that includes a catch-all...

7.1CVSS6AI score0.00084EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/10 12:31 p.m.13 views

samba: Remote Code Execution in SAMR

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS5.7AI score0.02501EPSS
Exploits0References5
NVD
NVD
added 2026/06/09 11:16 a.m.15 views

CVE-2026-11607

Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to...

7.6CVSS0.00238EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.7 views

X.Org Server 缓冲区错误漏洞

X.Org X Server is an X Window system display server developed by the X.Org Foundation. Xwayland is an open-source communication protocol developed by Xwayland that defines the communication method between the display server and its clients. Both X.Org X Server and Xwayland have security...

7.8CVSS6.1AI score0.00161EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2026/06/03 3:28 a.m.54 views

samba: Remote Code Execution in SAMR

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS5.9AI score0.02501EPSS
Exploits0References5
Slackware Linux
Slackware Linux
added 2026/06/02 3:8 a.m.20 views

[slackware-security] kernel

New kernel packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/linux-5.15.209/kernel-generic-5.15.209-i586-1.txz: Upgraded. This update fixes security issues: rxrpc: Fix missing validation of ticke...

9.8CVSS5.8AI score0.00514EPSS
Exploits0
CVE
CVE
added 2026/05/28 7:10 p.m.28 views

CVE-2026-49129

Music Player Daemon (MPD) <= 0.24.10 contains a server-side request forgery (SSRF) in CurlInputPlugin by setting CURLOPT_FOLLOWLOCATION without CURLOPT_REDIR_PROTOCOLS_STR. This allows unauthenticated attackers to bypass the http/https scheme restriction and redirect to non-HTTP protocols (e.g...

6.9CVSS5.8AI score0.00281EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/28 7:10 p.m.9 views

CVE-2026-49129

Music Player Daemon MPD before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPTFOLLOWLOCATION is set without CURLOPTREDIRPROTOCOLSSTR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP...

6.9CVSS5.8AI score0.00281EPSS
Exploits0References7
OSV
OSV
added 2026/05/28 9:16 a.m.12 views

ALPINE-CVE-2026-4408

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS5.9AI score0.02501EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 9:16 a.m.21 views

CVE-2026-4408

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS0.02501EPSS
Exploits0References18
Cvelist
Cvelist
added 2026/05/28 7:25 a.m.54 views

CVE-2026-4408 Samba: remote code execution in samr

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9CVSS0.02501EPSS
Exploits0References17
AlpineLinux
AlpineLinux
added 2026/05/28 7:25 a.m.16 views

CVE-2026-4408

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper...

9.8CVSS5.9AI score0.02501EPSS
Exploits0References18
Rows per page
Query Builder