CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added yesterday•16 views

CVE-2026-56129

6.8CVSS0.00121EPSS

NVD•added 2 days ago•8 views

CVE-2026-56244

Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to...

7.1CVSS0.00194EPSS

CVE•added 2 days ago•5 views

CVE-2026-56244

CVE-2026-56244 (Capgo) affects Capgo prior to 12.128.2. The issue arises because non-admin API keys can read webhook signing secrets via Supabase REST due to insufficient row-level security on the webhooks table. This enables attackers to retrieve the webhook secret and forge valid X-Capgo-Signat...

7.1CVSS5.9AI score0.00194EPSS

EUVD•added 2 days ago•8 views

EUVD-2026-38741

7.1CVSS5.9AI score0.00194EPSS

EUVD•added 2 days ago•7 views

EUVD-2026-38681

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24blockenqueuescripts function being hooked to enqueueblockeditorassets and, for any non-administrator user, falling back to loading...

4.3CVSS5.8AI score0.0021EPSS

EUVD•added 3 days ago•9 views

EUVD-2026-35140

Snipe-IT: Bulk editing users allowed ldapimport and activatedin bulk editing users...

7.1CVSS5.8AI score0.00194EPSS

Cvelist•added 3 days ago•24 views

CVE-2026-48493 Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...

5.5CVSS0.0019EPSS

Positive Technologies•added 3 days ago•6 views

PT-2026-51619

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.0 Description Improper access control in the CSV user import functionality allows a user with only the import permission to bypass user-edit authorization. By uploading a CSV file in update mode, an attacker can...

6.5CVSS5.9AI score0.00037EPSS

Exploits0References4

Github Security Blog•added 4 days ago•5 views

motionEye has an Arbitrary File Read via Path Traversal in Picture/Movie Preview Endpoint

Summary motionEye v0.43.1 latest stable is vulnerable to path traversal in the picture and movie API endpoints, like /picture/id/preview/filename. Neither the API handlers, nor the mediafiles.py functions like getmediapreview check for .. sequences in the filename parameter, except getmediaconten...

6.5CVSS5.9AI score0.00418EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/06/17 12:0 a.m.•13 views

PT-2026-50589

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.6 Description The terminal-server reverse proxy in backend/open webui/routers/terminals.py fails to properly confine the user-controlled path segment before forwarding it to an admin-configured terminal server...

7.7CVSS5.9AI score0.00349EPSS

Exploits0References8

NVD•added 2026/06/12 10:16 p.m.•9 views

CVE-2026-47124

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users...

6.5CVSS0.0027EPSS

NVD•added 2026/06/12 9:16 p.m.•10 views

CVE-2026-54362

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or...

5.3CVSS0.00207EPSS

Vulnrichment•added 2026/06/12 9:3 p.m.•8 views

CVE-2026-47124 Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

6.5CVSS5.2AI score0.0027EPSS

EUVD•added 2026/06/12 8:8 p.m.•6 views

EUVD-2026-36580

5.3CVSS5.4AI score0.00207EPSS

Vulnrichment•added 2026/06/12 8:8 p.m.•6 views

CVE-2026-54362 MISP template builder exposes non-visible custom galaxies across organisations

5.3CVSS5.3AI score0.00207EPSS

CVE•added 2026/06/12 8:8 p.m.•13 views

CVE-2026-54362

The CVE concerns MISP's event template builder where an incorrect visibility condition allowed authenticated non-site-admin users to see galaxies outside their organisation. The root cause is a PHP comparison expression used instead of a query condition, causing enabled galaxies, including organi...

5.3CVSS5.4AI score0.00207EPSS

CVE•added 2026/06/12 6:51 p.m.•16 views

CVE-2026-50552

Koel (open-source music streaming) is affected prior to version 9.7.1 by a Server-Side Request Forgery (SSRF) in the radio station creation endpoint (POST /api/radio/stations). The url validation rules are declared without bail, allowing the HasAudioContentType rule to issue HTTP requests even af...

6.3CVSS5.5AI score0.0016EPSS

Positive Technologies•added 2026/06/12 12:0 a.m.•11 views

PT-2026-48994

5.3CVSS5.3AI score0.00207EPSS