34249 matches found

EUVD | added 2026/05/11 6:31 p.m. | 8 views

EUVD-2026-29104

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows...

CVSS 7.5 | AI score 5.8 | EPSS 0.00293
Exploits 0 | References 3

EUVD | added 2026/05/11 6:31 p.m. | 11 views

EUVD-2026-29082

Stored cross-site scripting (XSS) vulnerability in the pgAdmin 4 Browser Tree and Explain Visualizer modules. User-controlled PostgreSQL object names (database, schema, table, column, etc.) were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute...

CVSS 4.8 | AI score 5.7 | EPSS 0.00163
Exploits 1 | References 3

NVD | added 2026/05/11 6:16 p.m. | 21 views

CVE-2026-43896

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | EPSS 0.00154
Exploits 1 | References 1

UbuntuCve | added 2026/05/11 6:16 p.m. | 6 views

CVE-2026-43896

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | AI score 5.8 | EPSS 0.00154
Exploits 1 | References 2

OSV | added 2026/05/11 6:16 p.m. | 6 views

UBUNTU-CVE-2026-43896

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | AI score 5.8 | EPSS 0.00154
Exploits 1 | References 4

Cvelist | added 2026/05/11 5:24 p.m. | 43 views

CVE-2026-43896 jq: Stack Overflow in Recursive Object Merge

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | EPSS 0.00154
Exploits 1 | References 1

EUVD | added 2026/05/11 5:24 p.m. | 12 views

EUVD-2026-29174

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | AI score 5.8 | EPSS 0.00154
Exploits 1 | References 1

ATTACKERKB | added 2026/05/11 5:24 p.m. | 10 views

CVE-2026-43896

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | AI score 5.8 | EPSS 0.00154
Exploits 1 | References 2 | Affected software 1

CVE | added 2026/05/11 5:24 p.m. | 24 views

CVE-2026-43896

CVE-2026-43896 (jq): In jq versions 1.8.1 and earlier, unbounded recursion in the function jv_object_merge_recursive() can cause a crafted jq program to crash the process with a segfault when using the object operator (*) on two objects. Affected component is the jq JSON processor; the vulnerabi...

CVSS 6.2 | AI score 5.8 | EPSS 0.00154
Exploits 1 | References 1 | Affected software 1

AlpineLinux | added 2026/05/11 5:24 p.m. | 9 views

CVE-2026-43896

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects...

CVSS 6.2 | AI score 5.8 | EPSS 0.00154
Exploits 1 | References 1

NVD | added 2026/05/11 5:16 p.m. | 35 views

CVE-2026-33359

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows...

CVSS 7.5 | EPSS 0.00293
Exploits 0 | References 2

OSV | added 2026/05/11 4:10 p.m. | 2 views

GHSA-MHWJ-73QX-JQXM @theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function

Summary: @theecryptochad/merge-guard versions prior to 1.0.1 are vulnerable to Prototype Pollution via the deepMerge function. An attacker who controls the source object can inject __proto__ keys that mutate Object.prototype, affecting all objects in the Node.js runtime. Details: The deepMerge function...

CVSS 7.5 | AI score 5.9
Exploits 0 | References 3

Snyk | added 2026/05/11 4:09 p.m. | 8 views

Prototype Pollution

Overview: @rvf/set-get provides internal utilities and types for working with deeply nested data. It is primarily used internally by RVF and its various packages and is not recommended for use by most people. Affected versions of this package are vulnerable to Prototype Pollution via the setPath...

CVSS 8.8 | AI score 6.3 | EPSS 0.00271
Exploits 0 | References 2

Github Security Blog | added 2026/05/11 4:09 p.m. | 9 views

@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)

Summary: setPath in @rvf/set-get, used by @rvf/core to flatten incoming form data into a nested object, does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData and through...

CVSS 8.2 | AI score 6 | EPSS 0.00271
Exploits 0 | References 3 | Affected software 1

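The jq entries (CVE-2026-43896), the @theecryptochad/merge-guard entry and the two @rvf/set-get entries above all describe a recursive walk over attacker-shaped input: one dies when the nesting is deeper than the stack, the others write through a __proto__, constructor or prototype key into Object.prototype. The block below is an added example and is not code from jq, merge-guard, RVF or any other project on this page. It puts a naive deep merge and a naive dotted-path setter (the shape @rvf/core's preprocessFormData feeds from form field names) next to hardened versions that refuse the three keys, only descend into own properties, and fail closed past a depth bound. MAX_DEPTH, the function names, and the two attacker inputs are assumptions constructed for the demo; jq's real bug is a native segfault, which the JavaScript model can only mirror as an uncaught stack-overflow RangeError.

```javascript
// Added example, not code from jq, @theecryptochad/merge-guard, or @rvf.
// Naive vs. hardened recursive merge and dotted-path setter. MAX_DEPTH, the
// forbidden-key list, the function names and the sample inputs are assumptions.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DEPTH = 64; // assumed bound; legitimate documents rarely nest this deep

function isPlainObject(v) {
  if (v === null || typeof v !== 'object' || Array.isArray(v)) return false;
  const p = Object.getPrototypeOf(v);
  return p === Object.prototype || p === null;
}

// Naive merge: no key filter, no depth bound. For key "__proto__",
// target[key] resolves to Object.prototype, so the recursion writes there.
function unsafeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeDeepMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: rejects the three dangerous keys, only descends into own
// properties of target, and fails closed once depth passes MAX_DEPTH.
function safeDeepMerge(target, source, depth = 0) {
  if (depth > MAX_DEPTH) throw new RangeError(`merge depth exceeds ${MAX_DEPTH}`);
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`refusing to merge key "${key}"`);
    const s = source[key];
    if (isPlainObject(s)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeDeepMerge(own ? target[key] : {}, s, depth + 1);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Dotted-path setter in the style of setPath(obj, "a.b.c", value). The unsafe
// variant follows any segment as a property access; the safe variant refuses
// forbidden segments, inherited properties and over-long paths.
function setPath(obj, path, value, { safe = true } = {}) {
  const parts = path.split('.');
  if (safe && parts.length > MAX_DEPTH) throw new RangeError('path too deep');
  let cur = obj;
  for (const part of parts.slice(0, -1)) {
    if (safe && FORBIDDEN_KEYS.has(part)) throw new TypeError(`refusing to walk "${part}"`);
    const own = !safe || Object.prototype.hasOwnProperty.call(cur, part);
    if (!(own && isPlainObject(cur[part]))) cur[part] = {};
    cur = cur[part];
  }
  const last = parts[parts.length - 1];
  if (safe && FORBIDDEN_KEYS.has(last)) throw new TypeError(`refusing to set "${last}"`);
  cur[last] = value;
  return obj;
}

// Models a preprocessFormData step: every submitted field name is a path.
function preprocessFormData(body, { safe = true } = {}) {
  const out = {};
  for (const [name, value] of new URLSearchParams(body)) setPath(out, name, value, { safe });
  return out;
}

// Runs fn (swallowing a refusal), reports whether Object.prototype gained
// `probe` as an own property, then undoes the pollution for later code.
function pollutes(fn, probe) {
  try { fn(); } catch (e) { /* hardened code refuses; that is the point */ }
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  delete Object.prototype[probe];
  return leaked;
}

// Two objects nested `depth` levels, built iteratively so only the merge recurses.
function nestedChain(depth) {
  const root = {};
  let cur = root;
  for (let i = 0; i < depth; i++) { cur.x = {}; cur = cur.x; }
  return root;
}

// 'ok' if the merge finishes, otherwise the message of the error it died with.
function mergeOutcome(mergeFn, depth) {
  try { mergeFn(nestedChain(depth), nestedChain(depth)); return 'ok'; }
  catch (e) { return e.message; }
}

// Constructed attacker inputs for the demo (not captured traffic).
const POLLUTING_JSON = '{"__proto__":{"polluted":"yes"}}';
const FORM_BODY = 'user.name=alice&__proto__.isAdmin=true';

console.log('unsafe merge pollutes:', pollutes(() => unsafeDeepMerge({}, JSON.parse(POLLUTING_JSON)), 'polluted'));
console.log('safe merge pollutes:  ', pollutes(() => safeDeepMerge({}, JSON.parse(POLLUTING_JSON)), 'polluted'));
console.log('unsafe form pollutes: ', pollutes(() => preprocessFormData(FORM_BODY, { safe: false }), 'isAdmin'));
console.log('safe form pollutes:   ', pollutes(() => preprocessFormData(FORM_BODY), 'isAdmin'));
console.log('unsafe merge, 200000 deep:', mergeOutcome(unsafeDeepMerge, 200000));
console.log('safe merge, 200000 deep:  ', mergeOutcome(safeDeepMerge, 200000));
```

Run it with `node` and no dependencies. The key-filter alone is not enough: JSON.parse happily creates an own property literally named "__proto__", and Object.keys() lists it, so a merge that never checks the name reaches Object.prototype through the target side of the recursion. Likewise the depth bound is what turns an engine-level stack overflow (or, in a C implementation such as jq's, a segfault) into an ordinary, catchable error before the input is trusted.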
Vulnrichment | added 2026/05/11 4:03 p.m. | 6 views

CVE-2026-33359 Meari unauthenticated alert image access in cloud object storage

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows...

CVSS 7.5 | AI score 5.8 | EPSS 0.00293
Exploits 0 | References 2

ATTACKERKB | added 2026/05/11 4:03 p.m. | 4 views

CVE-2026-33359

In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows...

CVSS 7.5 | AI score 5.8 | EPSS 0.00293
Exploits 0 | References 3

CVE | added 2026/05/11 4:03 p.m. | 11 views

CVE-2026-33359

Meari IoT Cloud uses Alibaba OSS for alert image storage; motion snapshots can be retrieved without authentication, signed URLs, or expiry enforcement. This affects motion alert images exposed as direct object references, with URLs remaining valid beyond expected windows. Root cause is lack of ac...

CVSS 7.5 | AI score 5.8 | EPSS 0.00293
Exploits 0 | References 2

ATTACKERKB | added 2026/05/11 3:54 p.m. | 6 views

CVE-2026-42843

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

CVSS 8.8 | AI score 5.8 | EPSS 0.0035
Exploits 1 | References 2 | Affected software 1

Vulnrichment | added 2026/05/11 3:54 p.m. | 12 views

CVE-2026-42843 grav-plugin-api: Grav API Privilege Escalation to Super Admin

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

CVSS 8.8 | AI score 5.8 | EPSS 0.0035
Exploits 1 | References 1

Snyk | added 2026/05/11 2:48 p.m. | 9 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview: Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the parsing of Git objects with malformed or ambiguous commit or tag objects. An attacker can cause inconsistent interpretation of object metadata or signature validation by...

CVSS 7.5 | AI score 5.8 | EPSS 0.00159
Exploits 0 | References 2
