15102 matches found

Cvelist
added 2026/06/22 9:4 p.m., 21 views

CVE-2026-56348 n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint

n8n before 2.20.0 contains a credential exfiltration vulnerability in the POST /rest/dynamic-node-parameters/options endpoint that allows authenticated users to bypass Allowed HTTP Request Domains restrictions. Attackers with credential access can cause the n8n server to issue HTTP requests with...

CVSS 9.1, EPSS 0.00262
Exploits: 0, References: 2
Cvelist
added 2026/06/22 9:4 p.m., 19 views

CVE-2026-56221 Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts

Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can injec...

CVSS 7.1, EPSS 0.00276
Exploits: 0, References: 2
RedHat Linux
added 2026/06/22 9:1 p.m., 4 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

CVSS 7.5, AI score 6.8, EPSS 0.01945
Exploits: 0, References: 8
OSV
added 2026/06/22 6:16 p.m., 4 views

DEBIAN-CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename*=charset'lang'value, name*=...,...

CVSS 5.3, AI score 5.9, EPSS 0.00177
Exploits: 0, References: 1
NVD
added 2026/06/22 6:16 p.m., 12 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename*=charset'lang'value, name*=...,...

CVSS 5.3, EPSS 0.00177
Exploits: 0, References: 1
Cvelist
added 2026/06/22 4:57 p.m., 31 views

CVE-2026-53537 Python-Multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parse_options_header parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename*=charset'lang'value, name*=...,...

CVSS 3.7, EPSS 0.00177
Exploits: 0, References: 1
CVE
added 2026/06/22 4:57 p.m., 27 views

CVE-2026-53537

Python-Multipart: Prior to 0.0.30, parse_options_header could decode RFC 2231/5987 extended parameters (filename*=, name*=, etc.) via email.message, leading to the filename/field name being surfaced in ways that RFC 7578 forbids. This allowed parameter smuggling where an attacker could bypass ups...

CVSS 5.3, AI score 5.9, EPSS 0.00177
Exploits: 0, References: 1, Affected Software: 1
Snyk
added 2026/06/22 2:22 p.m., 4 views

Uncontrolled Recursion

Overview: Affected versions of this package are vulnerable to Uncontrolled Recursion in the NestedParamsEncoder module through the dehash routine. An attacker can cause the application to crash and exhaust system resources by submitting a deeply nested query string that triggers uncontrolled...

CVSS 8.7, AI score 5.9, EPSS 0.00391
Exploits: 1, References: 2
Positive Technologies
added 2026/06/22 12:0 a.m., 12 views

PT-2026-51402

Name of the Vulnerable Software and Affected Versions: Cap-go versions prior to 12.128.2. Description: Multiple SQL injection issues exist in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization...

CVSS 7.1, AI score 6, EPSS 0.00276
Exploits: 0, References: 5
Amazon
added 2026/06/22 12:0 a.m., 9 views

Important: containerd

Issue Overview: The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated client...

CVSS 10, AI score 5.9, EPSS 0.005
Exploits: 0
EUVD
added 2026/06/20 3:24 p.m., 8 views

EUVD-2026-38126

Capgo before 12.128.2 contains an open redirect vulnerability in stripeportal and stripecheckout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for...

CVSS 4.8, AI score 5.9, EPSS 0.00152
Exploits: 0, References: 2
OSV
added 2026/06/20 6:52 a.m., 2 views

SUSE-SU-2026:22193-1 Security update for mcphost

This update for mcphost fixes the following issues - CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506: golang.org/x/net/html: multiple issues when parsing HTML files bsc1267109. - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad...

CVSS 10, AI score 5.9, EPSS 0.00781
Exploits: 0, References: 25
OSV
added 2026/06/20 6:52 a.m., 2 views

SUSE-SU-2026:22226-1 Security update for mcphost

This update for mcphost fixes the following issues - CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506: golang.org/x/net/html: multiple issues when parsing HTML files bsc1267109. - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad...

CVSS 10, AI score 5.9, EPSS 0.00781
Exploits: 0, References: 25
Github Security Blog
added 2026/06/19 10:10 p.m., 20 views

@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing

Arbitrary Cloudinary API Parameter Signing in @jhb.software/payload-cloudinary-plugin. Summary: @jhb.software/payload-cloudinary-plugin v0.3.4 exposes a server-side signing endpoint POST /api/cloudinary-generate-signature that passes attacker-supplied paramsToSign directly to...

AI score 6.1
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2026/06/19 7:35 p.m., 9 views

GHSA-98M9-HRRM-R99R Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters

Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string such as: text axxxx...x=1 causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash...

CVSS 7.5, AI score 5.7, EPSS 0.00391
Exploits: 1, References: 6
Cvelist
added 2026/06/19 7:23 p.m., 18 views

CVE-2026-49345 Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery SSRF vulnerability exists in Mercator's CVE configuration panel /admin/config/parameters. The testProvider method in ConfigurationController passes...

CVSS 5.3, EPSS 0.0054
Exploits: 0, References: 1
NVD
added 2026/06/19 6:16 p.m., 16 views

CVE-2026-49287

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could...

CVSS 7.4, EPSS 0.0027
Exploits: 0, References: 2
Cvelist
added 2026/06/19 5:11 p.m., 15 views

CVE-2019-25751 Joomla J-ClassifiedsManager 3.0.5 SQL Injection

Joomla Component J-ClassifiedsManager 3.0.5 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the categorySearch, adType, and citySearch...

CVSS 8.8, EPSS 0.00366
Exploits: 0, References: 4
CVE
added 2026/06/19 5:11 p.m., 9 views

CVE-2019-25751

CVE-2019-25751 affects Joomla’s J-ClassifiedsManager component, version 3.0.5. The vulnerability is an SQL injection in the displayads flow that does not require authentication. An attacker can inject malicious SQL through POST parameters, specifically categorySearch, adType, and citySearch, to e...

CVSS 8.8, AI score 6.2, EPSS 0.00366
Exploits: 0, References: 4
EUVD
added 2026/06/19 4:17 p.m., 4 views

EUVD-2017-18997

Joomla! Component Twitch Tv 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username and id parameters. Attackers can send GET requests to index.php with option=com_twitchtv and view paramete...

CVSS 8.8, AI score 6.2, EPSS 0.0027
Exploits: 0, References: 4