Lucene search
K

1765 matches found

Cvelist
Cvelist
added yesterday6 views

CVE-2026-8384

In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker only...

5.3CVSS0.00191EPSS
Exploits1References1
OSV
OSV
added 3 days ago2 views

MAL-2026-10214 Malicious code in babel-preset-lib-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4 index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP via...

6.1AI score
Exploits0References5
OSV
OSV
added 5 days ago3 views

CVE-2026-55472 Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scopelocationsfmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not return immediately, allowing creation of a child location...

4.3CVSS6.1AI score0.00197EPSS
Exploits0References5
CVE
CVE
added 5 days ago9 views

CVE-2026-55472

Snipe-IT (IT asset/license management) prior to version 8.6.2 permits creating a child location under a parent from a different company when Full Multiple Companies Support and scope_locations_fmcs are enabled. The API location creation endpoint detects an invalid parent-child company mismatch bu...

4.3CVSS6.1AI score0.00197EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-55472 Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scopelocationsfmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not return immediately, allowing creation of a child location...

4.3CVSS0.00197EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-49274 Kirby: `pages.access` permission is not checked in the pages picker for parent pages

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page...

5.3CVSS0.00275EPSS
Exploits0References7
CVE
CVE
added 6 days ago8 views

CVE-2026-59215

Open WebUI prior to 0.10.0 contains a cross-channel thread context exposure bug: channel thread parent_id binding did not bind to the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose thread context across channels. The issue is fixed in ve...

3.1CVSS5.9AI score0.00255EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 6 days ago9 views

EUVD-2026-42630

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, channel thread parent and reply handling did not bind parentid to the channel in the URL, allowing an authenticated user to reference a message from another private or DM channel and disclose...

3.1CVSS5.9AI score0.00255EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago4 views

io.netty/netty-resolver-dns: Netty has Insufficient Bailiwick Validation for NS Records

A flaw was found in Netty's DnsResolveContext. An attacker controlling an authoritative name server for a subdomain can exploit this vulnerability by providing crafted NS records that are insufficiently validated. This allows the attacker to poison the DNS cache for parent domains, bypassing...

10CVSS5.9AI score0.00292EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added last week6 views

CVE-2026-44918

A flaw was found in OpenStack Ironic. An authenticated project manager can change the node associated with Volume Connectors or Volume Target objects, potentially changing the project permitted to access the object. Volume Connectors contain secrets in environments configuring boot from volume wi...

8.7CVSS5.9AI score0.00426EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added last week3 views

kernel: procfs: fix missing RCU protection when reading real_parent in do_task_stat()

A flaw was found in the Linux kernel's procfs component. When reading /proc/pid/stat, the dotaskstat function accesses task-realparent without proper Read-Copy-Update RCU protection. This missing protection creates a race condition, which can lead to a Use-After-Free UAF vulnerability. A local...

7.8CVSS5.9AI score0.0012EPSS
Exploits0References5
OSV
OSV
added 2026/07/08 1:16 a.m.5 views

DEBIAN-CVE-2026-59996

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...

5.4CVSS6AI score0.00241EPSS
Exploits0References1
NVD
NVD
added 2026/07/08 1:16 a.m.7 views

CVE-2026-59996

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...

5.4CVSS0.00241EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/07/08 12:7 a.m.4 views

CVE-2026-59996

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...

5.4CVSS6AI score0.00241EPSS
Exploits0
EUVD
EUVD
added 2026/07/08 12:7 a.m.7 views

EUVD-2026-42138

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...

4.2CVSS6AI score0.00241EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/08 12:7 a.m.124 views

CVE-2026-59996

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...

4.2CVSS0.00241EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/07/08 12:7 a.m.5 views

CVE-2026-59996

scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations...

5.4CVSS6AI score0.00241EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/07/07 8:2 p.m.4 views

kernel: procfs: fix missing RCU protection when reading real_parent in do_task_stat()

A flaw was found in the Linux kernel's procfs component. When reading /proc/pid/stat, the dotaskstat function accesses task-realparent without proper Read-Copy-Update RCU protection. This missing protection creates a race condition, which can lead to a Use-After-Free UAF vulnerability. A local...

7.8CVSS6.5AI score0.0012EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/07 7:35 p.m.7 views

kernel: procfs: fix missing RCU protection when reading real_parent in do_task_stat()

A flaw was found in the Linux kernel's procfs component. When reading /proc/pid/stat, the dotaskstat function accesses task-realparent without proper Read-Copy-Update RCU protection. This missing protection creates a race condition, which can lead to a Use-After-Free UAF vulnerability. A local...

7.8CVSS5.9AI score0.0012EPSS
Exploits0References5
OSV
OSV
added 2026/07/07 11:45 a.m.5 views

PYSEC-2026-1494 Kinto Attachment's attachments can be replaced on read-only records

Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...

8.6CVSS5.9AI score0.00702EPSS
Exploits0References7
Rows per page
Query Builder