Lucene search
K

146 matches found

Nuclei
Nuclei
added 8 hours ago291 views

OpenMetadata - Authentication Bypass

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

9.8CVSS7.1AI score0.73255EPSS
Exploits5References5
NVD
NVD
added last week9 views

CVE-2026-9181

Esri ArcGIS Server contains a directory traversal vulnerability. ArcGIS Enterprise on Kubernetes is not impacted. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow overwriting sensitive files on the system. Abuse of this...

9.8CVSS0.00727EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added last week7 views

CVE-2026-9181 Directory Traversal in ArcGIS Server

Esri ArcGIS Server contains a directory traversal vulnerability. ArcGIS Enterprise on Kubernetes is not impacted. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow overwriting sensitive files on the system. Abuse of this...

9.8CVSS6AI score0.00727EPSS
Exploits0References1
EUVD
EUVD
added last week4 views

EUVD-2026-41897

ArcGIS Server contains a directory traversal vulnerability. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to sensitive files on the system. This issue impacts all versions of ArcGIS Server 12.0 and prior...

9.8CVSS6AI score0.00727EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 12:16 p.m.8 views

CVE-2026-14198

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

9.1CVSS0.00299EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 5:51 p.m.7 views

EUVD-2026-40146

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the...

9.3CVSS5.8AI score0.00374EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.13 views

PT-2026-53652

Name of the Vulnerable Software and Affected Versions googleapis/mcp-toolbox affected versions not specified Description A path traversal issue exists in the HTTP tool URL builder. When constructing downstream API requests, the tool substitutes user-controlled pathParams into the configured tool...

9.3CVSS6AI score0.00374EPSS
Exploits0References5
CVE
CVE
added 2026/06/26 1:47 p.m.18 views

CVE-2026-13426

The Mattermost Go module github.com/mattermost/mattermost/server/public versions

5.4CVSS5.8AI score0.00197EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.10 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.7AI score0.0036EPSS
Exploits0References1
NVD
NVD
added 2026/05/26 7:16 a.m.12 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS0.0036EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/26 5:0 a.m.43 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS0.0036EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/26 5:0 a.m.8 views

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References5
CVE
CVE
added 2026/05/26 5:0 a.m.40 views

CVE-2026-9495

CVE-2026-9495 affects the npm package @koa/router, specifically versions 14.0.0 and earlier than 15.0.0. The issue is an Access Control Bypass caused by middleware being silently dropped from the execution chain when the router prefix contains path parameters. This can enable bypass of authentica...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/26 5:0 a.m.15 views

EUVD-2026-31792

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.23 views

PT-2026-43190

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...

7.3CVSS5.9AI score0.0036EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.10 views

@koa/router 安全漏洞

@koa/router is a routing middleware developed by Koa.js. Versions from 14.0.0 to 15.0.0 of @koa/router had a security vulnerability. This vulnerability occurred when the router prefix contained path parameters, causing the middleware to silently discard requests, which could lead to access contro...

7.3CVSS5.8AI score0.0036EPSS
Exploits0References4
CVE
CVE
added 2026/05/15 6:36 p.m.15 views

CVE-2021-47967

CVE-2021-47967 affects PHP Timeclock 1.04 with multiple cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can target login.php, timeclock.php, audit.php, and timerpt.php endpoints...

6.1CVSS5.9AI score0.00211EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/15 6:36 p.m.8 views

CVE-2021-47967 PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...

6.1CVSS5.9AI score0.00211EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/15 6:1 p.m.17 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generic download endpoint when the disk and path parameters are supplied in the request. An attacker can access unrelated files stored on configured storage disks by manipulating...

7.7CVSS5.8AI score0.00262EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/22 8:28 p.m.10 views

i18next-locize-backend has URL Injection via Unsanitized Path Parameters

Summary Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of...

6.5CVSS5.7AI score0.00224EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder