Lucene search
K

5686 matches found

Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-50003 OFFIS DCMTK Toolkit Path Traversal

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative ../ paths and absolute paths...

9.8CVSS0.00435EPSS
Exploits0References3
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-40352

Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in rundir agent/src/swarm/store.py. A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary...

4.2CVSS5.9AI score0.00253EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths arrays of paths and regular expressions are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...

9.1CVSS0.00295EPSS
Exploits0References2
CVE
CVE
added 6 days ago9 views

CVE-2026-6556

The CVE concerns @fastify/express 4.0.6 and earlier, where non-string mount paths (arrays/regex) are not prefixed inside prefixed plugin scopes. This causes middleware registered with those forms to not match the actual prefixed request path, potentially bypassing path-scoped security middleware ...

9.1CVSS5.8AI score0.00295EPSS
Exploits0References2Affected Software1
OSV
OSV
added 6 days ago2 views

DEBIAN-CVE-2026-49877

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/ paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from...

8.1CVSS5.8AI score0.0051EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-49877

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/ paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from...

8.1CVSS5.8AI score0.0051EPSS
Exploits0References2Affected Software1
CVE
CVE
added 6 days ago9 views

CVE-2026-49877

CVE-2026-49877 documents an Improper Authorization vulnerability in Apache ActiveMQ. An authenticated, low-privilege Web Console user can access "/admin/*" paths because Jetty default settings fail to restrict those paths to admins. Affected versions are before 5.19.8 and before 6.2.7 (i.e., 6.0....

8.1CVSS5.8AI score0.0051EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-53878

Name of the Vulnerable Software and Affected Versions @fastify/express versions prior to 4.0.7 Description A middleware scoping flaw exists where plugin prefixes are not applied to middleware mount paths when the mount path is provided as an array or a regular expression. This occurs due to...

9.1CVSS6AI score0.00295EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 6 days ago7 views

PT-2026-53840

Name of the Vulnerable Software and Affected Versions Apache ActiveMQ versions prior to 5.19.8 Apache ActiveMQ versions 6.0.0 through 6.2.6 Description An improper authorization issue exists where an authenticated user with low privileges can access the /admin/ endpoints in the Web Console. This...

8.1CVSS5.9AI score0.0051EPSS
Exploits0References7
Wiz blog
Wiz blog
added last week10 views

Bridging the Visibility Gap: A Unified Security Operating Model for Hybrid Cloud Teams

Move beyond chasing vulnerabilities to a unified hybrid risk strategy. The Sensor Workload Scanner is now GA and extends our risk prioritization engine to on-premise environments to identify the critical attack paths across your hybrid cloud...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/29 5:2 a.m.8 views

CVE-2026-53632

A flaw was found in launch-editor. This component, used in Node.js to open files, can be tricked into accessing arbitrary paths, including Windows Universal Naming Convention UNC paths. When a malicious UNC path is opened, Windows automatically attempts NTLM authentication to a remote server...

5.5CVSS6AI score0.00322EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/28 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-53156

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - nvmem: core: fix use-after-free bugs in error paths Fix several instances of error paths in which we call nvmemdeviceput - which may end up freeing the underlyi...

6AI score0.00168EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/27 5:33 a.m.6 views

CVE-2026-12404

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00281EPSS
Exploits0References9
SUSE CVE
SUSE CVE
added 2026/06/27 1:52 a.m.6 views

SUSE CVE-2026-55092

Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a...

8.8CVSS5.9AI score0.00292EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/27 12:30 a.m.7 views

EUVD-2026-39923

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths...

9.8CVSS6AI score0.00839EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/26 11:21 p.m.13 views

EUVD-2026-38068

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host...

8.1CVSS5.9AI score0.00269EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 11:17 p.m.12 views

CVE-2026-28701

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths...

9.8CVSS0.00839EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/26 10:40 p.m.10 views

CVE-2026-48935

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system. Mitigation Mitigation for this issue is either not...

3.3CVSS5.6AI score0.00154EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/26 10:40 p.m.6 views

CVE-2026-28701

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths...

9.8CVSS6AI score0.00839EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/26 10:40 p.m.32 views

CVE-2026-28701 Daktronics Controller Firmware Path Traversal

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths...

9.8CVSS0.00839EPSS
Exploits0References2
Rows per page
Query Builder