Lucene search
+L

3393 matches found

CVE
CVE
added 12 hours ago11 views

CVE-2026-9602

Mattermost Desktop App vulnerable versions:

6.5CVSS5.4AI score
Exploits0References1
Cvelist
Cvelist
added 12 hours ago13 views

CVE-2026-9602 Mattermost Desktop App crashes when malformed arguments are provided to some exposed IPC methods

Mattermost Desktop App versions =6.2 6.0.2 5.6.13.0 fail to validate payloads sent from the Mattermost Web App to the Desktop App which allows a malicious server owner to crash the Mattermost Desktop App via changing the payload of a method to a malformed one. Mattermost Advisory ID: MMSA-2026-00...

6.5CVSS
Exploits0References1
Cvelist
Cvelist
added yesterday33 views

CVE-2026-44019 Docling Core has insufficient validation of image reference URIs

Docling Core defines core data types and transformations for the document processing application Docling. In versions 2.5.0 and above, prior to 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit. In applications that acce...

8.1CVSS0.0004EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday47 views

Webmin < 1.920 - Authenticated Remote Code Execution

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialisevariable makes an eval call. NOTE: the WebminServersIndex documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must...

8.8CVSS7.1AI score0.38038EPSS
Exploits4References5
NVD
NVD
added yesterday7 views

CVE-2026-13767

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsmajaxsavepages AJAX handler sanitizetextfield only and lack o...

6.5CVSS0.00249EPSS
Exploits0References5
NVD
NVD
added 2 days ago6 views

CVE-2026-48795

AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.proto.polluted and constructor.prototype still caused lodash .set via @poppinss/utils to create...

8.6CVSS0.0054EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-48795 Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser

AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.proto.polluted and constructor.prototype still caused lodash .set via @poppinss/utils to create...

8.6CVSS0.0054EPSS
Exploits0References5
CVE
CVE
added 2 days ago26 views

CVE-2026-48795

Summary (CVE-2026-48795): AdonisJS’s bodyparser (/@adonisjs/bodyparser) has an incomplete fix for CVE-2026-25754 in certain pre-release ranges. The issue arises in nested multipart/form-data payloads (for example involving proto or constructor.prototype) that allow lodash _.set() through @poppins...

8.6CVSS6.1AI score0.0054EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago30 views

CVE-2026-61436 PraisonAI before 4.6.78 Missing Webhook Signature Verification

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message...

8.8CVSS0.0029EPSS
Exploits0References4
NVD
NVD
added 3 days ago4 views

CVE-2026-48761

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes omitted URL-bearing attributes on , , , and , and URLs inside content bypassed URL sanitization, allowing...

6.1CVSS0.00268EPSS
Exploits0References5
OSV
OSV
added 3 days ago4 views

CVE-2026-48761 Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlAttributeSanitizer::getSupportedAttributes omitted URL-bearing attributes on , , , and , and URLs inside content bypassed URL sanitization, allowing...

5.3CVSS6.1AI score0.00268EPSS
Exploits0References7
NVD
NVD
added 3 days ago4 views

CVE-2026-45077

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the server:log listener Symfony\Bridge\Monolog\Command\ServerLogCommand binds to 0.0.0.0:9911 by default and processes each received frame with...

8.6CVSS0.00447EPSS
Exploits0References6
OSV
OSV
added 3 days ago3 views

CVE-2026-45077 Symfony: Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, the server:log listener Symfony\Bridge\Monolog\Command\ServerLogCommand binds to 0.0.0.0:9911 by default and processes each received frame with...

8.3CVSS6.1AI score0.00447EPSS
Exploits0References8
CVE
CVE
added 3 days ago40 views

CVE-2026-45077

CVE-2026-45077 concerns Symfony’s server:log listener (part of Symfony\Bridge\Monolog) which binds to 0.0.0.0:9911 by default and processes each frame with unserialize(base64_decode($message)) without authentication or an allowed-classes allowlist. This permits any reachable host to submit attack...

8.6CVSS6.1AI score0.00447EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43310

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...

7.5CVSS6AI score0.00259EPSS
Exploits0References3
NVD
NVD
added 4 days ago5 views

CVE-2026-9708

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via...

4.9CVSS0.0021EPSS
Exploits0References1
NVD
NVD
added 4 days ago5 views

CVE-2026-15574

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...

7.5CVSS0.00259EPSS
Exploits0References2
CVE
CVE
added 4 days ago10 views

CVE-2026-15574

The CVE-2026-15574 issue affects the vllm-orchestrator-gateway component, where the production binary logs incoming authorization headers and full chat payloads, potentially exposing PII, secrets, bearer tokens, and conversation content. This data exposure arises from a hard-coded debug/default l...

7.5CVSS6AI score0.00259EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-15574 Vllm-orchestrator-gateway: vllm-orchestrator-gateway: authorization header and full chat payloads logged at hard-coded debug default

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...

7.5CVSS0.00259EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 4 days ago8 views

CVE-2026-15574

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...

7.5CVSS6AI score0.00259EPSS
Exploits0References3
Rows per page
Query Builder