Lucene search
+L

128 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago9 views

Malicious code in @hibachi-xyz/ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 308aa7f8a3746a346bbed305975f68d110bcf6b98815b7bf9f579e37089fd78b The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require,...

6.1AI score
Exploits0References1
EUVD
EUVD
added 4 days ago4 views

EUVD-2026-44622

Authorization Bypass Through User-Controlled Key CWE-639 in the Excel import handlers CustomerImport, LeadImport, ProductImport in Roskus Prospero Flow CRM before 5.14.0 allows a remote, authenticated user of any role or company to create customer, lead, and product records inside another company...

6.9CVSS6.1AI score0.0047EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 8:37 p.m.17 views

CVE-2026-59707

CVE-2026-59707 : LocalAI exposes an unauthenticated SSRF via POST /models/apply. The endpoint forwards unsanitized gallery URL fields to gallery.GetGalleryConfigFromURLWithContext, allowing requests to internal/private/loopback URLs and leaking partial responses in error messages. No exploitation...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/22 9:4 p.m.8 views

EUVD-2026-38365

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

5.3CVSS5.9AI score0.00272EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/22 9:4 p.m.25 views

CVE-2026-56255 Capgo - Denial of Service via Unlimited Demo App Creation

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

5.3CVSS0.00272EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.19 views

PT-2026-51403

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A denial of service issue exists in the 'POST /app/demo' endpoint. Authenticated users with organization write permissions can create an unlimited number of demo applications because the system lack...

5.3CVSS5.8AI score0.00272EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/17 6:49 p.m.14 views

Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation

Summary A critical missing authorization flaw exists in Avo's association attach workflow. The UI and GET /resources/:resource/:id/:related/new path can check attach?, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating...

9.6CVSS5.4AI score0.00331EPSS
Exploits0References8Affected Software1
Cvelist
Cvelist
added 2026/06/08 3:30 p.m.50 views

CVE-2026-46442 Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When...

9.4CVSS0.0082EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/08 12:0 a.m.30 views

VulnCheck KEV: CVE-2026-5027

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences '../'...

8.8CVSS5.6AI score0.31405EPSS
In wildExploits4References27
RedhatCVE
RedhatCVE
added 2026/06/05 7:31 p.m.13 views

CVE-2026-33431

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config//show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and it...

7.1CVSS5.6AI score0.00392EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.14 views

CVE-2026-40590

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already...

4.3CVSS5.5AI score0.00214EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.12 views

CVE-2026-44554

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...

8.1CVSS5.5AI score0.00295EPSS
Exploits1References1
NVD
NVD
added 2026/06/04 2:16 p.m.14 views

CVE-2019-25744

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the posttitle parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads...

5.4CVSS0.00171EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/04 1:22 p.m.34 views

CVE-2019-25744 WordPress Popup Builder 3.49 Persistent Cross-Site Scripting

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the posttitle parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads...

5.4CVSS0.00171EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/04 1:22 p.m.10 views

CVE-2019-25744 WordPress Popup Builder 3.49 Persistent Cross-Site Scripting

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the posttitle parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads...

5.4CVSS5.7AI score0.00171EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/04 1:22 p.m.10 views

EUVD-2019-20180

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the posttitle parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads...

6.4CVSS5.7AI score0.00171EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.15 views

PT-2026-46214

WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payload...

6.4CVSS5.7AI score0.00171EPSS
Exploits0References5
NVD
NVD
added 2026/05/29 4:16 p.m.15 views

CVE-2018-25400

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/formpost.php endpoint with crafted SQL payloads to extract...

8.8CVSS0.00334EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/29 2:46 p.m.10 views

CVE-2018-25400 The Open ISES Project 3.30A SQL Injection via form_post.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/formpost.php endpoint with crafted SQL payloads to extract...

8.8CVSS6.1AI score0.00334EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/29 2:46 p.m.29 views

CVE-2018-25400 The Open ISES Project 3.30A SQL Injection via form_post.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/formpost.php endpoint with crafted SQL payloads to extract...

8.8CVSS0.00334EPSS
Exploits0References4
Rows per page
Query Builder