119516 matches found
CVE-2026-15331
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function addurl/addpackage of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated...
CVE-2026-15330
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function buildimagecontent/downloadtodataurl of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack c...
CVE-2026-15321
A vulnerability was found in MyEMS up to 6.4.0. The affected element is the function onpost of the file myems-api/core/svg.py of the component Admin Backend. The manipulation of the argument newvalues'data' results in cross site scripting. The attack can be launched remotely. The exploit has been...
CVE-2026-15331 zhayujie CowAgent Skill Installation service.py _add_package path traversal
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function addurl/addpackage of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated...
CVE-2026-15331
The CVE-2026-15331 vulnerability affects zhayujie CowAgent up to 2.1.0. The issue resides in the Skill Installation Handler’s component, specifically the _add_url/_add_package functions in agent/skills/service.py, where manipulation of the Name argument enables path traversal. A remote attack is ...
CVE-2026-15331
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function addurl/addpackage of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated...
EUVD-2026-42789
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function addurl/addpackage of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated...
CVE-2026-15330 zhayujie CowAgent Vision Tool vision.py _download_to_data_url server-side request forgery
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function buildimagecontent/downloadtodataurl of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack c...
CVE-2026-15330
CVE-2026-15330 affects zhayujie CowAgent — Vision Tool, specifically the file vision.py, function _build_image_content/_download_to_data_url. The vulnerability arises from manipulating the input image argument, enabling remote SSRF via the Vision Tool component. Attacker could trigger remotely; e...
CVE-2026-15330
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function buildimagecontent/downloadtodataurl of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack c...
EUVD-2026-42788
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function buildimagecontent/downloadtodataurl of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack c...
KubePi <= v1.6.4 LoginLogsSearch - Unauthorized Access
KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds. id: CVE-2023-22478 info: name: KubePi = v1.6.4 LoginLogsSearch - Unauthorized Access autho...
KubeOperator Foreground `kubeconfig` - File Download
KubeOperator is an open source Kubernetes distribution focused on helping enterprises plan, deploy and operate production-level K8s clusters. In KubeOperator versions 3.16.3 and below, API interfaces with unauthorized entities and can leak sensitive information. This vulnerability could be used t...
Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via Post content. id: CVE-2022-42096 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...
NexusPHP <1.7.33 - Cross-Site Scripting
NexusPHP before 1.7.33 contains multiple cross-site scripting vulnerabilities via the secret parameter in /login.php; q parameter in /user-ban-log.php; query parameter in /log.php; text parameter in /moresmiles.php; q parameter in myhr.php; or id parameter in /viewrequests.php. An attacker can...
Masa CMS - Authentication Bypass
Masa CMS 7.2, 7.3, and 7.4-beta are susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...
Contao <4.13.3 - Cross-Site Scripting
Contao prior to 4.13.3 contains a cross-site scripting vulnerability. It is possible to inject arbitrary JavaScript code into the canonical tag. id: CVE-2022-24899 info: name: Contao 4.13.3 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Contao prior to 4.13.3 contains...
WordPress Elementor Website Builder <= 3.5.5 - DOM Cross-Site Scripting
WordPress Elementor Website Builder plugin 3.5.5 and prior contains a reflected cross-site scripting vulnerability via the document object model. id: CVE-2022-29455 info: name: WordPress Elementor Website Builder = 3.5.5 - DOM Cross-Site Scripting author: rotembar,daffainfo severity: medium...
Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via the Page content. id: CVE-2022-42095 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...
KubePi JwtSigKey - Admin Authentication Bypass
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermor...