Lucene search
K

133 matches found

EUVD
EUVD
added 6 days ago6 views

EUVD-2026-40703

Race in WebRTC in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...

5.8AI score0.00197EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 7:24 p.m.11 views

Malicious code in vend-utilities (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1 package.json declares preinstall: node index.js, causing index.js to run automatically on npm install. The script collects installer host identity...

5.4AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 a.m.9 views

CVE-2026-53675

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

5.3CVSS5.6AI score0.00193EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 12:31 a.m.13 views

EUVD-2026-35879

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary userid because the getitemspermissionscheck meth...

5.3CVSS5.6AI score0.00193EPSS
Exploits0References4
NVD
NVD
added 2026/06/05 3:16 p.m.13 views

CVE-2020-25900

HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. The client side was changed in 2019 to encrypt that database...

5.3CVSS0.00201EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/11 2:42 p.m.8 views

CVE-2026-44201 Wagtail: Improper restriction handling on Documents and Images API

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...

5.3CVSS5.8AI score0.00256EPSS
Exploits0References1
OSV
OSV
added 2026/05/07 9:16 p.m.13 views

GHSA-RJ4G-RQGH-RX9H Ech0 comment model's Email field returned on public /api/comments endpoints

Summary The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

5.3CVSS5.8AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/06 10:22 p.m.6 views

Lemmy may expose private community data through community, saved, liked, and modlog API views

NOTE: Only affects development version. Summary Lemmy applies private-community checks in PostView and CommentView, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community sidebar and summary fields. Alic...

5.5AI score
Exploits0References3Affected Software1
NVD
NVD
added 2026/04/23 2:16 a.m.4 views

CVE-2026-41243

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when safeMode is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit...

6.9CVSS0.00177EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/08 4:41 p.m.5 views

CVE-2026-33461

Incorrect Authorization CWE-863 in Kibana can lead to information disclosure via Privilege Abuse CAPEC-122. A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

7.7CVSS5.9AI score0.00282EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/08 3:31 p.m.4 views

EUVD-2026-20463

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS5.9AI score0.00255EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/31 8:38 p.m.29 views

CVE-2026-34395 AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

6.5CVSS0.00316EPSS
Exploits1References1
NVD
NVD
added 2026/03/19 10:16 p.m.5 views

CVE-2026-33410

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...

5.4CVSS0.00156EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/19 9:57 p.m.2 views

CVE-2026-33410 Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...

5.4CVSS5.9AI score0.00156EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/19 9:57 p.m.24 views

CVE-2026-33410 Discourse hardens chat DM channel creation and expansion

Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...

5.4CVSS0.00156EPSS
Exploits0References1
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/18 12:0 a.m.8 views

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

8.2CVSS5.9AI score0.00264EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/11 12:0 a.m.10 views

PT-2026-7771

Name of the Vulnerable Software and Affected Versions iOS versions prior to 26.3 iPadOS versions prior to 26.3 Description A logic issue existed where a user with Live Caller ID app extensions disabled could have identifying information leaked to those extensions. The issue was resolved through...

5.4AI score0.00144EPSS
Exploits0References3
CVE
CVE
added 2026/01/28 8:7 p.m.12 views

CVE-2026-23743

Summary of CVE-2026-23743 (Discourse) : Prior to versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks to access-restricted resources (private topics/categories/posts/hidden tags) could redirect to URLs containing the resource slug in the Location header or 404 search box, leaking potent...

7.5CVSS5.9AI score0.00245EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/01/27 7:34 p.m.7 views

EUVD-2026-4750

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control...

5.3CVSS5.9AI score0.00457EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/22 10:1 p.m.3 views

CVE-2026-0798 Gitea Release Email Notifications Leak Private Repository Release Details After Access Revocation

Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags,...

5.3AI score0.00237EPSS
Exploits0References4
Rows per page
Query Builder