Lucene search
+L

122228 matches found

OSV
OSV
added 5 days ago4 views

CVE-2026-48736 Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATESUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowi...

6.9CVSS6.1AI score0.0046EPSS
Exploits0References8
NVD
NVD
added 5 days ago9 views

CVE-2026-50657

Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally...

4.7CVSS0.00412EPSS
Exploits1References1
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-15637

Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier...

0.00192EPSS
Exploits0References1
CVE
CVE
added 5 days ago6 views

CVE-2026-15637

CVE-2026-15637 affects Devolutions Server 2026.2.11 and 2026.1.22: improper authorization in the PAM SSH key and certificate retrieval endpoints allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the...

7.5CVSS6.1AI score0.00192EPSS
Exploits0References1
Microsoft CVE
Microsoft CVE
added 5 days ago13 views

Microsoft Defender for Endpoint for Mac Information Disclosure Vulnerability

Exposure of private personal information to an unauthorized actor in Microsoft Defender allows an authorized attacker to disclose information locally...

4.7CVSS6.1AI score0.00412EPSS
Exploits1
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-60097

Name of the Vulnerable Software and Affected Versions nebula-mesh affected versions not specified Description The web handler renderMobileBundle passes a pki.CAResolver to the mobilebundle.Build function, which decrypts the CA's ed25519 private key into a pki.CAManager. However, the Build functio...

8.7CVSS6.2AI score
Exploits0References6
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-58485

Name of the Vulnerable Software and Affected Versions Microsoft Defender for Endpoint on Mac versions prior to 101.26042.0020 Description An issue in Microsoft Defender allows an authorized attacker to locally disclose private personal information to an unauthorized actor. Recommendations Update...

4.7CVSS6.1AI score0.00412EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-58675

Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.11 Devolutions Server version 2026.1.22 Description Improper authorization in the PAM SSH key and certificate retrieval endpoints allows an authenticated low-privileged user to disclose the private key of an S...

7.5CVSS5.2AI score0.00192EPSS
Exploits0References3
NVD
NVD
added 6 days ago7 views

CVE-2026-58489

HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2 state value but only checked that it was present rather than validating it against the value expected for the user's session. Because the state was not...

6.8CVSS0.00126EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-62242 Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration

Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can...

8.6CVSS0.00283EPSS
Exploits0References5
CVE
CVE
added 6 days ago8 views

CVE-2026-12385

CVE-2026-12385 affects the Smart Slider 3 WordPress plugin up to version 3.5.1.37. The issue is a Sensitive Information Exposure via the keyword parameter, enabling authenticated attackers with contributor-level access and above to extract titles and full content excerpts from private, draft, pen...

4.3CVSS6.1AI score0.00242EPSS
Exploits0References7
CVE
CVE
added 6 days ago13 views

CVE-2026-49969

Vulnerability overview: Laravel-Mediable

7.4CVSS6.2AI score0.00241EPSS
Exploits0References3
CVE
CVE
added 6 days ago8 views

CVE-2026-9820

Mattermost versions 11.7.x &lt;= 11.7.2 and 10.11.x

3.8CVSS6.1AI score0.00152EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 6 days ago8 views

EUVD-2026-43312

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in th...

6.5CVSS6.1AI score0.00174EPSS
Exploits0References2
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-43290

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

7.1CVSS6.2AI score0.00171EPSS
Exploits0References2
NVD
NVD
added 6 days ago4 views

CVE-2026-10106

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in th...

6.5CVSS0.00174EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-10106 Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in th...

6.5CVSS0.00174EPSS
Exploits0References1
CVE
CVE
added 6 days ago15 views

CVE-2026-10106

Mattermost vulnerable versions: 11.7.x ≤ 11.7.2, 11.6.x ≤ 11.6.4, and 10.11.x ≤ 10.11.19. The issue stems from failing to verify that the channel referenced in an action cookie matches the target post’s channel, enabling an authenticated user without access to a private channel to trigger interac...

6.5CVSS6.1AI score0.00174EPSS
Exploits0References1Affected Software1
NVD
NVD
added 6 days ago5 views

CVE-2026-12397

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

4.3CVSS0.00162EPSS
Exploits0References1
NVD
NVD
added 6 days ago5 views

CVE-2026-12275

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

7.1CVSS0.00171EPSS
Exploits0References1
Rows per page
Query Builder