Lucene search
K

1175 matches found

CVE
CVE
added 2026/05/12 4:34 p.m.32 views

CVE-2026-20751

The CVE-2026-20751 entry concerns Intel Data Center Graphics Driver for VMware ESXi, vulnerable in versions before 2.0.2. The issue is an out-of-bounds read in Ring 1 device drivers, which may allow a local-privileged attacker with low complexity and no user interaction to cause a denial of servi...

8.3CVSS5.7AI score0.0012EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/11 6:31 p.m.10 views

EUVD-2026-29102

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization a...

7.7CVSS5.8AI score0.00274EPSS
Exploits0References3
NVD
NVD
added 2026/05/11 4:17 p.m.17 views

CVE-2026-42609

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that alread...

8.1CVSS0.00463EPSS
Exploits1References4
CVE
CVE
added 2026/05/11 3:20 p.m.19 views

CVE-2026-42611

Grav CVE-2026-42611 is a stored XSS in Grav Core + Admin Plugin (versions around v1.7.49.5 / v1.10.49.1) that a low-privileged user can exploit via page content to exfiltrate admin context, including the admin nonce, potentially bypass CSRF protections and enable further actions on sensitive admi...

8.9CVSS5.8AI score0.003EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/05/09 7:9 p.m.10 views

EUVD-2026-28929

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/id. The endpoint directly persists the admin attribute from user input, and the escalated accou...

8.3CVSS5.7AI score0.00261EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.15 views

PT-2026-38882

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged...

6CVSS5.8AI score0.00101EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/07 2:23 a.m.11 views

SUSE CVE-2026-7573

An authorization bypass CWE-639 in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy roles and permissions for any user across all organizations by supplying targeted Name and Org...

7.7CVSS5.8AI score0.00255EPSS
Exploits0References3
OSV
OSV
added 2026/05/06 2:46 p.m.6 views

BIT-JAVA-MIN-2026-22003

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged...

6CVSS7.3AI score0.00101EPSS
Exploits0References2
OSV
OSV
added 2026/05/05 9:29 p.m.5 views

GHSA-RR73-568V-28F8 Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References6
OSV
OSV
added 2026/05/04 9:18 p.m.7 views

GHSA-4FM3-GGG2-C6QX AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption

Summary The /api/internal/stationid/liquidsoap/action endpoint is accessible from the public web interface because it lacks the RequireInternalConnection middleware that protects other internal endpoints /sftp-auth, /sftp-event. Combined with a logic flaw where the $asAutoDj flag is set based on...

6.3CVSS6AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.14 views

PT-2026-36800

Name of the Vulnerable Software and Affected Versions Norton Secure VPN affected versions not specified Description A privilege escalation issue occurs during the installation of the software via the Microsoft Store. A low-privilege user can replace files during the installation process,...

8.8CVSS5.9AI score0.00127EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/04/29 12:0 a.m.6 views

Juniper Junos OS Vulnerability (JSA100078)

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA100078 advisory. - An Improper Access Control vulnerability in the User Interface UI of Juniper Networks Junos OS allows a local, low-privileged attacker to bring down an interface, leading...

6.8CVSS5.6AI score0.00136EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/04/29 12:0 a.m.6 views

Juniper Junos OS Vulnerability (JSA92860)

The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA92860 advisory. - An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in the command-line interface CLI of Juniper Networks Junos OS on SRX Series devices allows a...

6.8CVSS5.7AI score0.00168EPSS
Exploits0References2
NVD
NVD
added 2026/04/28 4:16 p.m.3 views

CVE-2026-38948

Cross-Site Scripting XSS vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code...

5.4CVSS0.00165EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/04/27 12:0 a.m.4 views

Cisco IOS XE Software DoS (cisco-sa-iosxe-mntc-dos-LZweQcyq)

According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability. - A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service DoS condition on an affected device. This vulnerability exists because...

6.5CVSS8.6AI score0.00092EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/22 9:16 p.m.28 views

CVE-2026-41171 SSRF via Jint Scripting Engine HTTP Functions Due to Missing SSRF Protection on "Jint" HttpClient

Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery SSRF vulnerability due to missing SSRF protection on the Jint HTTP client used by scripting engine functions getJSON, request, etc.. An authenticate...

8.6CVSS0.00215EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.8 views

PT-2026-34118

Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware component: Microsoft Active Directory. The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via LDAP to compromise Orac...

5.9CVSS5.7AI score0.00175EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 12:0 a.m.10 views

CVE-2026-30452

CVE-2026-30452 affects Textpattern CMS 4.9.0. A Broken Access Control flaw in the article management workflow lets authenticated users with low privileges modify articles owned by higher-privilege users. By altering the article ID parameter during the duplicate-and-save process in textpattern/inc...

6.5CVSS5.8AI score0.00247EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/17 7:46 a.m.3 views

CVE-2026-33392

In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass...

7.2CVSS5.7AI score0.00426EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 1:35 a.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the GymConfigUpdateView. An attacker can gain unauthorized control over installation-wide configuration and modify other users' records by submitting changes to the /config/gym-config/edit endpoint as a...

7.6CVSS5.8AI score0.00333EPSS
Exploits1References2
Rows per page
Query Builder