1815 matches found

NVD
added yesterday | 7 views

CVE-2026-54232

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the...

8.8 CVSS | 0.00273 EPSS
Exploits: 0 | References: 1
RedhatCVE
added yesterday | 6 views

CVE-2026-33245

A flaw was found in React Router. This vulnerability, a type of Cross-Site Scripting (XSS), affects applications utilizing React Router's unstable React Server Components (RSC) APIs. A remote attacker could exploit this by sending untrusted redirects, leading to the execution of malicious scripts in...

8 CVSS | 6 AI score | 0.00176 EPSS
Exploits: 0 | References: 4
NVD
added 5 days ago | 10 views

CVE-2025-10560

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials...

9.3 CVSS | 0.0048 EPSS
Exploits: 1 | References: 3
EUVD
added 5 days ago | 9 views

EUVD-2025-210275

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials...

9.3 CVSS | 5.4 AI score | 0.0048 EPSS
Exploits: 1 | References: 2
Cvelist
added 5 days ago | 22 views

CVE-2025-10560 Hardcoded cloud credentials in Worksnaps client application binaries expose production cloud resources

Worksnaps before version 1.6.20260201 contains hardcoded cloud credentials and related secret material in the Worksnaps client application binaries. The exposed credentials included AWS access keys, S3 bucket names, and related cloud access information. The originally exposed AWS credentials...

9.3 CVSS | 0.0048 EPSS
Exploits: 1 | References: 2
CVE
added 5 days ago | 15 views

CVE-2025-10560

The CVE-CWE entry documents a vulnerability in Worksnaps before version 1.6.20260201 where hardcoded cloud credentials and related secret material were embedded in Worksnaps client binaries. The exposed data included AWS access keys and S3 bucket information, and the credentials authenticated as ...

9.3 CVSS | 5.3 AI score | 0.0048 EPSS
Exploits: 1 | References: 3
Positive Technologies
added 2026/06/16 12:0 a.m. | 8 views

PT-2026-50022

Name of the Vulnerable Software and Affected Versions: Oracle Complex Maintenance, Repair and Overhaul versions 12.2.3 through 12.2.15. Description: An issue exists in the Production component of Oracle Complex Maintenance, Repair and Overhaul within Oracle E-Business Suite. A low privileged attacke...

8.5 CVSS | 5.8 AI score | 0.00311 EPSS
Exploits: 0 | References: 3
EUVD
added 2026/06/15 2:16 p.m. | 7 views

EUVD-2026-36727

Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired...

4.8 CVSS | 5.4 AI score | 0.00162 EPSS
Exploits: 0 | References: 2
EUVD
added 2026/06/12 6:22 p.m. | 8 views

EUVD-2026-36535

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains...

8.7 CVSS | 5.2 AI score | 0.00907 EPSS
Exploits: 0 | References: 3
NVD
added 2026/06/12 4:16 p.m. | 19 views

CVE-2026-50084

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with...

9.6 CVSS | 0.00213 EPSS
Exploits: 0 | References: 2
NVD
added 2026/06/11 7:16 p.m. | 8 views

CVE-2026-47174

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

9.5 CVSS | 0.00312 EPSS
Exploits: 0 | References: 1
NVD
added 2026/06/11 7:16 p.m. | 7 views

CVE-2026-47172

Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks ou...

9.5 CVSS | 0.00324 EPSS
Exploits: 0 | References: 2
EUVD
added 2026/06/11 6:46 p.m. | 8 views

EUVD-2026-36290

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

9.5 CVSS | 5.3 AI score | 0.00312 EPSS
Exploits: 0 | References: 1
CVE
added 2026/06/11 6:46 p.m. | 11 views

CVE-2026-47174

Technical details such as affected components, versions, exploit paths, and fixes are not provided in the supplied documents; monitor for updates.

9.5 CVSS | 5.3 AI score | 0.00312 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2026/06/11 6:46 p.m. | 7 views

CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

9.5 CVSS | 5.3 AI score | 0.00312 EPSS
Exploits: 0 | References: 1
Cvelist
added 2026/06/11 6:46 p.m. | 21 views

CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

9.5 CVSS | 0.00312 EPSS
Exploits: 0 | References: 1
EUVD
added 2026/06/11 6:28 p.m. | 48 views

EUVD-2026-36300

Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks ou...

9.5 CVSS | 5.5 AI score | 0.00324 EPSS
Exploits: 0 | References: 2
CVE
added 2026/06/11 6:28 p.m. | 13 views

CVE-2026-47172

Quest Bot (open-source Discord bot) contains a privilege escalation in the deploy workflow prior to v1.0.3. The repository’s privileged deploy workflow runs after the unprivileged build, and when a PR from a main branch is opened, the deploy workflow can check out the PR head_sha, build it into a...

9.5 CVSS | 5.5 AI score | 0.00324 EPSS
Exploits: 0 | References: 2
Cvelist
added 2026/06/11 6:28 p.m. | 62 views

CVE-2026-47172 Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.

Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks ou...

9.5 CVSS | 0.00324 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/06/11 6:28 p.m. | 7 views

CVE-2026-47172 Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.

Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks ou...

9.5 CVSS | 5.5 AI score | 0.00324 EPSS
Exploits: 0 | References: 2