CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2 days ago•4 views

CVE-2026-34837

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/aiassistance/texttools/:id contains an authorization failure. Context data e.g., a group or organization supplied to be used in the AI prompt were not checked if they are accessible f...

5.3CVSS5.5AI score0.00034EPSS

RedhatCVE•added 2 days ago•6 views

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

5.5CVSS5.9AI score0.00005EPSS

RedhatCVE•added 2 days ago•3 views

CVE-2026-44222

vLLM is an inference and serving engine for large language models LLMs. From 0.6.1 to before 0.20.0, there is a a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder...

7.5CVSS5.5AI score0.00014EPSS

Exploits1References1

RedhatCVE•added 2 days ago•4 views

CVE-2026-41271

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery SSRF vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests t...

8.3CVSS7.2AI score0.00115EPSS

Exploits1References1

RedhatCVE•added 2 days ago•6 views

CVE-2026-9255

Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version...

8.4CVSS5.8AI score0.00013EPSS

Microsoft Secure•added 3 days ago•5 views

Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us

In this article 1. Why the Taxonomy Needed Updating 2. Seven new failure modes 3. Operational findings: What red teaming showed 4. New mitigations 5. What to do this quarter When the Microsoft AI Red Team published the Taxonomy of Failure Modes in Agentic AI Systems in April 2025, the goal was a...

8.8CVSS7.2AI score0.00121EPSS

Exploits5

RedhatCVE•added 5 days ago•11 views

CVE-2026-0088

In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS5.9AI score0.00005EPSS

Packet Storm News•added 5 days ago•5 views

Domain-Conditioned Safety in Frontier Computer-Using Agents: A 793-Episode Browser Benchmark, a Coding-Domain Cross-Reference, and a Reproducibility Audit of Recent Red-Teaming

Recent computer-using-agent CUA red-teaming papers report prompt-injection attack success rates ASR of 42-98%, but these headline numbers cluster on retired models and on the most-vulnerable model in each paper's panel. We ask whether those techniques, reproduced as hand-crafted templates, still...

5.5AI score

Exploits0

Vulnrichment•added 6 days ago•7 views

CVE-2026-0088

5.9AI score0.00005EPSS

ATTACKERKB•added 6 days ago•6 views

CVE-2026-0061

In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

5.9AI score0.00005EPSS

Exploits0References2Affected Software1

RedhatCVE•added 2026/05/30 8:13 a.m.•11 views

CVE-2026-10044

Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/filename endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal...

SUSE CVE•added 2026/05/29 1:20 a.m.•6 views

SUSE CVE-2026-45134

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from...

7.1CVSS5.8AI score0.00036EPSS

Exploits0References3

EUVD•added 2026/05/29 12:38 a.m.•8 views

EUVD-2026-33061

NVD•added 2026/05/28 10:16 p.m.•7 views

CVE-2026-10044

8.2CVSS0.00067EPSS

Cvelist•added 2026/05/28 9:2 p.m.•28 views

CVE-2026-10044 ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/

8.2CVSS0.00067EPSS

Vulnrichment•added 2026/05/28 9:2 p.m.•7 views

CVE-2026-10044 ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/

CVE•added 2026/05/28 9:2 p.m.•13 views

CVE-2026-10044

Usagi-org ai-goofish-monitor on Windows is affected by an unauthenticated arbitrary file read via GET /api/prompts/{filename}. The vulnerability arises from an incomplete path traversal guard that blocks only forward slashes and '..'; attackers can supply absolute Windows paths or backslash-based...

ATTACKERKB•added 2026/05/28 9:2 p.m.•5 views

CVE-2026-10044

6AI score0.00067EPSS