Lucene search
K

119 matches found

Cvelist
Cvelist
added last week36 views

CVE-2026-58213 NATS Server: MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...

7.1CVSS0.00441EPSS
Exploits0References8
OSV
OSV
added last week4 views

CVE-2026-58213 NATS Server: MQTT SUBSCRIBE Protocol Injection via Leaf Node/Route Forwarding allows arbitrary NATS command injection

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...

7.1CVSS6.1AI score0.00441EPSS
Exploits0References10
OSV
OSV
added 2026/06/30 6:2 p.m.3 views

RLSA-2026:33514 Important: ruby:2.5 security update

Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fixes: ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments CVE-2026-42258 net-imap: ruby: Net::IMAP: Information...

7.4CVSS5.8AI score0.00813EPSS
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/29 4:10 p.m.15 views

Security Bulletin: Multiple Vulnerabilities in bcprov package bundled with IBM Fusion, IBM Fusion HCI, IBM Fusion Data Cataloging, and IBM Fusion Content-Aware Storage

Summary IBM Fusion, IBM Fusion HCI, IBM Fusion Data Cataloging, and IBM Fusion Content-Aware Storage include bcprov library, which is susceptible to use of broken cryptographic algorithm, Improper neutralization, covert timing channel vulnerabilities CVE-2025-14813, CVE-2026-0636, CVE-2026-5598...

9.9CVSS6.7AI score0.00691EPSS
Exploits0Affected Software2
Cvelist
Cvelist
added 2026/06/26 4:39 p.m.35 views

CVE-2026-47206 Dragonfly: RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS0.00283EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:39 p.m.7 views

CVE-2026-47206

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS5.9AI score0.00283EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.9 views

CVE-2026-10549

LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database...

5.3CVSS5.5AI score0.00268EPSS
Exploits0References1
OSV
OSV
added 2026/05/05 6:27 p.m.4 views

GHSA-V8H7-RR48-VMMV Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection

Summary Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri. The constructors reject CRLF and whitespace characters that would break the start-line, but setUri does not apply the same...

5.3CVSS5.9AI score0.00307EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/18 1:13 a.m.5 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the internal stream buffers SmtpStream, ImapStream, and Pop3Stream not being flushed during the STARTTLS upgrade process. An attacker c...

7.1CVSS5.8AI score0.00223EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/17 3:36 p.m.4 views

LDAP Injection

Overview Affected versions of this package are vulnerable to LDAP Injection in the LdapProfileService class, which accepts ID-based search parameters in multiple methods. A privileged attacker can execute unauthorized LDAP queries and perform arbitrary directory operations. Remediation Upgrade...

8.8CVSS5.9AI score0.00608EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/04/17 12:6 p.m.10 views

SUSE CVE-2026-0636

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from...

5.3CVSS5.8AI score0.00527EPSS
Exploits0References5
Hacker One
Hacker One
added 2026/04/05 8:31 p.m.125 views

curl: SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)

Summary libcurl’s SMTP implementation fails to properly sanitize CRLF sequences in user-controlled inputs passed via CURLOPTMAILFROM and CURLOPTMAILRCPT. The function smtpparseaddress lib/smtp.c:277 extracts any data following the closing character as a raw suffix and incorporates it directly int...

6.2AI score
Exploits0
OSV
OSV
added 2026/04/03 6:31 a.m.4 views

GHSA-8JR8-V43G-5C57 Roundcube Webmail: Unsanitized IMAP SEARCH command arguments

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

3.1CVSS5.9AI score0.00283EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/04/03 2:41 a.m.6 views

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Impact On Windows, app.setAsDefaultProtocolClientprotocol did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes, potentially hijacking existing protocol...

7.5CVSS6AI score0.0024EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/04/03 12:0 a.m.9 views

Roundcube Webmail 参数注入漏洞

Roundcube Webmail is an open-source browser-based IMAP client developed by Roundcube. It supports address book management, information search, spelling checking, etc. Versions of Roundcube Webmail prior to 1.5.14 and 1.6.14 had a parameter injection vulnerability. This vulnerability stemmed from...

3.1CVSS5.7AI score0.00283EPSS
Exploits0References7
EUVD
EUVD
added 2026/03/27 9:31 a.m.7 views

EUVD-2026-16573

If authusernamechars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out authusernamechars, or install fixed version. No publicly available exploits are...

3.7CVSS6AI score0.00286EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/24 3:21 p.m.8 views

CVE-2025-71275 Zimbra Collaboration Suite PostJournal 8.8.15 Unauthenticated Remote Code Execution via SMTP Injection

Zimbra Collaboration Suite ZCS PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell...

9.8CVSS6.8AI score0.00462EPSS
Exploits3References3
CVE
CVE
added 2026/03/20 12:0 a.m.11 views

CVE-2026-33369

Zimbra Collaboration (ZCS) versions 10.0 and 10.1 are affected by an LDAP injection in the Mailbox SOAP service (FolderAction). The issue arises from improper sanitization of user input in LDAP search filters, allowing an authenticated attacker to craft a SOAP request that manipulates the LDAP qu...

4.3CVSS5.8AI score0.00227EPSS
Exploits0References4Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/03/20 12:0 a.m.6 views

AlmaLinux 10 : python3.12 (ALSA-2026:4713)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:4713 advisory. cpython: wsgiref.headers.Headers allows header newline injection in Python CVE-2026-0865 cpython: IMAP command injection in user-controlled commands...

6CVSS7.2AI score0.0056EPSS
Exploits0References6
OSV
OSV
added 2026/03/17 12:0 a.m.7 views

ALSA-2026:4713 Moderate: python3.12 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

6CVSS7.2AI score0.0056EPSS
Exploits0References10
Rows per page
Query Builder