GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
Summary: An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Details: The vulnerability essentially boils down t...
CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex read...
[SECURITY] Fedora 42 Update: valkey-8.0.9-1.fc42
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
[SECURITY] Fedora 43 Update: valkey-8.1.7-1.fc43
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
EUVD-2026-21150
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...
EUVD-2026-16785
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.5.x branch prior to 4.5.8 and on the 4.4.x branch prior to 4.4.15, an attacker that knows of a quote before it has reached a server can prevent it from being correctly processed on that server. The...
SUSE CVE-2026-24004
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet's Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet...
Magento PolyShell Flaw Enables Unauthenticated Uploads, RCE and Account Takeover
Sansec is warning of a critical security flaw in Magento's REST API that could allow unauthenticated attackers to upload arbitrary executables and achieve code execution and account takeover. The vulnerability has been codenamed PolyShell by Sansec owing to the fact that the attack hinges on...
[SECURITY] Fedora 44 Update: valkey-9.0.3-1.fc44
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
[SECURITY] Fedora 42 Update: valkey-8.0.7-1.fc42
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
[SECURITY] Fedora 43 Update: valkey-8.1.6-1.fc43
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing s...
CVE-2026-24004
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet...
GO-2026-4563 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet
Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint in github.com/fleetdm/fleet...
CVE-2026-27704
The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client dart pub and flutter pub extracts a package in the pub cache, a malicious package archive can...
GHSA-9PM7-6G36-6J78 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Summary: A vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet management. Impact: If Android MDM is enabled, an attacker could send a craft...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the Pub/Sub endpoint. An attacker can cause unauthorized removal of Android devices from management by sending crafted unauthenticated requests. Remediation: Upgrade...
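The Flux notification-controller entry (CVE-2026-40109, a Google-signed OIDC token accepted for Pub/Sub push without checking whose token it is) and the Fleet entries (CVE-2026-24004, a Pub/Sub endpoint that acted on requests with no authentication at all) are two failures of the same control: a Pub/Sub push receiver must authenticate the push and bind the authenticated identity to the one service account the subscription was configured to push with. The Go below is an added example written for this page, not code from Flux, Fleet or Google's libraries. It assumes a `ReceiverPolicy` pinning an audience and a push service-account email (the values shown are made up), a public key injected directly instead of being fetched by `kid` from Google's JWKS, `aud` modelled as a plain string, and a test-key `MintToken` that stands in for Google's signer so both the weak and the hardened check can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// PushClaims holds the Google OIDC ID-token claims a Pub/Sub push receiver
// inspects (standard OIDC claim names; aud simplified to a string here).
type PushClaims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Exp           int64  `json:"exp"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// ReceiverPolicy is what the receiver pins (hypothetical type for this example):
// the audience it expects and the exact service account configured on the subscription.
type ReceiverPolicy struct {
	Audience           string
	PushServiceAccount string
}

var googleIssuers = map[string]bool{"https://accounts.google.com": true, "accounts.google.com": true}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// verifyRS256 checks the RS256 signature over header.payload with pub and decodes the
// claims. A real receiver would select pub by the header's kid from Google's JWKS.
func verifyRS256(token string, pub *rsa.PublicKey) (*PushClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed header or unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c PushClaims
	return &c, json.Unmarshal(pb, &c)
}

// baseChecks answers only "is this a valid Google token for my audience?":
// signature, issuer, audience, expiry.
func baseChecks(token string, pub *rsa.PublicKey, pol ReceiverPolicy, now time.Time) (*PushClaims, error) {
	c, err := verifyRS256(token, pub)
	if err != nil {
		return nil, err
	}
	if !googleIssuers[c.Iss] {
		return nil, errors.New("unexpected issuer")
	}
	if c.Aud != pol.Audience {
		return nil, errors.New("audience mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return c, nil
}

// AuthorizePushWeak stops at baseChecks: any Google principal able to mint an ID token
// for this audience (e.g. a service account in an unrelated project) is accepted.
func AuthorizePushWeak(token string, pub *rsa.PublicKey, pol ReceiverPolicy, now time.Time) error {
	_, err := baseChecks(token, pub, pol, now)
	return err
}

// AuthorizePush adds the missing binding: the token must carry a verified email
// equal to the service account the subscription was configured to push with.
func AuthorizePush(token string, pub *rsa.PublicKey, pol ReceiverPolicy, now time.Time) error {
	c, err := baseChecks(token, pub, pol, now)
	if err != nil {
		return err
	}
	if !c.EmailVerified || c.Email != pol.PushServiceAccount {
		return fmt.Errorf("token principal %q is not the configured push service account", c.Email)
	}
	return nil
}

// MintToken signs claims with a local test key; it stands in for Google's signer
// purely so the checks above can be exercised offline (constructed for this example).
func MintToken(priv *rsa.PrivateKey, c PushClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64url(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	pol := ReceiverPolicy{Audience: "https://notifications.example.com/hook/gcr", PushServiceAccount: "pubsub-push@my-project.iam.gserviceaccount.com"}
	now := time.Now()
	rogue := PushClaims{Iss: "https://accounts.google.com", Aud: pol.Audience, Exp: now.Add(5 * time.Minute).Unix(), Email: "anyone@attacker-project.iam.gserviceaccount.com", EmailVerified: true}
	tok := MintToken(priv, rogue)
	fmt.Println("weak:", AuthorizePushWeak(tok, &priv.PublicKey, pol, now), "| strict:", AuthorizePush(tok, &priv.PublicKey, pol, now))
}
```

The weak path is what the Flux entry describes: every check passes for a token that Google did sign, for the right audience, but for a principal the operator never trusted. The strict path refuses anything that is not the pinned service account, and also rejects an unverified `email` claim, since an unverified email is not an identity assertion. A receiver with no check at all, as in the Fleet entry, has neither path; the endpoint that processes the push must call the strict check before acting on the message body.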