Lucene search
K

66 matches found

NVD
NVD
added 3 days ago5 views

CVE-2026-57474

Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced...

6.9CVSS0.00279EPSS
Exploits0References4
CVE
CVE
added 3 days ago6 views

CVE-2026-57475

Deloitte AI Assist for Customer had an unauthenticated POST vulnerability on public API endpoints that allowed a remote attacker to perform limited additions to the configuration. These changes were not used by the system. On 2026-03-25, access was restricted and authentication enforced for the e...

6.9CVSS6.2AI score0.0034EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42974

Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced...

6.9CVSS6.1AI score0.00279EPSS
Exploits0References4
CVE
CVE
added 3 days ago9 views

CVE-2026-57474

The CVE entry CVE-2026-57474 concerns Deloitte AI Assist for Customer. Public-facing API endpoints accepted unauthenticated requests, exposing configuration information that could aid an attacker’s reconnaissance. The root cause is exposure of configuration data via unauthenticated access to API ...

6.9CVSS6.1AI score0.00279EPSS
Exploits0References4
CVE
CVE
added 3 days ago8 views

CVE-2026-57994

phpMyFAQ is affected: versions before 4.1.5 expose inactive content through public API endpoints due to inconsistent active flag and publication-date filtering. Specifically, GET /api/v3.1/faq/{categoryId}/{faqId} returns inactive title and full answer, while GET /api/v3.1/faqs/tags/{tagId} and G...

6.9CVSS6.1AI score0.00214EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42892

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive draft or review-only FAQ content. Specifically, GET /api/v3.1/faq/categoryId/faqId returns the inactive FAQ title and...

6.9CVSS6.1AI score0.00214EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.14 views

PT-2026-55499

Name of the Vulnerable Software and Affected Versions MotoPress Appointment Booking versions prior to 2.4.5 Description The plugin contains an authorization bypass issue allowing unauthenticated users to modify booking details. The POST /motopress/appointment/v1/bookings endpoint is accessible to...

5.3CVSS5.9AI score0.00342EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/06/23 8:34 p.m.6 views

CVE-2026-47378

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on...

6.9CVSS6AI score0.00239EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 8:34 p.m.27 views

CVE-2026-47378 NocoDB: Hidden Column Exposure in Public Shared View Endpoints

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on...

6.9CVSS0.00239EPSS
Exploits0References1
Packet Storm News
Packet Storm News
added 2026/06/12 12:0 a.m.26 views

FortiSandbox Endpoint Validation Tool

This Python script is a utility designed to evaluate the exposure and configuration state of a FortiSandbox deployment through publicly reachable management endpoints...

5.3AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.9 views

CVE-2026-41428

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...

9.1CVSS5.5AI score0.00445EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.12 views

CVE-2026-41278

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

8.7CVSS5.4AI score0.00421EPSS
Exploits1References1
CERT
CERT
added 2026/06/03 12:0 a.m.11 views

Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities

Overview Version 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. These issues may expose sensitive filtering rules, enable the manipulation of downloaded configuration files, and allow...

7.5CVSS5.5AI score0.00432EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/12 8:56 p.m.9 views

CVE-2026-44262 Scramble: Remote code execution via evaluation of user-controlled input in validation rules

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of...

9.4CVSS6.1AI score0.0586EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/07 9:16 p.m.12 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the Email field in the Comment model exposed through unauthenticated public API endpoints. An attacker can obtain the email addresses of all guest commenters by makin...

6.9CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/07 9:16 p.m.14 views

Ech0 comment model's Email field returned on public /api/comments endpoints

Summary The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

5.8AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/24 7:17 p.m.5 views

CVE-2026-41428

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...

9.1CVSS5.5AI score0.00445EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/24 7:17 p.m.19 views

CVE-2026-41428

Budibase (open-source low-code platform) before version 3.35.4 is affected. The authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url, and because Koa’s ctx.request.url includes the query string, an attacker can include a ...

9.1CVSS5.5AI score0.00445EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.14 views

Budibase 授权问题漏洞

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.35.4 contained an authorization vulnerability. This vulnerability stemmed from authenticated...

9.1CVSS5.8AI score0.00445EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/17 9:34 p.m.6 views

Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs

Summary The GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References3Affected Software1
Rows per page
Query Builder