Lucene search
K

6151 matches found

CVE
CVE
added 4 days ago12 views

CVE-2026-41515

OP-TEE (Trusted Execution Environment for Arm Cortex-A TrustZone) has a vulnerability in the RSA-OAEP decryption path within the NXP CAAM crypto driver. From version 3.9.0 up to, but not including, 4.11.0, the driver uses non-constant-time memcmp() for label hash verification, exposing a Manger-s...

3.3CVSS6AI score0.00094EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-41859

A flaw was found in Red Hat Advanced Cluster Security for Kubernetes RHACS. Central does not limit the depth of GraphQL queries served on the authenticated GraphQL API. An authenticated user with a valid API token can send deeply nested queries that cause excessive resource consumption in Central...

7.7CVSS5.9AI score0.00319EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-41856

Uncontrolled Resource Consumption vulnerability in Apache IoTDB. Some interface fails to impose reasonable limits on the time span and aggregation interval of the query. An attacker can construct a request with extreme parameters e.g., a very large time range combined with a minimal interval. Thi...

7.5CVSS6AI score0.00546EPSS
Exploits0References1
CVE
CVE
added 4 days ago13 views

CVE-2026-24012

CVE-2026-24012 – Apache IoTDB Denial of Service via Resource Exhaustion Description: An interface fails to cap the time span and aggregation interval of queries. An attacker can request an extremely large time range with a tiny interval, causing the DataNode to build an enormous result set in mem...

7.5CVSS6AI score0.00546EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 4 days ago4 views

CVE-2026-49099

Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection', Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search,...

6AI score0.00341EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 4 days ago4 views

EUVD-2026-41825

Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering 'java.;javax.;org.apache.camel.;!', or the no-'javax.' variant in the aggregation-repository component...

8.1CVSS6AI score0.00546EPSS
Exploits0References1
CVE
CVE
added 4 days ago11 views

CVE-2026-42527

CVE-2026-42527 describes a deserialization of untrusted data in Apache Camel. A permissive default ObjectInputFilter pattern (covering java., javax. , org.apache.camel.**) can serialize HashMap-like structures containing java.net.URL keys, causing DNS lookups as a side-channel via hashCode/equals...

8.1CVSS6AI score0.00546EPSS
Exploits0References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/07/03 12:0 a.m.6 views

Elasticsearch 8.0.x < 8.19.17 / 9.0.x < 9.3.6 / 9.4.x < 9.4.3 Multiple DoS

The version of Elasticsearch installed on the remote host is 8.0 prior to 8.19.17, 9.0 prior to 9.3.6, or 9.4.0 prior to 9.4.3. It is, therefore, affected by multiple denial of service vulnerabilities: - Uncontrolled recursion in Elasticsearch allows an authenticated user to submit a specially...

6.5CVSS6AI score0.00324EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/01 7:17 p.m.6 views

CVE-2026-58521

A flaw was found in the Mediawiki - Cargo Extension. This vulnerability allows an attacker to inject malicious commands into database queries. This could lead to unauthorized access to sensitive information, modification of data, or disruption of the database's availability...

9.8CVSS5.8AI score0.00283EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54863

Name of the Vulnerable Software and Affected Versions Elasticsearch versions prior to 8.19.17 Elasticsearch versions prior to 9.3.6 Elasticsearch versions prior to 9.4.3 Description An authenticated user can trigger a denial of service by submitting a specially crafted query. This occurs due to...

6.5CVSS5.7AI score0.00309EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/30 9:32 p.m.16 views

CVE-2026-54514

A flaw was found in jackson-databind, a library used for processing JSON data. This vulnerability allows a remote attacker to force the application to perform an attacker-chosen DNS Domain Name System query. This occurs when untrusted JSON input containing specific network address information is...

5.3CVSS5.7AI score0.00219EPSS
Exploits0References6
CVE
CVE
added 2026/06/30 7:21 p.m.17 views

CVE-2026-13772

CVE-2026-13772 affects IBM WebSphere eXtreme Scale (OQL engine) on versions 8.6.1.0–8.6.1.6. The issue arises from attacker-supplied class names being resolved via Class.forName() and their constructors invoked at three sinks (SELECT NEW, enum literals, reflection-based comparators) without an al...

9.9CVSS6.1AI score0.00283EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/30 10:16 a.m.9 views

CVE-2026-9711

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress full is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL quer...

9.8CVSS0.00438EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/30 9:31 a.m.6 views

EUVD-2026-40273

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress full is vulnerable to SQL Injection via the WordPress 'search' parameter in versions up to, and including, 5.0.11 due to insufficient escaping on the user supplied parameter and lack of preparation on the existing SQL quer...

9.8CVSS5.8AI score0.00438EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 10:53 p.m.3 views

Improper Neutralization of Special Elements in Data Query Logic

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the checkUserPassword process. An attacker can execute arbitrary queries on the backend database by injecting specially crafted input into the password field of a Graph...

8.7CVSS6.2AI score0.00484EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/29 5:22 p.m.35 views

CVE-2026-57955 SigNoz 0.130.1 - SQL Injection in Alert History Endpoints via Rule ID Parameter

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated...

8.5CVSS0.00235EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-527 Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

Summary A SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...

9.9CVSS6.7AI score0.00301EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-489 SQLAlchemyDA unauthenticated arbitrary SQL query execution

Impact The vulnerability allows unauthenticated execution of arbitrary SQL statements on the database the SQLAlchemyDA instance is connected to. All users are affected. Patches The problem has been patched in version 2.2. Workarounds There is no workaround. All users are urged to upgrade to versi...

9.8CVSS6.1AI score0.00881EPSS
Exploits0References6
NVD
NVD
added 2026/06/26 9:16 p.m.12 views

CVE-2026-54350

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write...

10CVSS0.00538EPSS
Exploits2References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:44 p.m.9 views

CVE-2026-54350

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write...

10CVSS5.8AI score0.00538EPSS
Exploits2References2Affected Software1
Rows per page
Query Builder