Lucene search
K

877 matches found

CVE
CVE
added 2026/03/26 8:40 p.m.10 views

CVE-2026-33620

CVE-2026-33620 concerns PinchTab, a standalone HTTP server that exposes a Chrome-control API. The affected range is PinchTab versions v0.7.8–v0.8.3, which accepted an API credential via a token URL query parameter in addition to the Authorization header. When a valid credential is passed in the U...

4.3CVSS5.8AI score0.00273EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 8:40 p.m.2 views

CVE-2026-33620

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

4.3CVSS5.8AI score0.00273EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/26 8:40 p.m.5 views

CVE-2026-33620 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through...

4.3CVSS6.3AI score0.00273EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:9 p.m.4 views

CVE-2026-33768

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and xastropath query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel...

9.1CVSS5.8AI score0.00331EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.6 views

CVE-2026-33332

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...

7.5CVSS5.7AI score0.00599EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/26 12:30 p.m.4 views

EUVD-2018-21669

ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive...

8.8CVSS5.9AI score0.00267EPSS
Exploits0References4
NVD
NVD
added 2026/03/26 12:16 p.m.8 views

CVE-2018-25205

ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive...

8.8CVSS0.00267EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/26 11:39 a.m.22 views

CVE-2018-25205 ASP.NET jVideo Kit 1.0 SQL Injection via query Parameter

ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive...

8.8CVSS0.00267EPSS
Exploits0References3
CVE
CVE
added 2026/03/26 11:39 a.m.7 views

CVE-2018-25205

CVE-2018-25205 concerns ASP.NET jVideo Kit 1.0, where a vulnerability in the search functionality allows unauthenticated SQL injection via the query parameter in the /search endpoint. Attackers can submit malicious payloads through GET or POST requests to extract sensitive database information us...

8.8CVSS5.9AI score0.00267EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/26 11:39 a.m.6 views

CVE-2018-25205 ASP.NET jVideo Kit 1.0 SQL Injection via query Parameter

ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive...

8.8CVSS5.9AI score0.00267EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.7 views

Mediasoftpro ASP.NET jVideo Kit SQL注入漏洞

Mediasoftpro ASP.NET jVideo Kit is a video management and publishing component suite developed by Mediasoftpro. Version 1.0 of Mediasoftpro ASP.NET jVideo Kit contains a SQL injection vulnerability, which stems from insufficient validation of query parameter inputs, potentially allowing SQL...

8.8CVSS5.9AI score0.00267EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/03/26 12:0 a.m.7 views

RHEL 8 : osbuild-composer (RHSA-2026:5853)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:5853 advisory. A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building...

7.5CVSS5.9AI score0.01945EPSS
Exploits2References6
Snyk
Snyk
added 2026/03/24 7:33 p.m.4 views

Use of GET Request Method With Sensitive Query Strings

Overview Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the token URL query parameter, which is accepted by the authentication process. An attacker can obtain sensitive API credentials by accessing logs, browser history, clipboard...

5.3CVSS5.9AI score0.00273EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/24 7:33 p.m.4 views

PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

Summary PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy...

4.3CVSS5.8AI score0.00273EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.6 views

PT-2026-27487

Name of the Vulnerable Software and Affected Versions Astro versions prior to 10.0.2 Description Astro, a web framework, contains a flaw in the @astrojs/vercel serverless entrypoint. Versions prior to 10.0.2 do not authenticate requests using the x-astro-path header or x astro path query paramete...

9.1CVSS5.9AI score0.00331EPSS
Exploits1References10
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.5 views

PT-2026-27627

Name of the Vulnerable Software and Affected Versions PinchTab versions v0.7.8 through v0.8.3 Description PinchTab versions v0.7.8 through v0.8.3 accepted API tokens from both the Authorization header and a token URL query parameter. When a valid API credential was sent in the URL, it could be...

4.3CVSS5.9AI score0.00273EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.10 views

Astro 安全漏洞

Astro is a content-driven website framework developed by Astro OpenSource. Versions of Astro prior to 10.0.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authentication when reading the x-astro-path header and the xastropath query parameters, which could lead...

9.1CVSS5.8AI score0.00331EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/03/24 12:0 a.m.7 views

Alibaba Cloud Linux 3 : 0060: container-tools (ALINUX3-SA-2026:0060)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0060 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-61726: The net/url package does n...

10CVSS7.3AI score0.01945EPSS
Exploits2References4
Patchstack
Patchstack
added 2026/03/23 9:56 a.m.8 views

WordPress Injection Guard plugin <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name vulnerability

Unauthenticated Stored Cross-Site Scripting via Query Parameter Name vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Injection Guard versions = 1.2.9...

7.2CVSS5.8AI score0.00321EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/03/22 6:30 a.m.4 views

EUVD-2026-14275

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the isDashboardOrProfileRequest method in the Menu Editor module using an insecure strpos check against $SERVER'REQUESTURI' to...

8.8CVSS5.9AI score0.00286EPSS
Exploits0References5
Rows per page
Query Builder