Lucene search
K

871 matches found

CVE
CVE
added 2026/05/25 2:0 p.m.31 views

CVE-2026-47075

CVE-2026-47075 describes a CRLF injection in Hackney’s URL query handling. Hackney does not percent-encode CR/LF characters in the query string before forming the HTTP/1.1 request target, allowing an attacker who controls the URL to inject raw CRLF sequences and potentially perform HTTP header in...

7.5CVSS5.9AI score0.00421EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/05/22 7:50 a.m.12 views

EUVD-2026-31421

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handleplaylistendpoint function hooked to templateredirect accepting a user-controlled playlist ID via the audioigniterplaylistid query var or the...

7.5CVSS5.8AI score0.01508EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/21 7:57 p.m.10 views

CVE-2026-47068

Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...

2.3CVSS5.8AI score0.00449EPSS
Exploits0References1
OSV
OSV
added 2026/05/21 4:30 p.m.16 views

RLSA-2026:3752 Important: osbuild-composer security update

A service for building customized OS artifacts, such as VM images and OSTree commits, that uses osbuild under the hood. Besides building images for local usage, it can also upload images directly to cloud. It is compatible with composer-cli and cockpit-composer clients. Security Fixes: crypto/x50...

7.5CVSS7.1AI score0.01945EPSS
Exploits4References5
Vulnrichment
Vulnrichment
added 2026/05/20 7:41 p.m.9 views

CVE-2026-35016 Open ISES Tickets < 3.44.2 Reflected XSS via search.php frm_query Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frmquery POST parameter directly into an HTML input field VALUE attribute. Attackers...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/20 7:41 p.m.29 views

CVE-2026-35016 Open ISES Tickets < 3.44.2 Reflected XSS via search.php frm_query Parameter

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frmquery POST parameter directly into an HTML input field VALUE attribute. Attackers...

5.1CVSS0.00221EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.17 views

PT-2026-42177

Name of the Vulnerable Software and Affected Versions phoenix storybook versions 0.4.0 through 1.0.x Description An authorization bypass occurs due to user-controlled keys, allowing cross-session PubSub topic injection via a URL query parameter. The function handle params/3 in...

2.3CVSS5.5AI score0.00449EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.14 views

PT-2026-42258

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm query POST parameter directly into an HTML input field VALUE attribute. Attacker...

5.1CVSS5.8AI score0.00221EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/05/19 1:24 p.m.14 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.9AI score0.01945EPSS
Exploits0References8
CVE
CVE
added 2026/05/16 3:26 p.m.17 views

CVE-2021-47954

LayerBB 1.1.4 contains an unauthenticated SQL injection vulnerability in the search_query parameter. An attacker can send POST requests to /search.php with crafted search_query values (e.g., using CASE WHEN statements) to manipulate queries and extract sensitive database information. No remediati...

8.8CVSS5.9AI score0.00237EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/16 12:0 a.m.11 views

LayerBB SQL注入漏洞

LayerBB is a set of small-scale forum software. Version 1.1.4 of LayerBB contains an SQL injection vulnerability. This vulnerability stems from SQL injection issues, which may allow unauthenticated attackers to inject SQL code through the searchquery parameter, thereby manipulating database queri...

8.8CVSS5.9AI score0.00237EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.26 views

CVE-2026-27886

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

9.2CVSS0.00612EPSS
Exploits3References1
OSV
OSV
added 2026/05/14 4:33 p.m.3 views

GHSA-JVP4-Q659-95MJ Portainer: JWT accepted in URL query leaks tokens to logs and referers

Summary Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token= URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers ...

7.7CVSS5.8AI score0.00316EPSS
Exploits1References6
RedHat Linux
RedHat Linux
added 2026/05/13 1:20 p.m.13 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.9AI score0.01945EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/05/08 6:31 p.m.15 views

absinthe_plug Has a Cross-site Scripting vulnerability

Improper Neutralization of Input During Web Page Generation XSS vulnerability in absinthe-graphql absintheplug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':jsescape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the...

6.1CVSS5.8AI score0.00282EPSS
Exploits0References6Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/08 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-39825

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses...

5.3CVSS5.9AI score0.0039EPSS
Exploits0References4
NVD
NVD
added 2026/05/07 10:16 p.m.30 views

CVE-2026-41929

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and componentajax POST parameter. Attackers can craft a malicious link or...

6.1CVSS0.00198EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/07 9:30 p.m.20 views

EUVD-2026-28425

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery...

5.8AI score0.0039EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/07 9:8 p.m.14 views

EUVD-2026-28459

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and componentajax POST parameter. Attackers can craft a malicious link or...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/07 9:8 p.m.6 views

CVE-2026-41929 Vvveb < 1.0.8.2 Unauthenticated Reflected XSS via Visual Editor

Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and componentajax POST parameter. Attackers can craft a malicious link or...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References4
Rows per page
Query Builder