Lucene search
+L

773 matches found

Nuclei
Nuclei
added yesterday24 views

Eclipse BIRT Viewer - Remote Code Execution

Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters. id: CVE-2021-34427 info: name: Eclipse BIRT Viewer - Remote Code...

9.8CVSS7.1AI score0.5771EPSS
Exploits4References3
RedHat Linux
RedHat Linux
added 2 days ago3 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.7AI score0.01945EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-61498

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gengraphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end, key, or format HTTP GET parameters. Attacke...

9.8CVSS6.3AI score0.02165EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added last week9 views

CVE-2026-53448

A flaw was found in Coturn, a free open-source implementation of TURN and STUN Server. The HTTPS administration panel, specifically in the delete-user, delete-secret, and delete-IP operations, does not properly sanitize HTTP query parameters. This allows an authenticated administrator to inject...

7.2CVSS6.4AI score0.00677EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added last week6 views

CVE-2026-59180

A flaw was found in Apprise, an open-source library for sending notifications. HTTP-based notification plugins and HTTP attachment and configuration loaders in Apprise, prior to version 1.11.0, automatically follow HTTP redirects. During these redirects, user-configured authentication headers and...

3.1CVSS6.1AI score0.00195EPSS
Exploits0References7
NVD
NVD
added 2026/07/10 8:16 a.m.9 views

CVE-2026-13347

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...

7.5CVSS0.00512EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/10 6:51 a.m.7 views

EUVD-2026-42831

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...

7.5CVSS6.1AI score0.00512EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/07/06 1:3 p.m.5 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.8AI score0.01945EPSS
Exploits0References8
OSV
OSV
added 2026/07/06 8:13 a.m.4 views

CVE-2026-55993 Apache Camel Atmosphere Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling influencing internal behaviour

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery SSRF vulnerability in Apache Camel in Atmosphere Websocket Component. The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header...

7.5CVSS6.2AI score0.00536EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/02 7:25 p.m.15 views

EUVD-2026-33256

Mautic has SQL Injection in API Contact Filtering...

7.1CVSS5.8AI score0.00224EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.8 views

Next.js: Next.js: Authorization bypass via crafted query parameters

A flaw was found in Next.js. This vulnerability allows an attacker to bypass security checks in web applications that use Next.js middleware to protect specific web pages. By sending specially crafted web addresses, an attacker can access protected content without proper authorization. This could...

8.1CVSS5.9AI score0.00485EPSS
Exploits2References5
RedHat Linux
RedHat Linux
added 2026/07/01 11:30 a.m.6 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.8AI score0.01945EPSS
Exploits0References8
Fedora
Fedora
added 2026/07/01 1:22 a.m.13 views

[SECURITY] Fedora 43 Update: vmod-querystring-2.0.3-11.fc43

The purpose of this module is to give you a fine-grained control over a URL's query-string in Varnish Cache. It's possible to remove the query-string, clean it, sort its parameters or filter it to only keep a subset of them. This can greatly improve your hit ratio and efficiency with Varnish,...

5.6AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.9 views

PT-2026-54917

Name of the Vulnerable Software and Affected Versions Shenzhen Aitemi M300 Wi-Fi Repeater hardware model MT02 affected versions not specified Description An unauthenticated OS command injection exists in the commuos web backend. Network-adjacent attackers can execute arbitrary shell commands by...

9.8CVSS6AI score0.01671EPSS
Exploits1References9
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.23 views

CVE-2026-56224 Capgo - Login CSRF and Session Fixation via URL Query Parameters

Capgo console.capgo.app/login before 12.128.2 accepts accesstoken and refreshtoken in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs...

5.4CVSS0.00194EPSS
Exploits0References2
NVD
NVD
added 2026/06/29 8:17 p.m.11 views

CVE-2026-57498

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId$teamId before any operation. However, multiple Livewire web UI components accept...

9.6CVSS0.00223EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.14 views

PT-2026-53734

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.474 Description Multiple Livewire web UI components fail to validate team ownership when processing server id and destination uuid passed via URL query parameters. While API controllers correctly use the...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/06/25 9:3 a.m.4 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.8AI score0.01945EPSS
Exploits0References8
CVE
CVE
added 2026/06/24 3:50 p.m.63 views

CVE-2026-54297

CVE-2026-54297 (Faraday) : Uncontrolled recursion in Faraday::NestedParamsEncoder during decoding of nested query strings can create deeply nested Ruby Hashes, leading to a stack exhaustion DoS. Affected versions are Faraday 1.0.0 through 1.10.6 and 2.14.3. The vulnerability is fixed in 1.10.6 an...

7.5CVSS5.9AI score0.00391EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/06/23 6:3 p.m.2 views

GHSA-J4H9-PM27-4RFW OctoPrint has possible file exfiltration via query parameters on upload endpoints

Impact OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILEUPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be...

7CVSS5.9AI score
Exploits0References2
Rows per page
Query Builder