CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 2 hours ago•4 views

CVE-2026-45327 TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

8.2CVSS

Vulnrichment•added 2 hours ago•2 views

CVE-2026-45327 TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

8.2CVSS

ATTACKERKB•added 2 hours ago•3 views

CVE-2026-45327

8.2CVSS5.5AI score

Exploits0References4Affected Software1

Github Security Blog•added 3 hours ago•3 views

NocoDB: User Enumeration via Sign-In Timing

Summary Sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. Details The unknown-user branch in auth.service.ts now performs a bcrypt.compare against a fixed dummy hash so the response ti...

5.5AI score

Exploits0References3Affected Software1

NVD•added yesterday•6 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

6.3CVSS

ATTACKERKB•added yesterday•3 views

CVE-2026-43926

Exploits0References3Affected Software1

EUVD•added yesterday•4 views

EUVD-2026-34255

CVE•added yesterday•7 views

CVE-2026-43926

FOSSBilling prior to 0.8.0 allows probing the password-reset flow because the non-API controller for /client/reset-password-confirm/:hash is not rate-limited like /api/* endpoints. The endpoint may reveal valid vs invalid tokens (200 vs 302), enabling unlimited token guessing until expiry. Token ...

Vulnrichment•added yesterday•4 views

CVE-2026-43926 FOSSBilling's password reset confirmation endpoint lacks rate limiting

Cvelist•added yesterday•23 views

CVE-2026-43926 FOSSBilling's password reset confirmation endpoint lacks rate limiting

6.3CVSS

Positive Technologies•added yesterday•10 views

PT-2026-46229

Vulnrichment•added 2 days ago•5 views

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

5.8AI score0.00016EPSS

ATTACKERKB•added 2 days ago•3 views

CVE-2026-36607

8.8CVSS5.8AI score0.00016EPSS

Cvelist•added 2 days ago•34 views

CVE-2026-36607

0.00016EPSS

EUVD•added 2 days ago•5 views

EUVD-2026-34146

8.8CVSS5.8AI score0.00016EPSS

CVE•added 2 days ago•5 views

CVE-2026-36607

Mercusys AC12G (EU) V1 router, firmware AC12G(EU)_V1_200909, is affected by CVE-2026-36607. The TDDP password change endpoint (code=10) allows unauthenticated brute-force attempts without rate limiting, unlike the login endpoint (code=7). An attacker on an adjacent network can attempt unlimited p...

8.8CVSS5.8AI score0.00016EPSS

SUSE CVE•added 6 days ago•10 views

SUSE CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

3.7CVSS5.8AI score0.00057EPSS