Lucene search
+L

1512 matches found

cve
cve
added 2026/06/30 6:44 p.m.31 views

CVE-2026-58138

CVE-2026-58138 affects Orkes Conductor 3.21.21 up to, but not including, 3.30.2. The vulnerability arises from unsandboxed GraalVM evaluators built with HostAccess.ALL (or allowAllAccess(true)) used by INLINE, LAMBDA, DO_WHILE, and SWITCH task types, enabling an unauthenticated attacker to submit...

9.8CVSS6.6AI score0.00938EPSS
Exploits2References5
nvd
nvd
added 2026/06/30 5:16 p.m.14 views

CVE-2026-58371

SeaweedFS before 4.30 reflects the callback query parameter verbatim into responses served with Content-Type application/javascript in the shared writeJson helper weed/server/common.go, with no callback-name validation, no X-Content-Type-Options: nosniff header, and no CORS allow-list. Every JSON...

3.1CVSS0.0021EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/30 12:0 a.m.8 views

PT-2026-53929

Name of the Vulnerable Software and Affected Versions SeaweedFS versions prior to 4.30 Description An issue exists where the callback query parameter is reflected verbatim into responses served with the Content-Type application/javascript in the shared writeJson function weed/server/common.go. Th...

3.1CVSS5.9AI score0.0021EPSS
Exploits0References10
nvd
nvd
added 2026/06/26 2:16 a.m.12 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

6.1CVSS0.00224EPSS
Exploits1References1
euvd
euvd
added 2026/06/26 1:11 a.m.10 views

EUVD-2026-39605

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS5.8AI score0.00224EPSS
Exploits1References1
cvelist
cvelist
added 2026/06/26 1:11 a.m.45 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS0.00224EPSS
Exploits1References1
attackerkb
attackerkb
added 2026/06/26 1:11 a.m.8 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS5.8AI score0.00224EPSS
Exploits1References2
osv
osv
added 2026/06/26 1:11 a.m.4 views

CVE-2026-50745

A missing sanitisation vulnerability exists with user input in the stats-video.php script. The way URLs to this script were constructed did not follow best practices, and the output of the Smarty custom helper function url was neither properly encoded nor sanitised, allowing user‑supplied input t...

4.7CVSS5.9AI score0.00224EPSS
Exploits1References3
ptsecurity
ptsecurity
added 2026/06/26 12:0 a.m.15 views

PT-2026-52652

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A missing sanitisation issue exists in the stats-video.php script. The construction of URLs to this script does not follow best practices, and the output of the...

6.1CVSS5.7AI score0.00224EPSS
Exploits1References7
nvd
nvd
added 2026/06/22 6:16 p.m.12 views

CVE-2026-54290

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...

7.1CVSS0.00248EPSS
Exploits0References1
nvd
nvd
added 2026/06/22 6:16 p.m.13 views

CVE-2026-54269

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...

5.3CVSS0.00238EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/22 5:15 p.m.41 views

CVE-2026-54290 Hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, with credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make...

7.1CVSS0.00248EPSS
Exploits0References1
cve
cve
added 2026/06/22 6:0 a.m.14 views

CVE-2026-4259

The CVE-2026-4259 entry concerns the Ultimate WooCommerce Auction Pro WordPress plugin (

7.1CVSS5.8AI score0.00146EPSS
Exploits0References1
snyk
snyk
added 2026/06/15 8:16 p.m.12 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview starlette is a The little ASGI library that shines. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' when dispatching HTTP requests to endpoint attributes via getattr. An attacker can invoke internal...

6.3CVSS5.5AI score0.00213EPSS
Exploits0References2
cve
cve
added 2026/06/12 9:2 p.m.80 views

CVE-2026-46717

CVE-2026-46717 affects Nezha Monitoring (versions 1.4.0 through before 2.0.8). A RoleMember can abuse the /api/v1/notification endpoints (POST and PATCH) wired through commonHandler instead of adminHandler to trigger a synchronous HTTP request to a user-controlled URL. The response body from the ...

7.7CVSS5.2AI score0.0027EPSS
Exploits0References1
osv
osv
added 2026/06/12 9:2 p.m.5 views

CVE-2026-46717 Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The notification routes POST /api/v1/notification and PATCH...

7.7CVSS5.9AI score0.0027EPSS
Exploits0References3
github
github
added 2026/06/11 5:10 p.m.14 views

Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...

5.8AI score0.00047EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/06/11 5:10 p.m.6 views

GHSA-4MJ9-PF4R-CQRC Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...

5.8CVSS5.8AI score0.00047EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/11 12:0 a.m.15 views

PT-2026-48808

Name of the Vulnerable Software and Affected Versions Kolibri versions prior to 0.19.4 Description Several API endpoints accept an unvalidated baseurl parameter, allowing the server to fetch attacker-controlled URLs and reflect the response body back to the caller. This occurs because the baseurl...

5.8CVSS6.1AI score0.00047EPSS
Exploits0References8
redhatcve
redhatcve
added 2026/06/10 9:4 p.m.16 views

CVE-2026-25557

Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can...

5.4CVSS5.5AI score0.00187EPSS
Exploits0References1
Rows per page
Query Builder