CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/06/11 6:28 p.m.•7 views

EUVD-2026-36299

8.8CVSS5.4AI score0.00324EPSS

Positive Technologies•added 2026/06/04 12:0 a.m.•13 views

PT-2026-46324

Unauthenticated Local File Inclusion in Rosaleen = 2.8 versions...

8.1CVSS5.2AI score0.00435EPSS

Exploits0References3

Snyk•added 2026/05/20 9:41 a.m.•5 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via Environment::createTemplate when sandboxing is enabled selectively through SourcePolicyInterface. An attacker can bypass Twig sandbox...

7.4CVSS5.8AI score0.00031EPSS

Positive Technologies•added 2026/05/06 12:0 a.m.•7 views

PT-2026-38252

Name of the Vulnerable Software and Affected Versions Nitro versions prior to 2.13.4 Nitro versions prior to 3.0.260429-beta Description An issue exists where an attacker can transform a redirect route rule using wildcards into a cross-host redirect by inserting an extra slash after the rule...

5.3CVSS5.8AI score0.00237EPSS

Exploits0References9

Positive Technologies•added 2026/05/06 12:0 a.m.•13 views

PT-2026-38253

Name of the Vulnerable Software and Affected Versions Nitro versions prior to 2.13.4 Nitro versions prior to 3.0.260429-beta Description An attacker can bypass proxy route rules by sending percent-encoded path traversal sequences ..%2f in the URL. This occurs when Nitro treats these characters as...

5.3CVSS5.8AI score0.00392EPSS

Exploits0References11

ATTACKERKB•added 2026/05/05 2:49 p.m.•2 views

CVE-2026-5766

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILEUPLOADMAXMEMORYSIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...

6.3CVSS5.8AI score0.00423EPSS

Exploits0References4Affected Software1

Snyk•added 2026/04/22 8:23 p.m.•8 views

Uncontrolled Recursion

Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to Uncontrolled...

8.7CVSS5.5AI score0.00557EPSS

Snyk•added 2026/04/21 1:17 a.m.•9 views

Malicious Package

Overview cktool.api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.7AI score

RedhatCVE•added 2026/03/31 10:58 p.m.•2 views

CVE-2026-28228

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed...

NVD•added 2026/03/30 9:17 p.m.•3 views

CVE-2026-28228

8.8CVSS0.00414EPSS

CVE•added 2026/03/30 8:31 p.m.•15 views

CVE-2026-28228

OpenOLAT SAS/Velocity SSTI vulnerability (CVE-2026-28228) allows an authenticated author to inject Velocity directives into a reminder email; when processed, directives are evaluated server-side via Velocity #set chained with Java reflection, enabling arbitrary Java class execution (e.g., Process...

Exploits0References1Affected Software1

ATTACKERKB•added 2026/03/30 8:31 p.m.•1 views

CVE-2026-28228

Exploits0References2Affected Software1

Vulnrichment•added 2026/03/30 8:31 p.m.•2 views

CVE-2026-28228 OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution

EUVD•added 2026/03/30 8:31 p.m.•2 views

EUVD-2026-17201

Cvelist•added 2026/03/30 8:31 p.m.•21 views

CVE-2026-28228 OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution

8.8CVSS0.00414EPSS

Positive Technologies•added 2026/03/30 12:0 a.m.•2 views

PT-2026-29118

Name of the Vulnerable Software and Affected Versions OpenOlat versions prior to 19.1.31 OpenOlat versions prior to 20.1.18 OpenOlat versions prior to 20.2.5 Description OpenOlat is a web-based e-learning platform. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the...

8.8CVSS6AI score0.00414EPSS

Exploits0References6

CNNVD•added 2026/03/30 12:0 a.m.•5 views

OpenOLAT 安全漏洞

OpenOLAT is an open-source web-based e-learning platform used for teaching, learning, assessment, and communication. It serves as a Learning Management System. Versions of OpenOLAT prior to 19.1.31, 20.1.18, and 20.2.5 had security vulnerabilities. These vulnerabilities stemmed from allowing...

8.8CVSS5.8AI score0.00414EPSS