Lucene search
K

38 matches found

Cvelist
Cvelist
added 2026/07/01 7:27 p.m.34 views

CVE-2026-58593 NodeBB - ActivityPub Author Spoofing via Unvalidated attributedTo Mapped to Local User

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS0.00191EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/01 7:27 p.m.8 views

EUVD-2026-41131

NodeBB does not bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. The inbound middleware verifies the HTTP-signature actor and checks the origin of object.id, but never validates that attributedTo corresponds to the sender. In the object mock, attributedT...

8.7CVSS6AI score0.00191EPSS
Exploits1References3
CVE
CVE
added 2026/07/01 7:27 p.m.24 views

CVE-2026-58593

NodeBB is affected by CVE-2026-58593 where inbound ActivityPub objects are not correctly bound to the authenticated remote actor. The middleware verifies the HTTP-signature actor and origin of object.id but does not validate that attributedTo corresponds to the sender, treating attributedTo as a ...

8.7CVSS6AI score0.00191EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.11 views

PT-2026-54922

Name of the Vulnerable Software and Affected Versions NodeBB affected versions not specified Description NodeBB fails to bind the claimed author of an inbound ActivityPub object to the authenticated remote actor. While the inbound middleware verifies the HTTP-signature actor and the origin of the...

8.7CVSS5.9AI score0.00191EPSS
Exploits1References8
CVE
CVE
added 2026/06/05 7:7 p.m.77 views

CVE-2026-11401

The CVE-2026-11401 entry describes an untrusted search path vulnerability in the GlobalDatabasePlugin of the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL. A remote authenticated low-privilege actor can escalate to other Amazon RDS user privileges (including rds_superuser) via a crafted fu...

8.6CVSS5.5AI score0.00305EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/15 7:57 p.m.12 views

CVE-2026-8596

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for special...

8.5CVSS6.2AI score0.00439EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 5:3 p.m.3 views

CVE-2026-34148

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or...

7.5CVSS6AI score0.00551EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2025/02/21 10:48 p.m.17 views

Leantime allows Cross-Site Request Forgery (CSRF)

CSRF Summary A cross-site request forgery vulnerability allows a remote actor to create an account with Owner privileges. By luring an Owner or Administrator into clicking a button on an attacker-controlled website, a request will be issued, generating an account with the attacker's information a...

7.1AI score
Exploits0References2Affected Software1
OSV
OSV
added 2024/08/06 10:40 p.m.35 views

GO-2024-3031 Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server...

4.3CVSS4.5AI score0.00276EPSS
Exploits0References3
OSV
OSV
added 2024/08/06 10:40 p.m.38 views

GO-2024-3022 Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server...

4.3CVSS4.5AI score0.00175EPSS
Exploits0References3
OSV
OSV
added 2024/08/06 10:40 p.m.28 views

GO-2024-3020 Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server...

8.7CVSS7.2AI score0.0046EPSS
Exploits0References3
OSV
OSV
added 2024/08/06 10:3 p.m.137 views

GO-2024-3023 Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server...

7.1CVSS6AI score0.00362EPSS
Exploits0References3
OSV
OSV
added 2024/08/01 3:32 p.m.10 views

GHSA-762M-4CX6-6MF4 Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled...

6.8CVSS7.3AI score0.0046EPSS
Exploits0References4
OSV
OSV
added 2024/08/01 3:32 p.m.53 views

GHSA-VG67-CHM7-8M3J Mattermost allows remote actor to create/update/delete posts in arbitrary channels

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels...

7CVSS6AI score0.00362EPSS
Exploits0References4
OSV
OSV
added 2024/08/01 3:32 p.m.62 views

GHSA-9FPW-C9X7-CV3J Mattermost allows remote actor to set arbitrary RemoteId values for synced users

Mattermost versions 9.9.x = 9.9.0 and 9.5.x = 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote...

5.1CVSS4.3AI score0.00175EPSS
Exploits0References5
OSV
OSV
added 2024/08/01 3:32 p.m.16 views

GHSA-JR9X-3X7M-4J75 Mattermost allows a remote actor to make an arbitrary local channel read-only

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5 and 9.8.x = 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only...

5.1CVSS4.5AI score0.00276EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/08/01 3:32 p.m.26 views

Mattermost allows a remote actor to make an arbitrary local channel read-only

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5 and 9.8.x = 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only...

4.3CVSS6.9AI score0.00276EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2024/08/01 3:32 p.m.16 views

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled...

8.7CVSS6.8AI score0.0046EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2024/08/01 12:0 a.m.4 views

PT-2024-29301 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.5.x through 9.5.6 Mattermost versions 9.7.x through 9.7.5 Mattermost versions 9.8.x through 9.8.1 Mattermost versions 9.9.x through 9.9.0 Description: The issue allows a malicious remote actor to make an arbitrary local...

5.1CVSS7.3AI score0.00276EPSS
Exploits0References11
OSV
OSV
added 2023/08/29 4:15 p.m.2 views

DEBIAN-CVE-2023-38283

In OpenBGPD before 8.1, incorrect handling of BGP update data length of path attributes set by a potentially distant remote actor may cause the system to incorrectly reset a session. This is fixed in OpenBSD 7.3 errata 006...

5.3CVSS6.9AI score0.01119EPSS
Exploits1References1
Rows per page
Query Builder