Lucene search
K

3009180 matches found

OSV
OSV
added yesterday3 views

GHSA-MCQQ-FQGF-RXWM Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`

Summary coder config-ssh wrote server-supplied SSH settings HostnameSuffix, SSHConfigOptions into the user's /.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Note: Practical exploitatio...

8.3CVSS6.6AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-7V6W-C3F4-9WPQ OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory

Summary The fix for CVE-2026-40882 addressed only the Velbus asset import handler. The KNX asset import handler KNXProtocol processes user-uploaded ETS project ZIP files through Saxon XSLT and XMLInputFactory.newInstance with no XXE protection, allowing any authenticated user to read arbitrary...

7.6CVSS6AI score
Exploits0References3
Github Security Blog
Github Security Blog
added yesterday3 views

OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory

Summary The fix for CVE-2026-40882 addressed only the Velbus asset import handler. The KNX asset import handler KNXProtocol processes user-uploaded ETS project ZIP files through Saxon XSLT and XMLInputFactory.newInstance with no XXE protection, allowing any authenticated user to read arbitrary...

7.6CVSS6AI score0.00249EPSS
Exploits1References3Affected Software1
CVE
CVE
added yesterday3 views

CVE-2026-34038

CVE-2026-34038 affects Coolify prior to 4.0.0-beta.469. An authenticated user with application write permissions could trigger remote command execution via the deployment handling pipeline, and exfiltrate sensitive environment variables through deployment logs (e.g., via dockerfile_location and d...

9.9CVSS6.6AI score
Exploits1References4
EUVD
EUVD
added yesterday5 views

EUVD-2026-41943

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution...

9.9CVSS6.6AI score
Exploits1References4
Cvelist
Cvelist
added yesterday13 views

CVE-2026-34038 Coolify authenticated remote command injection leading to RCE and secret exfiltration

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution...

9.9CVSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-34038

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, an authenticated remote command injection vulnerability in application deployment handling allows users with application write permissions to achieve remote code execution...

9.9CVSS6.6AI score
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

5.9AI score
Exploits0References2Affected Software1
OSV
OSV
added yesterday2 views

GHSA-GV83-GQW6-9J2C GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score
Exploits0References2
Github Security Blog
Github Security Blog
added yesterday2 views

Langroid: handle_message() executes user-supplied tool JSON without sender verification

Summary A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Details enablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate...

6AI score
Exploits0References2Affected Software1
OSV
OSV
added yesterday2 views

GHSA-GJGQ-W2M6-WR5Q Langroid: handle_message() executes user-supplied tool JSON without sender verification

Summary A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Details enablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate...

8.1CVSS6AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-Q9P7-WQXG-MRHC Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent

Advisory Details Title: Sandbox Escape to Remote Code Execution via Incomplete eval Mitigation in TableChatAgent Description: Summary Langroid is vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents...

10CVSS6.3AI score
Exploits0References2
Github Security Blog
Github Security Blog
added yesterday3 views

Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent

Advisory Details Title: Sandbox Escape to Remote Code Execution via Incomplete eval Mitigation in TableChatAgent Description: Summary Langroid is vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents...

6.3AI score
Exploits0References2Affected Software1
OSV
OSV
added yesterday2 views

GHSA-6XC5-4R68-67FC Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls

SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names Summary The SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only...

9.3CVSS6.2AI score
Exploits0References2
Github Security Blog
Github Security Blog
added yesterday3 views

Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls

SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names Summary The SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only...

9.8CVSS6.2AI score0.00409EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added yesterday3 views

EUVD-2026-41939

Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted tablename value that is interpolated into SQL statements in...

8.6CVSS6.3AI score
Exploits0References3
Cvelist
Cvelist
added yesterday13 views

CVE-2026-14471 Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry

Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted tablename value that is interpolated into SQL statements in...

8.6CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-14471

Improper Neutralization of Special Elements in the metrics-service retention policy management component in Amazon mcp-gateway-registry before 1.0.13 might allow an authenticated remote user to execute arbitrary SQL queries via a crafted tablename value that is interpolated into SQL statements in...

8.6CVSS6.3AI score
Exploits0References4Affected Software1
CVE
CVE
added yesterday7 views

CVE-2026-14471

The CVE affects Amazon mcp-gateway-registry’s metrics-service retention policy management component (pre-1.0.13). An authenticated remote user can exploit an SQL injection via a crafted table_name value interpolated into SQL statements in the identifier position, potentially impacting confidentia...

8.6CVSS6.3AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-CHWM-M7G7-685G Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile

Summary The Dragonfly scheduler's v1 gRPC service contains an unauthenticated Server-Side Request Forgery SSRF. When a peer reports a successful download of a TINY task, the scheduler calls Peer.DownloadTinyFile and issues an HTTP GET to a host and port taken verbatim from the attacker-controlled...

6.9CVSS6.3AI score
Exploits0References11
Rows per page
Query Builder