250659 matches found

RedhatCVE
added 2026/06/01 1:19 p.m. | 7 views

CVE-2026-45372

A flaw was found in cpp-httplib, a C++ library for handling web requests. A remote attacker could exploit this vulnerability by sending a specially crafted web request. The server incorrectly processes certain encoded characters within the request's header information before checking their...

CVSS 9.9 | AI score 5.9 | EPSS 0.00056
Exploits: 1 | References: 2
Rapid7 Blog
added 2026/06/01 1:0 p.m. | 21 views

CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)

Overview: Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol (VoIP) phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-08...

CVSS 9.2 | AI score 7.1 | EPSS 0.00279
Exploits: 0
Cvelist
added 2026/06/01 11:30 a.m. | 29 views

CVE-2026-10532 Logback deserialization whitelist bypass for Proxy objects

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...

CVSS 6.3 | EPSS 0.00113
Exploits: 0 | References: 1
GithubExploit
added 2026/06/01 11:12 a.m. | 47 views

Legacy-TJNULL-OSCP-

HackTheBox: Legacy Writeup An elegant, professional walkthroug...

AI score 6.4
Exploits: 0
Snyk
added 2026/06/01 10:29 a.m. | 4 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) that allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that...

CVSS 8.8 | AI score 5.6 | EPSS 0.0007
Exploits: 0 | References: 2
Snyk
added 2026/06/01 10:29 a.m. | 4 views

Improper Input Validation

Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Improper Input Validation over the /api/jolokia MBeans interface. A user can execute arbitrary code on the broker's JVM by invoking operations with...

CVSS 8.8 | AI score 7.1 | EPSS 0.83461
Exploits: 12 | References: 2
Snyk
added 2026/06/01 10:29 a.m. | 5 views

Improper Input Validation

Overview org.apache.activemq:activemq-broker is a high performance Apache 2.0 licensed Message Broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Improper Input Validation over the /api/jolokia MBeans interface. A user can execute arbitrary code on the broker's...

CVSS 8.8 | AI score 7 | EPSS 0.83461
Exploits: 12 | References: 2
Snyk
added 2026/06/01 10:29 a.m. | 5 views

Improper Input Validation

Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Improper Input Validation through the addNetworkConnector function exposed via the Jolokia JMX-HTTP bridge. An attacker can achieve arbitrary code...

CVSS 8.6 | AI score 6.2 | EPSS 0.00081
Exploits: 1 | References: 2
OSV
added 2026/06/01 9:16 a.m. | 4 views

PYSEC-2026-186

Apache Airflow's scheduler-side deadline-reference decoder SerializedCustomReference.deserializereference imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler — t...

CVSS 7.3 | AI score 6 | EPSS 0.00086
Exploits: 0 | References: 3
PyPA
added 2026/06/01 9:16 a.m. | 6 views

PYSEC-0000-CVE-2026-42359

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

CVSS 8.8 | AI score 5.8 | EPSS 0.0007
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2026/06/01 9:16 a.m. | 3 views

PYSEC-2026-185

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

CVSS 8.8 | AI score 5.8 | EPSS 0.002
Exploits: 0 | References: 3
NVD
added 2026/06/01 9:16 a.m. | 9 views

CVE-2026-42359

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

CVSS 8.8 | EPSS 0.0007
Exploits: 0 | References: 3
EUVD
added 2026/06/01 9:4 a.m. | 8 views

EUVD-2026-33614

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 Path...

CVSS 8.8 | AI score 5.8 | EPSS 0.00088
Exploits: 0 | References: 2
Vulnrichment
added 2026/06/01 9:4 a.m. | 7 views

CVE-2026-40548 Unrestricted Upload of File with Dangerous Type in SOPlanning

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 Path...

CVSS 6.4 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 2
Patchstack
added 2026/06/01 8:20 a.m. | 9 views

WordPress Crawlomatic Multipage Scraper Post Generator plugin <= 2.7.2 - Authenticated (Author+) Remote Code Execution vulnerability

Authenticated (Author+) Remote Code Execution vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin Crawlomatic Multisite Scraper Post Generator versions <= 2.7.2...

CVSS 8.8 | AI score 5.8 | EPSS 0.00264
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/06/01 7:49 a.m. | 5 views

CVE-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

AI score 5.8 | EPSS 0.0007
Exploits: 0 | References: 3
EUVD
added 2026/06/01 7:49 a.m. | 12 views

EUVD-2026-33588

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

CVSS 8.8 | AI score 5.8 | EPSS 0.002
Exploits: 0 | References: 3
CVE
added 2026/06/01 7:49 a.m. | 11 views

CVE-2026-42359

CVE-2026-42359 (Apache Airflow) : A bug in the XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allows an authenticated UI/API user with XCom write permission on a DAG to set XCom entries under reserved keys (e.g., return_value) that bypass a prior validation on the POST path. The endpoint c...

CVSS 8.8 | AI score 5.8 | EPSS 0.0007
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist
added 2026/06/01 7:49 a.m. | 30 views

CVE-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

EPSS 0.0007
Exploits: 0 | References: 3
ATTACKERKB
added 2026/06/01 7:49 a.m. | 7 views

CVE-2026-42359

A bug in Apache Airflow's XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. return_value) that the matching POST endpoint already validated against FORBIDDEN_XCOM_KEYS. The...

CVSS 8.8 | AI score 5.8 | EPSS 0.002
Exploits: 0 | References: 3 | Affected Software: 1