Lucene search
K

1772 matches found

Cvelist
Cvelist
added 2 hours ago7 views

CVE-2026-55441 mise: Arbitrary command execution via task-include files in an untrusted, config-less repository

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS
Exploits0References1
CVE
CVE
added 2 hours ago14 views

CVE-2026-55441

CVE-2026-55441 affects the Mise toolchain. The root cause is that, prior to 2026.6.4, task-include files loaded from directories without config files bypass trust checks and render task fields with a Terraform-like template engine that registers an exec() function. If a directory contains a task-...

8.6CVSS5.9AI score
Exploits0References1
Nuclei
Nuclei
added 16 hours ago367 views

JFrog Artifactory 6.7.3 - Admin Login Bypass

JFrog Artifactory 6.7.3 is vulnerable to an admin login bypass issue because by default the access-admin account is used to reset the password of the admin account. While this is only allowable from a connection directly from localhost, providing an X-Forwarded-For HTTP header to the request allo...

9.8CVSS7.3AI score0.53879EPSS
Exploits3References5
NVD
NVD
added 2 days ago6 views

CVE-2026-52801

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddres...

8.1CVSS0.00569EPSS
Exploits0References4
CVE
CVE
added 2 days ago6 views

CVE-2026-52810

CVE-2026-52810 affects Gogs (Git self-hosted) where the authorization policy is derived from the client-supplied service parameter (e.g., service=git-upload-pack) instead of the actual RPC path. Consequently, requests to the write endpoint /repo.git/git-receive-pack can be treated as read, while ...

7.1CVSS5.9AI score0.00427EPSS
Exploits0References4
CVE
CVE
added 2 days ago14 views

CVE-2026-52801

Gogs contains CVE-2026-52801 where Mirror Settings lacks validation of the SaveAddress function, enabling an authenticated user to import local repositories from the server filesystem. The issue stems from insufficient input validation in Mirror Settings, as opposed to the secure New Migration fl...

8.1CVSS5.9AI score0.00569EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2 days ago3 views

CVE-2026-52801

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddres...

8.1CVSS5.9AI score0.00569EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2 days ago18 views

CVE-2026-52801 Gogs: Ability to import local repositories via Mirror Settings

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddres...

8.1CVSS0.00569EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago15 views

CVE-2026-52795 Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...

4.3CVSS0.00168EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-52795

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...

4.3CVSS5.9AI score0.00168EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2 days ago6 views

Out Of Band Data Exfiltration

Claude Code is vulnerable to Out-of-Band Data Exfiltration. The vulnerability is due to the pre-approval of the hostname huggingface.co as a bare hostname for the WebFetch tool, where any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission...

6CVSS5.9AI score0.00416EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 3 days ago2 views

Directory Traversal

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Directory Traversal via the Clone or Push operations in the Git node when a local filesystem path is supplied as the source or target repository, bypassing the intended file sandbox. An attacker can...

7.7CVSS6.5AI score0.00502EPSS
Exploits0References2
NVD
NVD
added 3 days ago5 views

CVE-2026-49465

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push...

7.7CVSS0.00502EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 3 days ago7 views

Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion

Summary Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string so ?service=git-upload-pack is evaluated as read access while routing still runs git receive-pack, allowing push where only read should be allowed. Details Gogs' Git Smart HTTP handler for...

7.1CVSS6.1AI score0.00427EPSS
Exploits0References5Affected Software1
CVE
CVE
added 3 days ago8 views

CVE-2026-49465

Summary (CVE-2026-49465) : The n8n open source workflow automation platform before versions 1.123.48, 2.21.8, and 2.22.4 is affected. An authenticated user with permission to create or modify workflows could pass a local filesystem path as the source repository in the Git node’s Clone operation, ...

7.7CVSS5.8AI score0.00502EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 3 days ago32 views

CVE-2026-49465 n8n: Git Node Clone and Push Operations Bypass File Sandbox

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push...

6CVSS0.00502EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 3 days ago9 views

Gogs has the ability to import local repositories via Mirror Settings

Summary The Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddress function. Details Here is the function implementation o...

8.1CVSS5.8AI score0.00569EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 3 days ago10 views

PT-2026-51459

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description An information disclosure issue exists in the Mirror Settings functionality, which allows authenticated users to import local repositories from the server filesystem. This occurs due to a lack o...

8.1CVSS5.8AI score0.00569EPSS
Exploits0References11
Github Security Blog
Github Security Blog
added 4 days ago7 views

Gogs Missing Authorization in Attachment Download

Summary In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRESIGNINVIEW = false, we confirmed that an unauthenticated user ca...

7.5CVSS5.8AI score0.00422EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-38206

A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing an on-path attacker to perform man-in-the-middle attacks and compromise mirrored repositories...

8.8CVSS5.8AI score0.00139EPSS
Exploits0References1
Rows per page
Query Builder