121628 matches found

NVD, added 2026/04/24 12:17 p.m., 6 views

CVE-2026-4313

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

CVSS 2.4, EPSS 0.0059. Exploits: 0, References: 2
SUSE Linux, added 2026/04/24 11:48 a.m., 6 views

Security update for tomcat

This update for tomcat fixes the following issues. Security fixes: CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). CVE-2026-25854: Occasionally open redirect (bsc#1261851). CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). CVE-2026-29145: OCSP checks sometimes...

CVSS 8.7, AI score 5.6, EPSS 0.03494. Exploits: 1, References: 40
OSV, added 2026/04/24 11:48 a.m., 6 views

SUSE-SU-2026:1604-1 Security update for tomcat

This update for tomcat fixes the following issues. Security fixes: - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). - CVE-2026-25854: Occasionally open redirect (bsc#1261851). - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). - CVE-2026-29145: OCSP checks...

CVSS 9.1, AI score 5.4, EPSS 0.15831. Exploits: 6, References: 21
OSV, added 2026/04/24 11:47 a.m., 4 views

SUSE-SU-2026:1603-1 Security update for tomcat10

This update for tomcat10 fixes the following issues. Security fixes: - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). - CVE-2026-25854: Occasionally open redirect (bsc#1261851). - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). - CVE-2026-29145: OCSP checks...

CVSS 9.1, AI score 5.4, EPSS 0.15831. Exploits: 6, References: 21
OSV, added 2026/04/24 9:10 a.m., 8 views

BIT-GITLAB-2026-4922 Cross-Site Request Forgery (CSRF) in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protection...

CVSS 8.1, AI score 5.5, EPSS 0.00178. Exploits: 0, References: 4
CVE, added 2026/04/24 8:28 a.m., 10 views

CVE-2026-6272

The CVE-2026-6272 issue affects the production kuksa.val.v2 gRPC API, specifically the OpenProviderStream path used with a ProvideSignalRequest. A client that only has a read JWT scope can register as a signal provider, which enables attacker-controlled GetProviderValueResponse forwarding. This l...

CVSS 8.5, AI score 5.3, EPSS 0.00269. Exploits: 0, References: 1
EUVD, added 2026/04/24 8:28 a.m., 4 views

EUVD-2026-25409

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid token with only read scope. 2. Connect to the normal production gRPC API kuksa.val.v2. 3. Open...

CVSS 8.5, AI score 5.3, EPSS 0.00269. Exploits: 0, References: 1
NVD, added 2026/04/24 8:16 a.m., 6 views

CVE-2026-3565

The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account function, where the check_ajax_referer call is explicitly commented out on line 883. This makes it possib...

CVSS 4.3, EPSS 0.0017. Exploits: 0, References: 8
Vulnrichment, added 2026/04/24 7:45 a.m., 3 views

CVE-2026-3565 Taqnix <= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action

The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account function, where the check_ajax_referer call is explicitly commented out on line 883. This makes it possib...

CVSS 4.3, AI score 5.2, EPSS 0.0017. Exploits: 0, References: 8
Cvelist, added 2026/04/24 7:45 a.m., 24 views

CVE-2026-3565 Taqnix <= 1.0.3 - Cross-Site Request Forgery to Account Deletion via 'taqnix_delete_my_account' AJAX Action

The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account function, where the check_ajax_referer call is explicitly commented out on line 883. This makes it possib...

CVSS 4.3, EPSS 0.0017. Exploits: 0, References: 8
NVD, added 2026/04/24 6:16 a.m., 6 views

CVE-2026-1949

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

CVSS 9.8, EPSS 0.00611. Exploits: 0, References: 1
Cvelist, added 2026/04/24 5:50 a.m., 27 views

CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

CVSS 9.8, EPSS 0.00611. Exploits: 0, References: 1
Vulnrichment, added 2026/04/24 5:50 a.m., 5 views

CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

CVSS 9.8, AI score 5.4, EPSS 0.00611. Exploits: 0, References: 1
ATTACKERKB, added 2026/04/24 5:50 a.m., 3 views

CVE-2026-1949

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

CVSS 9.8, AI score 6, EPSS 0.00611. Exploits: 0, References: 2
CVE, added 2026/04/24 3:27 a.m., 12 views

CVE-2026-5488

The CVE-2026-5488 issue affects the ExactMetrics – Google Analytics Dashboard for WordPress plugin (WordPress). It stems from missing capability checks in two AJAX handlers (get_ads_access_token() and reset_experience()), allowing authenticated users with subscriber-level access or higher to retr...

CVSS 5.3, AI score 5.7, EPSS 0.00258. Exploits: 0, References: 8
ATTACKERKB, added 2026/04/24 2:40 a.m., 3 views

CVE-2026-41317

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to the database and it is also accessible via the GET method. The patch in commit...

CVSS 8.7, AI score 5.8, EPSS 0.00165. Exploits: 0, References: 3
Snyk, added 2026/04/24 2:31 a.m., 12 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via DoRequestAsync. An attacker in control of a configured endpoint can cause excessive memory consumption and potentially terminate the process by supplying a large HTTP response bod...

CVSS 8.2, AI score 5.8, EPSS 0.00301. Exploits: 0, References: 2
EUVD, added 2026/04/24 12:31 a.m., 7 views

EUVD-2026-25309

Server-side request forgery (SSRF) in Microsoft Dynamics 365 Online allows an unauthorized attacker to perform spoofing over a network...

CVSS 9.3, AI score 5.8, EPSS 0.00584. Exploits: 0, References: 2
EUVD, added 2026/04/24 12:31 a.m., 5 views

EUVD-2026-25331

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized...

CVSS 7.1, AI score 5.7, EPSS 0.00112. Exploits: 0, References: 4
EUVD, added 2026/04/24 12:31 a.m., 12 views

EUVD-2026-25306

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker...

CVSS 3.7, AI score 5.7, EPSS 0.00321. Exploits: 1, References: 5