Debian CVE
added 2026/04/23 9:51 p.m., 9 views

CVE-2026-2708

A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker...

CVSS 5.3, AI score 5.2, EPSS 0.00321
Exploits 1
ATTACKERKB
added 2026/04/23 9:37 p.m., 5 views

CVE-2026-35431

Server-side request forgery (SSRF) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network...

CVSS 10, AI score 5.8, EPSS 0.00511
Exploits 0, References 2
Cvelist
added 2026/04/23 8:59 p.m., 36 views

CVE-2026-28525 SWUpdate Integer Underflow in Multipart Upload Parser

SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTTP POST request to /upload with a malformed multipart boundary and controlled TCP stream timing...

CVSS 8.2, EPSS 0.00316
Exploits 0, References 2
NVD
added 2026/04/23 8:16 p.m., 4 views

CVE-2026-41272

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers secureAxiosRequest and secureFetch intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the...

CVSS 7.1, EPSS 0.00232
Exploits 1, References 1
NVD
added 2026/04/23 8:16 p.m., 11 views

CVE-2026-41271

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests t...

CVSS 8.3, EPSS 0.00233
Exploits 1, References 1
EUVD
added 2026/04/23 7:16 p.m., 8 views

EUVD-2026-25289

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the core security wrappers secureAxiosRequest and secureFetch intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the...

CVSS 7.1, AI score 5.8, EPSS 0.00232
Exploits 1, References 1
EUVD
added 2026/04/23 7:15 p.m., 4 views

EUVD-2026-25287

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and...

CVSS 7.1, AI score 5.8, EPSS 0.00234
Exploits 1, References 1
CVE
added 2026/04/23 7:15 p.m., 11 views

CVE-2026-41270

Flowise (drag‑and‑drop UI for building LLM flows) contains an SSRF protection bypass in the Custom Function sandbox prior to version 3.1.0. The app blocks SSRF via HTTP_DENY_LIST for axios and node-fetch, but it allows use of built‑in Node.js http, https, and net modules inside the NodeVM sandbox...

CVSS 8.3, AI score 5.8, EPSS 0.00234
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/04/23 7:13 p.m., 8 views

CVE-2026-41268

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined wi...

CVSS 7.7, AI score 7.5, EPSS 0.13789
Exploits 1, References 2, Affected Software 1
OSV
added 2026/04/23 5:29 p.m., 4 views

CLSA-2026-1776965343 Fix CVE(s): CVE-2022-29404

SECURITY UPDATE: DoS via unbounded request body in mod_lua - debian/patches/CVE-2022-29404-part1.patch: set AP_DEFAULT_LIMIT_REQ_BODY to 1GB in server/core.c, enforce LimitRequestBody in ap_setup_client_block in modules/http/http_filters.c, remove redundant proxy check in modules/proxy/mod_proxy_http.c. -...

CVSS 7.5, AI score 7.2, EPSS 0.05678
Exploits 0, References 1
NVD
added 2026/04/23 4:16 p.m., 6 views

CVE-2026-40471

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. Scripts on foreign sites could trigger requests to hackage server, possibly abusing latent credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abus...

CVSS 9.6, EPSS 0.00137
Exploits 0, References 1
NVD
added 2026/04/23 3:37 p.m., 4 views

CVE-2026-41461

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVSS 8.5, EPSS 0.00302
Exploits 1, References 4
EUVD
added 2026/04/23 3:35 p.m., 4 views

EUVD-2025-5343

Cross-Site Request Forgery (CSRF) vulnerability in Required Admin Menu Manager allows Cross Site Request Forgery. This issue affects Admin Menu Manager: from n/a through 1.0.3...

CVSS 4.3, AI score 7.3, EPSS 0.0016
Exploits 0, References 3
Snyk
added 2026/04/23 3:07 p.m., 6 views

Directory Traversal

Overview: psitransfer is a simple open source self-hosted file sharing solution. Affected versions of this package are vulnerable to Directory Traversal through the Store.getFilename path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files...

CVSS 7.7, AI score 6.3, EPSS 0.00307
Exploits 0, References 2
ATTACKERKB
added 2026/04/23 2:54 p.m., 9 views

CVE-2026-34003

A flaw was found in the X.Org X server's XKB key types request validation. A local attacker could send a specially crafted request to the X server, leading to an out-of-bounds memory access vulnerability. This could result in the disclosure of sensitive information or cause the server to crash,...

CVSS 7.8, AI score 5.7, EPSS 0.0025
Exploits 0, References 38
OSV
added 2026/04/23 2:28 p.m., 11 views

GHSA-RHF7-WVW3-VJVM goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

Summary: The PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can wri...

CVSS 6.5, AI score 5.9, EPSS 0.00165
Exploits 1, References 5
Snyk
added 2026/04/23 2:28 p.m., 6 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...

CVSS 7.1, AI score 5.9, EPSS 0.00165
Exploits 1, References 2
Github Security Blog
added 2026/04/23 2:28 p.m., 9 views

goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

Summary: The PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can wri...

CVSS 6.5, AI score 5.9, EPSS 0.00165
Exploits 1, References 5, Affected Software 2
Vulnrichment
added 2026/04/23 1:45 p.m., 6 views

CVE-2026-41461 SocialEngine <= 7.8.0 Blind SSRF via /core/link/preview

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVSS 8.5, AI score 5.9, EPSS 0.00302
Exploits 1, References 3
ATTACKERKB
added 2026/04/23 1:45 p.m., 3 views

CVE-2026-41461

SocialEngine versions 7.8.0 and prior contain a blind server-side request forgery vulnerability in the /core/link/preview endpoint where user-supplied input passed via the uri request parameter is not sanitized before being used to construct outbound HTTP requests. Authenticated remote attackers...

CVSS 8.5, AI score 5.9, EPSS 0.00302
Exploits 1, References 4