Lucene search
K

121628 matches found

Github Security Blog
Github Security Blog
added 2026/04/01 12:3 a.m.10 views

Parse Server has a session field immutability bypass via falsy-value guard

Impact An authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length...

5.4CVSS5.9AI score0.0021EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/04/01 12:3 a.m.3 views

GHSA-F6J3-W9V3-CQ22 Parse Server has a session field immutability bypass via falsy-value guard

Impact An authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length...

5.3CVSS5.9AI score0.0021EPSS
Exploits0References7
Snyk
Snyk
added 2026/04/01 12:1 a.m.1 views

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the image-generation-provider.ts process. An attacker can access internal network resources or sensitive metadata by supplying crafted URLs to the ima...

6CVSS5.9AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/01 12:1 a.m.9 views

OpenClaw affected by SSRF via unguarded image download in fal provider

Summary The fal provider used raw fetches for both provider API traffic and returned image download URLs instead of the existing SSRF-guarded fetch path. Impact A malicious or compromised fal relay could make the gateway fetch internal URLs and expose metadata or internal service responses throug...

8.3CVSS5.9AI score0.00227EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29509

Blind server-side request forgery SSRF vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs...

6.9CVSS6AI score0.00195EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/01 12:0 a.m.5 views

IBM Verify Identity Access Container和IBM Verify Identity Access 环境问题漏洞

IBM Verify Identity Access Container and IBM Verify Identity Access are products of IBM Corporation. IBM Verify Identity Access Container is a containerized software that provides authentication and authorization functions for applications. IBM Verify Identity Access is an enterprise-level securi...

5.3CVSS5.9AI score0.00371EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/01 12:0 a.m.5 views

IBM DataPower Gateway 跨站请求伪造漏洞

IBM DataPower Gateway is an enterprise-grade application security gateway that provides API management and traffic control capabilities. A cross-site request forgery vulnerability exists in IBM DataPower Gateway. The vulnerability arises because the system fails to effectively validate the source...

8.8CVSS5.7AI score0.00167EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29536

Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request...

5.9AI score0.0026EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.7 views

PT-2026-29669

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.1 Description phpMyFAQ is susceptible to arbitrary file deletion due to missing path traversal validation and CSRF token verification in the MediaBrowserController::index method. Specifically, when the fileRemove...

8.7CVSS6AI score0.00693EPSS
Exploits1References8
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29539

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication MFA configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11...

5.9AI score0.00194EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.6 views

PT-2026-29663

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, in src/endpoints/search.js, the hostname is checked against /^d+.d+.d+.d+$/. This only...

5CVSS5.8AI score0.00213EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.4 views

PT-2026-29548

A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request...

9.8CVSS6.2AI score0.01531EPSS
Exploits0References4
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-14437

The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials...

7.5CVSS5.8AI score0.01986EPSS
In wildExploits0References2
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.3 views

PT-2026-29619

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 IBM Security Verify could allow a remote attacker to access sensitive...

5.3CVSS5.9AI score0.00371EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.11 views

VulnCheck KEV: CVE-2022-3254

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection...

9.8CVSS5.9AI score0.05103EPSS
In wildExploits2References2
CNNVD
CNNVD
added 2026/04/01 12:0 a.m.4 views

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.1 to 2026.1.11, as well as those from 2025.3.1 to 2025.3.17, have security...

4.3CVSS6AI score0.00162EPSS
Exploits0References1
CVE
CVE
added 2026/04/01 12:0 a.m.8 views

CVE-2024-43028

CVE-2024-43028 is a reported command-injection vulnerability in the Jeecg Boot platform, affecting the /jmreport/show component from v3.0.0 to v3.5.3. The issue allows an attacker to execute arbitrary code via a crafted HTTP request, with network access (no authentication) required. The CVSS v3.1...

9.8CVSS6.2AI score0.01531EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.5 views

PT-2026-29549

A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery SSRF attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attack...

6.1CVSS6.2AI score0.00242EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.5 views

PT-2026-29540

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11...

5.9AI score0.00224EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/01 12:0 a.m.6 views

Frostmourne 代码问题漏洞

Frostmourne is a multi-data-source monitoring and alert system developed by AutohomeCorp. Versions of Frostmourne 1.0 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect operations on the file...

6.5CVSS6.7AI score0.00201EPSS
Exploits0References4
Rows per page
Query Builder