Lucene search
K

2011 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-13262

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

6.5CVSS0.00352EPSS
Exploits0References10
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42894

PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft single or double-vector prompt injections that are...

6.9CVSS6.1AI score0.0022EPSS
Exploits0References2
CVE
CVE
added 2026/07/07 9:19 a.m.15 views

CVE-2026-49487

Apache Airflow prior to 3.3.0 exposes secrets in clear text via the REST API. Specifically, the task-instance detail and list endpoints leak a deferred task’s trigger kwargs, so if a deferred operator passes a secret (e.g., a provider API key) into its trigger, any authenticated user with DAG-sco...

6.5CVSS6AI score0.00664EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.9 views

PT-2026-56158

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell...

8.7CVSS6.1AI score0.00524EPSS
Exploits0References6
Debian CVE
Debian CVE
added 2026/07/02 9:19 p.m.7 views

CVE-2026-12413

An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemblev2incomingfragments would ignore unknown outer payloads but still store these in a fixed size array msgdigest.digestPAYLIMIT...

7.5CVSS6.6AI score0.00597EPSS
Exploits0
EUVD
EUVD
added 2026/07/02 8:31 p.m.13 views

EUVD-2026-37811

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords...

7.5CVSS5.8AI score0.00185EPSS
Exploits0References4
Snyk
Snyk
added 2026/07/01 9:43 p.m.4 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path through the pushFile process when symlink traversal is possible within the working directory. An attacker can write files outside the intended directory boundary by supplying a crafted blob title th...

6.9CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/01 8:44 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via unsanitized repository URL components in the webhook endpoint when no secret is configured. An attacker can trigger continuous repository re-cloning, increasing network traffic and...

8.3CVSS6AI score0.00506EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/01 7:24 p.m.4 views

External Control of File Name or Path

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

8.5CVSS6AI score0.00098EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/26 12:4 a.m.7 views

CVE-2026-13322

A flaw was found in KubeVirt's downward metrics virtio-serial server. The server reads guest requests using textproto.Reader.ReadLine, which buffers input indefinitely until a newline character is received, with no length limit or read deadline. A user with access to a VM guest that has the...

3.8CVSS5.8AI score0.00094EPSS
Exploits0References3
NVD
NVD
added 2026/06/25 8:17 p.m.9 views

CVE-2026-55960

Un-negotiated Raw Public Key RFC 7250 accepted in place of an X.509 certificate, bypassing chain validation. A raw public key has no chain, so ParseCertRelative accepts it without performing any trust verification; it must therefore only be accepted when RPK was actually negotiated for that peer...

8.2CVSS0.00145EPSS
Exploits0References2
OSV
OSV
added 2026/06/25 9:16 a.m.3 views

UBUNTU-CVE-2026-53236

In the Linux kernel, the following vulnerability has been resolved: tcp: restrict SOATTACHFILTER to priv users This patch restricts the use of SOATTACHFILTER cBPF on TCP sockets to users with CAPNETADMIN capability. This blocks potential side-channel attack where an unprivileged application...

5.5CVSS5.7AI score0.00128EPSS
Exploits0References9
CVE
CVE
added 2026/06/25 8:39 a.m.18 views

CVE-2026-53249

CVE-2026-53249 is a Linux kernel vulnerability where the IPOPT_SSRR and IPOPT_LSRR IPv4 options are restricted to CAP_NET_RAW, preventing unprivileged processes from steering packets through attacker-controlled nodes to leak information (e.g., TCP ISN). The issue is patched in multiple OS context...

5.5CVSS5.7AI score0.00128EPSS
Exploits0References8Affected Software1
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.5 views

Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12

In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove the class from the active list before deleting it in etsqdiscchange. The vulnerability is a race condition between etsqdiscdequeue and etsqdiscchange. This causes a Use-After-Freeze UAF error on the...

7.5CVSS6.1AI score0.00151EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 11:7 a.m.3 views

BIT-NIFI-2026-54665 Apache NiFi: Missing Validation for Proxy Host Headers

Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in...

6.3CVSS5.9AI score0.00268EPSS
Exploits0References3
NVD
NVD
added 2026/06/24 7:16 a.m.18 views

CVE-2026-13006

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

7CVSS0.00122EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/06/24 6:50 a.m.10 views

Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root

Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager Unified CM and Unified Communications Manager Session Management Edition Unified CM SME. The vulnerability, tracked as CVE-2026-20230 CVSS score: 8.6, is a case of improp...

8.6CVSS7.7AI score0.41694EPSS
Exploits3
Vulnrichment
Vulnrichment
added 2026/06/24 5:41 a.m.6 views

CVE-2026-13006 Incomplete protection against CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

7CVSS6.1AI score0.00122EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/24 5:41 a.m.6 views

CVE-2026-13006

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumventing existing protections against CVE-2025-11226 by compromising an existing logback configuration...

7CVSS6.1AI score0.00122EPSS
Exploits0
Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/24 12:0 a.m.6 views

CSRF vulnerability and missing permission check in contrast-continuous-application-security

contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...

5.4CVSS5.8AI score0.00167EPSS
Exploits0Affected Software1
Rows per page
Query Builder