Lucene search
K

7718 matches found

Snyk
Snyk
added 2026/06/18 6:35 p.m.8 views

Unsafe Dependency Resolution

Overview @theia/ai-chat is a Theia - AI Chat Extension Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the processing of workspace file and directory names in the AI chat. An attacker can cause the agent to execute attacker-controlled instructions by introduci...

8.8CVSS6.2AI score0.00272EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 6:35 p.m.9 views

Unsafe Dependency Resolution

Overview @theia/ai-ide is an AI IDE Agents Extension Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the processing of workspace file and directory names in the AI chat. An attacker can cause the agent to execute attacker-controlled instructions by introducing...

8.8CVSS6.2AI score0.00272EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 4:16 p.m.6 views

CVE-2025-58175

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a GeoServer that uses ENTITYRESOLUTIONALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery SSRF. This vulnerability requires that GeoServer i...

8.2CVSS0.00287EPSS
Exploits0References3
CVE
CVE
added 2026/06/18 2:31 p.m.21 views

CVE-2025-58175

CVE-2025-58175 affects GeoServer prior to 2.26.4 and 2.27.3. When GeoServer is configured to use a proxy base URL and ENTITY_RESOLUTION_ALLOWLIST, an unauthenticated Server-Side Request Forgery (SSRF) can be triggered. The issue only affects installations where the proxy base URL lacks a URL path...

8.2CVSS5.3AI score0.00287EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/18 1:48 p.m.17 views

CVE-2026-12039 Docker Sandboxes network egress allowlist bypass via unfiltered DNS resolution

Docker Sandboxes sbx enforces an HTTP/S-only egress allowlist but does not apply it to DNS resolution: the per-network embedded DNS server forwards any queried name to the host resolver whenever the network is internet-connected, without consulting the policy. A workload inside a sandbox, which t...

5.7CVSS0.00103EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/17 6:43 p.m.8 views

EUVD-2026-37781

Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an...

7.5CVSS5.4AI score0.00268EPSS
Exploits0References1
CVE
CVE
added 2026/06/17 6:43 p.m.17 views

CVE-2026-10696

CVE-2026-10696 affects Devolutions UniGetUI 2026.2.0 and earlier. The root cause is an incorrectly resolved name/reference in the pinget backend, which can allow a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog ...

7.5CVSS5.5AI score0.00268EPSS
Exploits0References1Affected Software1
RedHat Linux
RedHat Linux
added 2026/06/17 4:18 p.m.9 views

netty-resolver-dns: Netty: Information disclosure and data manipulation due to improper CNAME record validation

A flaw was found in Netty's DnsResolveContext. This vulnerability allows a remote attacker to achieve information disclosure or data manipulation by crafting malicious DNS responses. The flaw occurs because the DnsResolveContext fails to validate the origin bailiwick of CNAME records in DNS...

10CVSS5.2AI score0.00224EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.10 views

PT-2026-50524

Name of the Vulnerable Software and Affected Versions Devolutions UniGetUI versions prior to 2026.2.1 Description The pinget backend contains an issue where names or references are incorrectly resolved. This allows a WinGet community catalog contributor to correlate an installed application with ...

7.5CVSS5.8AI score0.00268EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/16 7:4 p.m.25 views

Deno: WebSocket API sandbox bypass via missing post-DNS check

Summary When a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a...

5.2CVSS5.4AI score0.00101EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/16 7:2 p.m.8 views

Deno: `fetch()` API sandbox bypass via missing DNS resolution check

Summary When fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP,...

5.2CVSS5.4AI score0.00101EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/16 3:3 p.m.12 views

Symlink Attack

Overview langchain-anthropic is an Integration package connecting Claude Anthropic APIs and LangChain Affected versions of this package are vulnerable to Symlink Attack via the file-search middleware and loaders that resolve filesystem paths and search patterns without confining the resolved path...

6.9CVSS5.9AI score0.00157EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/16 2:33 p.m.8 views

EUVD-2026-35675

Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability...

6.2CVSS5.1AI score0.00388EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.18 views

PT-2026-50153

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description When the fetch function is called, the runtime validates the destination hostname against --deny-net rules but fails to re-verify the IP addresses that the hostname resolves to. This allows an...

5.2CVSS5.9AI score0.00101EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-49775

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.2 Description An environment variable injection exists where the STATE DIRECTORY variable in a workspace .env file can influence bundled runtime dependency roots. This allows attackers to manipulate STATE...

7.1CVSS5.6AI score0.00124EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/15 9:30 p.m.7 views

EUVD-2026-36785

A Server-Side Request Forgery SSRF in the automatic short URL title resolution component of shlink v5.0.1 allows attackers to scan internal resources via supplying a crafted longUrl...

5.2AI score0.00287EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 5:35 p.m.38 views

Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization

Summary Nodemailer's disableFileAccess and disableUrlAccess options are intended to prevent message content and attachments from reading local files or fetching URLs. The normal MIME streaming path enforces those options in MimeNode.getStream. However, jsonTransport serializes messages by calling...

5.5AI score
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/06/15 5:30 p.m.10 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion during the JSON conversion. An attacker can exhaust the call stack and cause the application to crash by supplying crafted protobuf binary data containing deeply nested Any values that are expanded during...

8.7CVSS5.9AI score0.00324EPSS
Exploits0References2
OSV
OSV
added 2026/06/15 4:39 p.m.15 views

GHSA-XRXM-CP7J-8XF6 @angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass

An issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and t...

8.8CVSS5.7AI score0.00193EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.9 views

PT-2026-49328

Name of the Vulnerable Software and Affected Versions shlink version 5.0.1 Description A Server-Side Request Forgery SSRF exists in the automatic short URL title resolution component. This allows attackers to scan internal resources by providing a crafted longUrl variable. Recommendations At the...

9.1CVSS5.9AI score0.00287EPSS
Exploits0References3
Rows per page
Query Builder