Lucene search
K

4969 matches found

CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

arcane 安全漏洞

Arcan is an open-source Docker management software developed by Arcane. Versions of Arcan prior to 1.19.0 contained security vulnerabilities. These vulnerabilities stemmed from multiple endpoints in the Huma-based REST API that did not call the checkAdmin helper function. Additionally, the...

9.9CVSS5.8AI score0.00387EPSS
Exploits0References2
CVE
CVE
added 2026/05/28 8:29 p.m.26 views

CVE-2026-42071

Summary: CVE-2026-42071 affects MantisBT, specifically versions 2.23.0 through 2.28.1, where a missing authorization check in the file visibility function allows any authenticated user (REPORTER+) to download attachments from private bugnotes via REST API GET /api/rest/issues/{id}/files and SOAP ...

7.2CVSS5.8AI score0.0026EPSS
Exploits0References5
NVD
NVD
added 2026/05/28 6:16 p.m.18 views

CVE-2026-44798

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the currenthead field on the record, which was not intended to be user-editable. Doing so could cause...

7.1CVSS0.00277EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/28 12:38 p.m.10 views

Relative Path Traversal

Overview org.apache.ignite:ignite-core is a memory-centric distributed database, caching, and processing platform for transactional, analytical, and streaming workloads delivering in-memory speeds at petabyte scale. Affected versions of this package are vulnerable to Relative Path Traversal via t...

8.5CVSS5.9AI score0.00526EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 12:30 p.m.10 views

EUVD-2025-209980

Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version...

8.5CVSS5.8AI score0.00526EPSS
Exploits0References3
NVD
NVD
added 2026/05/28 10:16 a.m.11 views

CVE-2025-48977

Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version...

8.5CVSS0.00526EPSS
Exploits0References2
CVE
CVE
added 2026/05/28 8:58 a.m.32 views

CVE-2025-48977

CVE-2025-48977 is a relative path traversal vulnerability in Apache Ignite’s REST API. Authenticated REST API users can read arbitrary server files via a crafted log path using the cmd=log command, affecting Ignite 2.0.0–2.17.0. The issue is fixed in Ignite 2.18.0. If you are running affected ver...

8.5CVSS5.8AI score0.00526EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/05/27 6:16 p.m.14 views

CVE-2026-45089

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated...

8.2CVSS0.00243EPSS
Exploits0References2
NVD
NVD
added 2026/05/27 6:16 p.m.18 views

CVE-2026-45088

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through...

7.5CVSS0.00251EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/27 5:35 p.m.13 views

EUVD-2026-32616

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through...

7.5CVSS5.9AI score0.00251EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/27 5:34 p.m.13 views

EUVD-2026-32615

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode dalfox server, the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options...

10CVSS6AI score0.01147EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/05/27 5:34 p.m.11 views

CVE-2026-45087

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode dalfox server, the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options...

10CVSS6AI score0.01147EPSS
Exploits2References4Affected Software1
Cvelist
Cvelist
added 2026/05/27 7:45 a.m.32 views

CVE-2026-3375 LiteSpeed Cache <= 7.7 - Unauthenticated Stored Cross-Site Scripting via QUIC.cloud CCSS/UCSS REST API Endpoints

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notifyccss and /wp-json/litespeed/v1/notifyucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notificatio...

7.2CVSS0.00359EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/27 1:26 a.m.8 views

CVE-2026-7493

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint /wp-json/ssa/v1/async that calls PHP's sleep function on a...

5.3CVSS5.7AI score0.0035EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/27 1:26 a.m.11 views

CVE-2026-7493 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint /wp-json/ssa/v1/async that calls PHP's sleep function on a...

5.3CVSS5.7AI score0.0035EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 12:5 a.m.5 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the JavaExprAlgorithmExecutionFactory process. An attacker can execute arbitrary code on the underlying operating system by injecting malicious Java expressions through the REST API when authenticated with th...

9.4CVSS6AI score0.00473EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.10 views

dalfox 代码问题漏洞

Dalfox is an automated cross-site script scanning tool developed by HAHWUL. Versions of Dalfox prior to 2.13.0 contained code vulnerabilities. These vulnerabilities stemmed from the REST API server mode, where the output, output-all, and debug fields were deserialized directly from the attacker’s...

8.2CVSS5.9AI score0.00243EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/26 11:47 p.m.17 views

Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites and has a high real-world impact. ---- Introduction Arbitrary method call is a type of arbitrary code execution...

6AI score0.0007EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/26 8:15 p.m.11 views

CVE-2026-9497

A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this...

6.5CVSS6.3AI score0.00338EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/26 8:14 p.m.10 views

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References1
Rows per page
Query Builder