CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added yesterday•15 views

CVE-2026-56694 NanoClaw < 2.1.0 - Privilege Escalation via Forged Channel Approval Callback

5.4CVSS

Nuclei•added yesterday•24 views

CasaOS < 0.4.4 - Authentication Bypass via Random JWT Token

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...

9.8CVSS7.8AI score0.05871EPSS

Exploits1References2

Nuclei•added yesterday•12 views

Chef Automate < 4.13.295 — SQL Injection

In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token. id: CVE-2025-8868 info...

9.8CVSS5.9AI score0.23138EPSS

EUVD•added 2 days ago•6 views

EUVD-2026-38369

Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...

6.4CVSS5.9AI score0.00251EPSS

Cvelist•added 2 days ago•27 views

CVE-2026-8823 User Manager can demote bot accounts to guest without bot-management permission

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisory ID: MMSA-2026-00669...

3.8CVSS0.00231EPSS

NVD•added 2 days ago•10 views

CVE-2026-44914

Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not...

7.5CVSS0.00285EPSS

EUVD•added 2 days ago•9 views

EUVD-2026-38219

ATTACKERKB•added 2 days ago•7 views

CVE-2026-44914

Exploits0References2Affected Software1

Cvelist•added 2 days ago•29 views

CVE-2026-44914 Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents

7.5CVSS0.00285EPSS

CVE•added 2 days ago•17 views

CVE-2026-44914

Apache NiFi versions 1.12.0–2.9.0 are vulnerable to missing authorization when replacing Process Groups that include extension components with the Restricted annotation. The Restricted annotation signals higher privileges, but framework authorization did not enforce restricted status during repla...

Exploits0References2Affected Software1

Positive Technologies•added 2 days ago•8 views

PT-2026-51284

Name of the Vulnerable Software and Affected Versions Apache NiFi versions 1.12.0 through 2.9.0 Description Authorization is missing when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation...

Cvelist•added 5 days ago•19 views

Exploits0References7

CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS0.00162EPSS

RedhatCVE•added 5 days ago•8 views

CVE-2026-56211

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC Scalable Video Coding layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer contex...

7.1CVSS6.7AI score0.00385EPSS

Exploits0References5

AstraLinux•added 5 days ago•4 views

Astra Linux – Vulnerability in Thunderbird, Firefox

A poorly handled security check during the creation of a WebSocket in a WebWorker caused the Content Security Policy’s connect-src header to be ignored. This could lead to connections being made to restricted origins from within WebWorkers. This vulnerability affects Firefox 109, Firefox ESR 102....

6.5CVSS6.7AI score0.00601EPSS

NVD•added last week•8 views

CVE-2026-50201

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to...

6.5CVSS0.00231EPSS

Cvelist•added last week•19 views

CVE-2026-50201 Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission

6.5CVSS0.00231EPSS

CVE•added last week•18 views

CVE-2026-50201

CVE-2026-50201: Steeltoe's sensitive actuators (heapdump, environment, thread dump) default to EndpointPermissions.Restricted in Steeltoe.Management.Endpoint (pre-4.2.0) and Steeltoe.Management.EndpointCore (pre-3.4.0), mapping to CF read_basic_data. Sensitive endpoints are not upgraded to Endpoi...

6.5CVSS5.2AI score0.00231EPSS

EUVD•added last week•5 views

EUVD-2025-210247

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in EMV JobCareer allows Path Traversal. This issue affects JobCareer: from n/a through 7.3...

8.6CVSS5.2AI score0.0046EPSS