CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

8206 matches found

Positive Technologies•added 2026/03/20 12:0 a.m.•1 views

PT-2026-26766

Summary The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $ REQUEST'sections' array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

8.8CVSS6.7AI score0.00245EPSS

Exploits1References7

Positive Technologies•added 2026/03/20 12:0 a.m.•1 views

PT-2026-26790

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie samesite = 'None' for HTTPS connections, an unauthenticated...

8.8CVSS6.2AI score0.00103EPSS

Exploits1References7

NVD•added 2026/03/19 10:16 p.m.•5 views

CVE-2026-32016

OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the exec-approval allowlist mode that allows local attackers to execute unauthorized binaries by exploiting basename-only allowlist entries. Attackers can execute same-name local binaries ./echo withou...

7.8CVSS0.00017EPSS

Exploits0References3

OSV•added 2026/03/19 10:16 p.m.•3 views

CVE-2026-32016

7CVSS6AI score

Exploits0References3

Vulnrichment•added 2026/03/19 10:6 p.m.•2 views

CVE-2026-32016 OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS

7.8CVSS5.9AI score0.00017EPSS

Exploits0References3

CVE•added 2026/03/19 10:6 p.m.•2 views

CVE-2026-32016

OpenClaw on macOS versions prior to 2026.2.22 contains a path validation bypass in the exec-approval allowlist mode. This allows local attackers to execute unauthorized binaries by exploiting basename-only allowlist entries, enabling same-name local binaries (e.g., ./echo) to run without approval...

7.8CVSS5.9AI score0.00017EPSS

Exploits0References3Affected Software1

NVD•added 2026/03/19 6:16 p.m.•1 views

CVE-2026-26933

Improper Validation of Array Index CWE-129 in multiple protocol parser components in Packetbeat can lead Denial of Service via Input Data Manipulation CAPEC-153. An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger...

5.7CVSS0.00008EPSS

Exploits0References1

Veracode•added 2026/03/19 8:13 a.m.•3 views

Improper Authorization

github.com/authzed/spicedb is vulnerable to Improper Authorization. The vulnerability is due to incorrect handling of permission unions referencing the same relation in the LookupResources API, which allows an attacker to bypass expected permission checks by causing incomplete or missing...

6.3CVSS5.8AI score0.00053EPSS

Exploits0References2Affected Software1

NVD•added 2026/03/18 6:16 p.m.•1 views

CVE-2026-32632

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent...

5.9CVSS0.00028EPSS

Exploits1References3

AlpineLinux•added 2026/03/18 5:47 p.m.•0 views

CVE-2026-32632

5.9CVSS5.8AI score0.00028EPSS

Exploits1References3

NVD•added 2026/03/18 12:16 p.m.•2 views

CVE-2025-41258

LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...

8CVSS0.0008EPSS

Exploits1References2

EUVD•added 2026/03/18 12:30 a.m.•0 views

EUVD-2026-12663

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. Processing maliciously crafted web content may bypass Same Origin Policy...

5.4CVSS5.8AI score0.00031EPSS

Exploits2References2

CVE•added 2026/03/17 11:59 p.m.•9 views

CVE-2026-27978

Next.js (React framework) vulnerability CVE-2026-27978: in versions 16.0.1 up to 16.1.7, origin: null was treated as missing during Server Action CSRF validation, allowing requests from opaque contexts (e.g., sandboxed iframes) to bypass origin verification and potentially trigger state-changing ...

5.3CVSS5.8AI score0.00009EPSS

Exploits1References3Affected Software1

OSV•added 2026/03/17 11:16 p.m.•1 views

DEBIAN-CVE-2026-20643

A cross-origin issue in the Navigation API was addressed with improved input validation. This issue is fixed in Background Security Improvements for iOS, iPadOS, and macOS, Safari 26.4, iOS 18.7.7 and iPadOS 18.7.7, iOS 26.4 and iPadOS 26.4, macOS Tahoe 26.4, visionOS 26.4. Processing maliciously...

5.4CVSS5.8AI score0.00031EPSS

Exploits2References1

NVD•added 2026/03/17 11:16 p.m.•0 views

CVE-2026-20643

5.4CVSS0.00031EPSS

Exploits2References7

OSV•added 2026/03/17 11:16 p.m.•4 views

UBUNTU-CVE-2026-20643

5.4CVSS5.8AI score0.00031EPSS

Exploits2References3

ATTACKERKB•added 2026/03/17 10:29 p.m.•8 views

CVE-2026-20643

5.4CVSS6AI score0.00031EPSS

Exploits2References7

Vulnrichment•added 2026/03/17 10:29 p.m.•1 views

CVE-2026-20643

6AI score0.00031EPSS

Exploits2References6

CVE•added 2026/03/17 10:29 p.m.•30 views

CVE-2026-20643

CVE-2026-20643 is a WebKit/Web navigation cross-origin issue in Safari and Apple OS web rendering components. The fixed entry notes that processing maliciously crafted web content could bypass the Same Origin Policy due to an improved input validation in the Navigation API. Affected context inclu...

5.4CVSS6AI score0.00031EPSS

Exploits2References7Affected Software3

Debian CVE•added 2026/03/17 10:29 p.m.•3 views

CVE-2026-20643

5.4CVSS5.8AI score0.00031EPSS

Exploits2

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by