Lucene search
K

3446 matches found

Cvelist
Cvelist
added 2026/06/28 8:30 a.m.37 views

CVE-2026-13484 MLflow Experiment-scoped Label Schema CRUD API authorization

A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high...

5CVSS0.00263EPSS
Exploits1References7
CVE
CVE
added 2026/06/28 8:30 a.m.17 views

CVE-2026-13484

CVE-2026-13484 affects MLflow, specifically the Experiment-scoped Label Schema CRUD API. The vulnerability arises from missing authorization in a function within this API, enabling remote exploitation with high impact to confidentiality, integrity, and availability. Exploitation is described as h...

8.8CVSS5.2AI score0.00263EPSS
Exploits1References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/28 12:0 a.m.13 views

PT-2026-53097

Name of the Vulnerable Software and Affected Versions MLflow versions up to 4666cffc7912ea606d592fc38d6a75e2935f65e7 Description An issue exists within the Experiment-scoped Label Schema CRUD API where a function lacks proper authorization. This allows a remote attacker to perform unauthorized...

8.8CVSS6AI score0.00263EPSS
Exploits1References13
RedhatCVE
RedhatCVE
added 2026/06/26 9:31 p.m.9 views

CVE-2026-57234

A flaw was found in Nokogiri, an XML and HTML library for Ruby. The NONET parse option, intended to prevent external resource fetching, was not correctly enforced in the JRuby implementation of Nokogiri::XML::Schema. This oversight could allow a specially crafted XML schema to fetch external...

4.8CVSS5.6AI score0.00166EPSS
Exploits0References4
NVD
NVD
added 2026/06/25 3:16 p.m.10 views

CVE-2026-57234

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema see CVE-2020-26247, was not correctly enforced on the JRuby implementation. As a result, a schema parsed with...

2.6CVSS0.00166EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 2:30 p.m.28 views

CVE-2026-57234

Nokogiri (Ruby) prior to 1.19.4 has a vulnerability in the JRuby implementation of the NONET option for Nokogiri::XML::Schema, where default options could trigger network fetches for external resources, enabling SSRF or XXE. The issue is tied to the NONET behavior set by default for schema parsin...

2.6CVSS5.8AI score0.00166EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/25 2:30 p.m.33 views

CVE-2026-57234 Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema see CVE-2020-26247, was not correctly enforced on the JRuby implementation. As a result, a schema parsed with...

2.6CVSS0.00166EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 7:17 p.m.8 views

CVE-2026-53753

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT...

10CVSS0.0045EPSS
Exploits2References1
Cvelist
Cvelist
added 2026/06/23 6:17 p.m.55 views

CVE-2026-53753 Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT...

9.8CVSS0.0045EPSS
Exploits2References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 6:17 p.m.5 views

CVE-2026-53753

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT...

9.8CVSS6.2AI score0.0045EPSS
Exploits2References2Affected Software1
EUVD
EUVD
added 2026/06/22 10:45 p.m.12 views

EUVD-2026-32587

Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata...

8.5CVSS5.8AI score0.00174EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 4:23 p.m.15 views

CVE-2026-54269

CVE-2026-54269 affects protobufjs. Prior to versions 8.6.0 and 7.6.3 , schema-derived names could collide with runtime helper properties (e.g., fields named hasOwnProperty, names like $type, and rpcCall). When loaded schemas are used, protobufjs could read schema-controlled data where an own-prop...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References1Affected Software2
Cvelist
Cvelist
added 2026/06/22 4:23 p.m.30 views

CVE-2026-54269 protobufjs: Schema-derived names can shadow runtime-significant properties

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...

5.3CVSS0.00238EPSS
Exploits0References1
NVD
NVD
added 2026/06/19 8:16 p.m.15 views

CVE-2026-49344

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine /admin/queries/execute accepts a JSON DSL from / select / filters / traverse / output, translates it into an Eloquent query, and returns results as JSON...

7.1CVSS0.00281EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/19 7:21 p.m.6 views

CVE-2026-49344

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine /admin/queries/execute accepts a JSON DSL from / select / filters / traverse / output, translates it into an Eloquent query, and returns results as JSON...

7.1CVSS5.8AI score0.00281EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/06/19 6:16 p.m.7 views

CVE-2019-25752

Joomla! Component J-BusinessDirectory 4.9.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the type parameter. Attackers can send GET requests to index.php with the...

8.8CVSS0.00366EPSS
Exploits0References4
OSV
OSV
added 2026/06/19 5:3 p.m.2 views

OPENSUSE-SU-2026:21103-1 Security update for postgresql15

This update for postgresql15 fixes the following issues Security issues: - CVE-2026-6472: ensure the user has CREATE privilege on the schema specified bsc1265172. - CVE-2026-6473: integer overflows in memory-allocation calculations bsc1265173. - CVE-2026-6474: Guard against malicious time zone...

8.8CVSS6.9AI score0.00668EPSS
Exploits0References18
OSV
OSV
added 2026/06/19 4:36 p.m.5 views

GHSA-8678-W3JW-XFC2 Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247

Summary The NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema see CVE-2020-26247, was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potential...

2.6CVSS6AI score0.00166EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 4:36 p.m.6 views

XML External Entity (XXE) Injection

Overview nokogiri is a gem for parsing HTML, XML, SAX, and Reader. Affected versions of this package are vulnerable to XML External Entity XXE Injection in the Nokogiri::XML::Schema when the NONET parse option is not correctly enforced on JRuby. An attacker can access external network resources b...

8.3CVSS5.9AI score0.00166EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/19 4:34 p.m.4 views

EUVD-2017-19002

Joomla! Component PHP-Bridge 1.2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to index.php with option=comphpbridge&view=phpview parameters and...

8.8CVSS6.2AI score0.00232EPSS
Exploits0References2
Rows per page
Query Builder