CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/05/12 8:17 p.m.•5 views

CVE-2026-44010 Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure

7.1CVSS5.8AI score0.00338EPSS

CVE•added 2026/05/12 8:17 p.m.•15 views

CVE-2026-44010

Summary: Craft CMS CVE-2026-44010 describes a missing schema scope filter in the GraphQL Address resolver, enabling a token scoped to a single low-privilege user group to read all addresses in the system, including those outside the token’s authorization. This affects Craft CMS Pro sites (v4.0.0+...

7.1CVSS5.8AI score0.00338EPSS

NVD•added 2026/05/12 8:16 p.m.•8 views

CVE-2026-34685

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing. are affected by an Improper Input...

3.4CVSS0.00373EPSS

ATTACKERKB•added 2026/05/12 7:50 p.m.•3 views

CVE-2026-34655

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may...

4.8CVSS5.8AI score0.00368EPSS

CVE•added 2026/05/12 6:35 p.m.•11 views

CVE-2026-34660

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation requires user interaction (victim visits a malicious URL or interacts with a compromised p...

9.3CVSS6.3AI score0.00427EPSS

Exploits0References1Affected Software1

Vulnrichment•added 2026/05/12 6:35 p.m.•7 views

CVE-2026-34660 Adobe Connect | Incorrect Authorization (CWE-863)

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially...

9.3CVSS6.3AI score0.00427EPSS

OSV•added 2026/05/12 12:11 a.m.•3 views

OSV-2026-717 Stack-use-after-scope in enter_block_callback

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=511831392 Crash type: Stack-use-after-scope READ 4 Crash state: enterblockcallback mdprocessallblocks mdparse...

5.8AI score

CNNVD•added 2026/05/12 12:0 a.m.•5 views

wger 安全漏洞

WGER is an open-source project developed by the WGER Team, built using Django for hosting self-hosted FLOSS fitness/exercise, nutrition, and weight tracking applications. Versions of WGER prior to 2.6 contained security vulnerabilities. These vulnerabilities stemmed from the use of Python object...

9.9CVSS5.8AI score0.00371EPSS

NVD•added 2026/05/11 10:22 p.m.•9 views

CVE-2026-43886

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope uses Array.some to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the...

8.2CVSS0.00211EPSS

Cvelist•added 2026/05/11 9:6 p.m.•31 views

CVE-2026-43886 Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access

8.2CVSS0.00211EPSS

CVE•added 2026/05/11 9:6 p.m.•10 views

CVE-2026-43886

Outline (0.84.0–1.6.1) suffers a logic error in OAuthInterface.validateScope() that uses Array.some() to validate requested scopes, causing any valid scope to validate the whole requested scope array and enable a wildcard via scope=read *. This can escalate a read‑only token to full unrestricted ...

EUVD•added 2026/05/11 9:6 p.m.•7 views

EUVD-2026-29330

ATTACKERKB•added 2026/05/11 9:6 p.m.•4 views

CVE-2026-43886

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/11 9:6 p.m.•7 views

CVE-2026-43886 Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access

EUVD•added 2026/05/11 6:31 p.m.•7 views

EUVD-2026-29102

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization a...

7.7CVSS5.8AI score0.00274EPSS

Exploits0References3

NVD•added 2026/05/11 6:16 p.m.•8 views

CVE-2026-44997

OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that...

4.3CVSS0.00221EPSS

Exploits0References3

NVD•added 2026/05/11 5:16 p.m.•7 views

CVE-2026-33356

7.7CVSS0.00274EPSS

Vulnrichment•added 2026/05/11 4:2 p.m.•5 views

CVE-2026-33356 Meari MQTT broker missing per-device subscribe ACL

7.7CVSS5.8AI score0.00274EPSS

CNNVD•added 2026/05/11 12:0 a.m.•4 views

Outline 安全漏洞

Outline is an open-source knowledge base developed by Outline. Versions 0.84.0 to 1.6.1 of Outline contain security vulnerabilities. These vulnerabilities stem from a logical error in the use of Array.some for verifying the OAuth scopes. As a result, if any single scope is valid, the entire scope...