Lucene search

27058 matches found

Positive Technologies
added 2026/06/24 12:00 a.m., 7 views

PT-2026-51756

Name of the Vulnerable Software and Affected Versions: libcurl, affected versions not specified. Description: Applications using libcurl for transfers via SCP:// or SFTP:// that utilize the CURLOPT_SSH_KEYFUNCTION callback may silently accept an untrusted server. This occurs when a server presents a...

AI score 5.8, EPSS 0.00187
Exploits: 0, References: 20
OSV
added 2026/06/24 12:00 a.m., 5 views

ALSA-2026:29455 Important: buildah security update

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: create a working container, either from scratch or using an image as a starting point; create an image, either from a working container or using the instructions in a...

CVSS 9.1, AI score 7.2, EPSS 0.00728
Exploits: 0, References: 14
Positive Technologies
added 2026/06/24 12:00 a.m., 6 views

PT-2026-52034

Name of the Vulnerable Software and Affected Versions: Warp versions 0.2021.04.25.23.05.stable_00 through 0.2026.05.06.15.42.stable_00. Description: Warp accepts state-mutating terminal lifecycle hooks from the PTY (pseudo-terminal) stream without verifying whether the hooks were emitted by the shell...

CVSS 4.3, AI score 5.8, EPSS 0.00278
Exploits: 1, References: 6
NVD
added 2026/06/23 9:17 p.m., 9 views

CVE-2026-53929

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, with NC_SECURE_ATTACHMENTS=true, an authenticated uploader could deliver .html or .svg attachments that the browser rendered inline from the NocoDB origin instead of forcing a download. The signed attachment handler stor...

CVSS 5.1, EPSS 0.00288
Exploits: 0, References: 1
NVD
added 2026/06/23 9:16 p.m., 8 views

CVE-2026-46550

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it t...

CVSS 5.4, EPSS 0.00099
Exploits: 0, References: 1
Cvelist
added 2026/06/23 8:39 p.m., 25 views

CVE-2026-46550 NocoDB: Refresh Token Cookie Set Without `Secure` and `SameSite` Flags

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it t...

CVSS 5.4, EPSS 0.00099
Exploits: 0, References: 1
ATTACKERKB
added 2026/06/23 8:39 p.m., 6 views

CVE-2026-46550

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it t...

CVSS 5.4, AI score 5.8, EPSS 0.00099
Exploits: 0, References: 2, Affected Software: 1
CVE
added 2026/06/23 8:39 p.m., 15 views

CVE-2026-46550

NocoDB’s CVE-2026-46550 concerns the refresh-token cookie being set with httpOnly but without Secure and SameSite attributes prior to 2026.04.1. The root cause is in setTokenCookie(), which emitted a cookie with only httpOnly (and possibly domain), leaving it vulnerable to interception over HTTP ...

CVSS 5.4, AI score 5.8, EPSS 0.00099
Exploits: 0, References: 1
CVE
added 2026/06/23 7:44 p.m., 14 views

CVE-2026-53929

NocoDB (pre-2026.05.1) is affected by a Stored Cross-Site Scripting vulnerability when NC_SECURE_ATTACHMENTS=true. An authenticated uploader could deliver .html or .svg attachments that the browser renders inline from the NocoDB origin due to a header-key casing mismatch (ResponseContentDispositi...

CVSS 5.1, AI score 5.8, EPSS 0.00288
Exploits: 0, References: 1
ATTACKERKB
added 2026/06/23 7:40 p.m., 5 views

CVE-2026-11807

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...

CVSS 9.6, AI score 5.9, EPSS 0.0037
Exploits: 0, References: 7
EUVD
added 2026/06/23 7:40 p.m., 7 views

EUVD-2026-38598

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...

CVSS 9.6, AI score 5.9, EPSS 0.0037
Exploits: 0, References: 4
Github Security Blog
added 2026/06/23 5:59 p.m., 9 views

Glances has arbitrary file write and command execution via `secure_popen` redirection and chaining operators in AMP command configuration

Summary: The secure_popen function in glances/secure.py interprets file redirection, pipe (|), and command chaining (&&) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP)...

CVSS 7.8, AI score 6.3, EPSS 0.00866
Exploits: 3, References: 3, Affected Software: 1
Github Security Blog
added 2026/06/23 5:12 p.m., 9 views

Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)

The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlyin...

CVSS 6.9, AI score 5.9, EPSS 0.00547
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2026/06/23 1:16 p.m., 10 views

CVE-2026-56275

Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud...

CVSS 7.1, EPSS 0.00183
Exploits: 1, References: 2
OSV
added 2026/06/23 12:59 p.m., 4 views

JLSEC-2026-615 Cookie jar accepts Secure/__Host-/__Secure- cookies from non-secure origins in HTTP.jl

Description: setcookies! stored every parsed Set-Cookie after only checking that the response scheme was http or https, with no protection symmetric to the read path (shouldsend), which already withholds Secure cookies from non-secure requests. A plaintext http origin could therefore plant a Secure...

AI score 5.9
Exploits: 0, References: 2
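The NocoDB entries (CVE-2026-46550) and the HTTP.jl entry (JLSEC-2026-615) above are the same cookie attributes seen from the two ends of the connection: the server must set Secure and SameSite on a session-bearing cookie, and a client-side jar must refuse to store a Secure, __Secure- or __Host- cookie that arrived over plain http. The Go program below is an added example and is not code from NocoDB or HTTP.jl (neither project is written in Go). newRefreshCookie shows the hardened refresh-token cookie, weakRefreshCookie reproduces the pre-fix shape the advisory describes, and acceptSetCookie is the store-side check that mirrors the send-side rule. The cookie name, the seven-day lifetime and the Strict SameSite policy are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// newRefreshCookie builds the refresh-token cookie the way a hardened
// setTokenCookie() should: HttpOnly so scripts cannot read it, Secure so it
// is never sent over plain HTTP, SameSite so cross-site requests do not carry
// it, and a __Host- prefix so browsers reject it unless it is Secure, host-only
// and Path=/. Cookie name and lifetime are assumptions for this example.
func newRefreshCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name:     "__Host-refresh_token",
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int((7 * 24 * time.Hour).Seconds()),
	}
}

// weakRefreshCookie reproduces the pre-fix shape described in the advisory:
// httpOnly only, no Secure flag, no SameSite attribute.
func weakRefreshCookie(token string) *http.Cookie {
	return &http.Cookie{Name: "refresh_token", Value: token, Path: "/", HttpOnly: true}
}

// serializeSetCookie renders c as the Set-Cookie header a browser would see.
func serializeSetCookie(c *http.Cookie) string {
	rec := httptest.NewRecorder()
	http.SetCookie(rec, c)
	return rec.Header().Get("Set-Cookie")
}

// acceptSetCookie is the store-side check a cookie jar needs, mirroring the
// send-side rule that withholds Secure cookies from non-secure requests:
// a Secure cookie, or one carrying a __Secure-/__Host- prefix, is stored only
// when the response arrived over https; __Host- additionally requires Path=/
// and no Domain attribute. Everything else is accepted as before.
func acceptSetCookie(responseScheme string, c *http.Cookie) bool {
	secureOrigin := responseScheme == "https"
	switch {
	case strings.HasPrefix(c.Name, "__Host-"):
		return secureOrigin && c.Secure && c.Path == "/" && c.Domain == ""
	case strings.HasPrefix(c.Name, "__Secure-"):
		return secureOrigin && c.Secure
	case c.Secure:
		return secureOrigin
	default:
		return true
	}
}

func main() {
	fmt.Println("pre-fix :", serializeSetCookie(weakRefreshCookie("t0k3n")))
	fmt.Println("hardened:", serializeSetCookie(newRefreshCookie("t0k3n")))

	// A plaintext origin tries to plant a __Host- cookie (constructed input).
	planted := &http.Cookie{Name: "__Host-session", Value: "attacker", Path: "/", Secure: true}
	fmt.Println("jar stores from http? ", acceptSetCookie("http", planted))
	fmt.Println("jar stores from https?", acceptSetCookie("https", planted))
}
```

The __Host- prefix is worth the extra strictness on a refresh token: a browser that honours the prefix rules will drop the cookie if any of Secure, host-only or Path=/ is missing, so a regression like the one in the advisory fails loudly in the client rather than silently weakening the session.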
Cvelist
added 2026/06/23 12:13 p.m., 38 views

CVE-2026-56275 Flowise - Server-Side Request Forgery via Execute Flow Base URL

Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud...

CVSS 6, EPSS 0.00183
Exploits: 1, References: 2
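For the Flowise SSRF above (CVE-2026-56275), the validation that was bypassed is the question "does this base URL reach inside the network?". The Go program below is an added example, not Flowise's own code (Flowise is a Node/TypeScript project): it parses the base URL, accepts only http and https, resolves the host through an injectable resolver, and rejects any address in loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud metadata endpoint), CGNAT or unspecified ranges, unwrapping IPv4-mapped IPv6 first so ::ffff:127.0.0.1 cannot slip past. The hostnames internal.corp and api.example and the addresses in constructedHosts are constructed for the example; in production, pass net.LookupIP and dial the address that was checked rather than re-resolving, so a DNS rebinding answer cannot change the target after the check.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// blockedNets lists address ranges an outbound base URL must never reach:
// loopback, RFC 1918, link-local (169.254.169.254 metadata lives here),
// CGNAT, unspecified, and the IPv6 loopback, ULA and link-local ranges.
var blockedNets = mustCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "::/128", "fc00::/7", "fe80::/10",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// isBlockedIP reports whether ip falls in any blocked range. IPv4-mapped
// IPv6 addresses are unwrapped first so ::ffff:10.0.0.1 is judged as 10.0.0.1.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// validateBaseURL is the check an Execute-Flow-style node needs before it
// follows a user-supplied base URL. It returns the resolved addresses so the
// caller can dial exactly what was checked. The resolver is injected so the
// example runs offline; use net.LookupIP in production.
func validateBaseURL(raw string, lookup func(string) ([]net.IP, error)) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	if h := strings.ToLower(host); h == "localhost" || strings.HasSuffix(h, ".localhost") {
		return nil, errors.New("localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("host resolved to no addresses")
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// constructedHosts is a fake DNS table so the example runs offline.
var constructedHosts = map[string][]string{
	"internal.corp": {"10.1.2.3"},
	"api.example":   {"203.0.113.7"},
}

// fakeLookup resolves names from constructedHosts only.
func fakeLookup(host string) ([]net.IP, error) {
	addrs, ok := constructedHosts[host]
	if !ok {
		return nil, fmt.Errorf("no such host %q", host)
	}
	var ips []net.IP
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{
		"https://api.example/v1", "http://169.254.169.254/latest/meta-data/",
		"http://internal.corp/flow", "http://[::1]:3000/", "http://[::ffff:127.0.0.1]/",
		"http://localhost:3000/", "file:///etc/passwd",
	} {
		_, err := validateBaseURL(raw, fakeLookup)
		fmt.Printf("%-42s -> %v\n", raw, err)
	}
}
```

Validating the addresses the resolver actually returns, rather than the hostname text, is what defeats the decimal and hexadecimal spellings of 127.0.0.1 that a regex on the host string misses: if the system resolver turns them into a loopback address, that address is what gets rejected.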
Positive Technologies
added 2026/06/23 12:00 a.m., 11 views

PT-2026-51632

Name of the Vulnerable Software and Affected Versions: Gogs versions prior to 0.14.3. Description: The built-in Go SSH server in Gogs is subject to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to the ssh.NewServerConn...

CVSS 6.9, AI score 5.9, EPSS 0.00547
Exploits: 0, References: 10
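The two Gogs entries above (the GitHub advisory and PT-2026-51632) describe the same missing guard: the accepted connection reaches ssh.NewServerConn with no read/write deadline, so a client that connects and never speaks holds a goroutine and a file descriptor indefinitely, and enough such clients exhaust the descriptor table at almost no cost to the attacker. The Go program below is an added example and is not the Gogs fix. withHandshakeDeadline arms a deadline on the net.Conn before the handshake and clears it only after success; readIdentification stands in for ssh.NewServerConn by reading the client's SSH identification line, so the example needs only the standard library; runScenario opens a loopback listener and plays a silent client against it so the timeout is observable. The 300 ms timeout is for demonstration; a production value is a few seconds.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// withHandshakeDeadline arms a read/write deadline on c, runs the handshake
// (ssh.NewServerConn in a real server), and disarms the deadline only when
// the handshake succeeded. A peer that stalls gets a timeout error and the
// caller closes the conn, which frees the descriptor and the goroutine.
func withHandshakeDeadline(c net.Conn, timeout time.Duration, handshake func(net.Conn) error) error {
	if err := c.SetDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	if err := handshake(c); err != nil {
		return err
	}
	return c.SetDeadline(time.Time{})
}

// readIdentification is a stand-in handshake: it reads the client's
// "SSH-2.0-..." identification line, which a genuine client sends at once.
func readIdentification(c net.Conn) error {
	line, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return err
	}
	if !strings.HasPrefix(line, "SSH-2.0-") {
		return fmt.Errorf("bad identification %q", strings.TrimSpace(line))
	}
	return nil
}

// isTimeout reports whether err came from the deadline firing.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// serveOne accepts a single connection on ln, applies the handshake
// deadline and reports the handshake result. It always closes the conn.
func serveOne(ln net.Listener, timeout time.Duration) error {
	c, err := ln.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	return withHandshakeDeadline(c, timeout, readIdentification)
}

// runScenario starts a loopback listener, connects a client that sends
// clientSends (possibly nothing) and then stays silent, and returns the
// server's handshake error. Inputs are constructed for the example.
func runScenario(clientSends string, timeout time.Duration) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	result := make(chan error, 1)
	go func() { result <- serveOne(ln, timeout) }()
	client, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer client.Close()
	if clientSends != "" {
		if _, err := client.Write([]byte(clientSends)); err != nil {
			return err
		}
	}
	return <-result
}

func main() {
	err := runScenario("", 300*time.Millisecond)
	fmt.Println("silent client      :", err, "| timeout:", isTimeout(err))
	err = runScenario("SSH-2.0-OpenSSH_9.9\r\n", 300*time.Millisecond)
	fmt.Println("well-behaved client:", err)
}
```

The deadline is cleared after the handshake on purpose: once the SSH layer is up it applies its own keep-alive and channel timeouts, and leaving a blanket deadline armed would cut off legitimate idle sessions. What matters is that no unauthenticated peer can hold the descriptor for longer than the handshake budget.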
Microsoft KB
added 2026/06/23 12:00 a.m., 51 views

June 23, 2026—KB5095093 (OS Builds 26200.8737 and 26100.8737) Preview

This cumulative update for Windows 11, version 25H2 and 24H2 (KB5095093), includes production-quality improvements. Announcements and messages: this section provides key notifications related to this release, including...

AI score 5.8
Exploits: 0
Ubuntu
added 2026/06/22 5:23 p.m., 4 views

USN-8447-3: Google Guest Agent vulnerabilities

USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in Google Guest Agent. Original advisory details: It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker...

CVSS 10, AI score 6.2, EPSS 0.005
Exploits: 0
OSV
added 2026/06/22 5:23 p.m., 2 views

USN-8447-3 google-guest-agent vulnerabilities

USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in Google Guest Agent. Original advisory details: It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker...

CVSS 10, AI score 6.1, EPSS 0.005
Exploits: 0, References: 5