Lucene search
+L

4300519 matches found

Cvelist
Cvelist
added 2 hours ago7 views

CVE-2025-71394 SurrealDB before 2.2.2 Local File Read via DEFINE ANALYZER

SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and...

2.3CVSS
Exploits0References2
CVE
CVE
added 2 hours ago7 views

CVE-2025-71394

SurrealDB versions before 2.2.2 have a local file read vulnerability in the DEFINE ANALYZER that allows authenticated users with root, namespace, or database privileges to point analyzers to arbitrary file paths and exfiltrate content from two-column tab-separated files; remediation is to upgrade...

2.3CVSS5.5AI score
Exploits0References2
CVE
CVE
added 2 hours ago5 views

CVE-2025-71395

The vulnerability CVE-2025-71395 affects SurrealDB versions before 2.2.2. A memory-exhaustion flaw occurs in the string::replace function when handling regex patterns, allowing unbounded string allocations to be produced. An authenticated attacker can craft a query that drives server memory usage...

7.1CVSS5.4AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2025-210486

SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to restrict resulting string length when using regex patterns. An authenticated attacker can craft a malicious query to exhaust server memory through unbounded string allocations,...

7.1CVSS
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2025-210485

SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and...

2.3CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2025-71393

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion...

6CVSS
Exploits0References3
Cvelist
Cvelist
added 2 hours ago6 views

CVE-2025-71393 SurrealDB before 2.2.2 Memory Exhaustion via Nested Functions

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion...

6CVSS
Exploits0References2
CVE
CVE
added 2 hours ago7 views

CVE-2025-71393

CVE-2025-71393 affects SurrealDB prior to 2.2.2 with scripting enabled. The issue: recursion limits are not properly enforced when native functions embed JavaScript that issues new queries, allowing authenticated attackers to chain native and JS calls to bypass the limit, triggering infinite recu...

6CVSS5.2AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2025-210484

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion...

6CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2025-71392

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS
Exploits0References3
Cvelist
Cvelist
added 2 hours ago7 views

CVE-2025-71392 SurrealDB before 2.2.2 SurrealQL Injection via export

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS
Exploits0References2
CVE
CVE
added 2 hours ago4 views

CVE-2025-71392

SurrealDB prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2 fails to escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a higher-privilege...

9.4CVSS5.4AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2025-210483

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2025-71390

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http:: functions. An authenticated user can invoke http:: with a hostname that resolves to a denied IP address, causing the server ...

5.8CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2025-71391

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instan...

7.1CVSS
Exploits0References3
Cvelist
Cvelist
added 2 hours ago7 views

CVE-2025-71391 SurrealDB before 2.2.2 Denial of Service via /sql endpoint

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instan...

7.1CVSS
Exploits0References2
Cvelist
Cvelist
added 2 hours ago7 views

CVE-2025-71390 SurrealDB before 2.3.6 deny-net Bypass via DNS Resolution

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http:: functions. An authenticated user can invoke http:: with a hostname that resolves to a denied IP address, causing the server ...

5.8CVSS
Exploits0References2
CVE
CVE
added 2 hours ago5 views

CVE-2025-71391

Technical details for CVE-2025-71391 are not publicly available in the provided documents. Monitor for updates, as affected versions, root cause, and fixes are not disclosed here.

7.1CVSS5.4AI score
Exploits0References2
CVE
CVE
added 2 hours ago4 views

CVE-2025-71390

SurrealDB prior to 2.2.6, 2.3.6, 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network restrictions in http::* functions. An authenticated user can call http::() using a hostname that resolves to a denied IP, causing the server to perform the requ...

5.8CVSS5.4AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2025-210490

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http:: functions. An authenticated user can invoke http:: with a hostname that resolves to a denied IP address, causing the server ...

5.8CVSS
Exploits0References2
Rows per page
Query Builder