CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/06/12 9:3 p.m.•20 views

CVE-2026-49397

CVE-2026-49397 affects Nezha Monitoring (2.x). Private services (EnableShowInService: false) are leaked via per-server endpoints and service history endpoints due to inconsistent filtering: CopyStats() hides private services in the public listing, but Get/GetSortedList() and endpoints like GET /a...

5.3CVSS5.2AI score0.00253EPSS

EUVD•added 2026/06/12 9:3 p.m.•9 views

EUVD-2026-36597

5.3CVSS5.2AI score0.00253EPSS

Vulnrichment•added 2026/06/12 9:3 p.m.•7 views

CVE-2026-49397 Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

5.3CVSS5.2AI score0.00253EPSS

OSV•added 2026/06/10 1:39 p.m.•6 views

GHSA-VRMH-5MMX-HJWX Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

Private services EnableShowInService: false are enumerable via per-server endpoints, leaking name and timing data CWE: CWE-285 Improper Authorization via CWE-200 Exposure of Sensitive Information to an Unauthorized Actor and CWE-863 Incorrect Authorization — inconsistent gating across data-reader...

5.3CVSS5.7AI score0.00253EPSS

Exploits0References3

Github Security Blog•added 2026/06/10 1:39 p.m.•12 views

Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data

5.3CVSS5.7AI score0.00253EPSS

Exploits0References3Affected Software1

RedhatCVE•added 2026/06/05 7:27 p.m.•8 views

CVE-2026-40435

When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

6.9CVSS5.5AI score0.00228EPSS

EUVD•added 2026/06/02 10:40 p.m.•9 views

EUVD-2026-34047

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only VIEW access to an MCP server can retrieve the server's decrypted admin-managed secrets through GET /api/mcp/servers and GET /api/mcp/servers/:serverName. The returned...

6.5CVSS5.7AI score0.00276EPSS

Exploits1References1

Positive Technologies•added 2026/06/02 12:0 a.m.•13 views

PT-2026-45882

Name of the Vulnerable Software and Affected Versions LibreChat versions prior to 0.8.4 Description Users with only VIEW access to an MCP server can retrieve decrypted admin-managed secrets. This occurs through the endpoints "/api/mcp/servers" and "/api/mcp/servers/:serverName", where the returne...

6.5CVSS5.8AI score0.00276EPSS

Exploits1References3

Snyk•added 2026/05/29 10:30 p.m.•7 views

Missing Authorization

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

8.7CVSS5.5AI score0.00075EPSS

Exploits0References3

CVE•added 2026/05/29 2:29 p.m.•22 views

CVE-2026-10042

The CVE-2026-10042 issue affects manga-image-translator, specifically the share.py module of the shared API server. It enables remote code execution through unsafe deserialization of attacker-controlled pickle data in the /execute/{method_name} and /simple_execute/{method_name} endpoints, which c...

9.8CVSS6.7AI score0.00622EPSS

Exploits0References4

Snyk•added 2026/05/20 9:45 p.m.•9 views

Relative Path Traversal

Overview Affected versions of this package are vulnerable to Relative Path Traversal via the resource parameter in the ssx and jsx endpoints when a leading slash is used. An attacker can access sensitive configuration files by crafting a URL that traverses directories. Note: This issue is due to...

9.8CVSS5.8AI score0.19538EPSS

Exploits0References2

EUVD•added 2026/05/11 2:50 p.m.•41 views

EUVD-2026-27867

Facebook React has a Denial of Service Vulnerability in React Server Components...

7.5CVSS5.8AI score0.01533EPSS

Exploits1References4

Github Security Blog•added 2026/05/11 2:50 p.m.•10 views

Facebook React has a Denial of Service Vulnerability in React Server Components

Impact A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to out-of-memory exceptions or excessive CPU usage. We recommend updating immediately. The vulnerability exists in versions 19.0.0 through 19.0.5,...

7.5CVSS5.9AI score0.01533EPSS

Exploits1References5Affected Software3

Snyk•added 2026/05/06 7:32 p.m.•7 views

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-turbopack is a React Server Components bindings for DOM using Turbopack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...

Snyk•added 2026/05/06 7:32 p.m.•17 views

Allocation of Resources Without Limits or Throttling

Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious FormData in an HTTP request...

Snyk•added 2026/05/06 7:32 p.m.•11 views

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttli...

Snyk•added 2026/05/06 7:32 p.m.•9 views

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-parcel is a React Server Components bindings for DOM using Parcel. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling...