Lucene search

93 matches found

RedhatCVE
added yesterday, 4 views

CVE-2026-46595

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

CVSS 10, AI score 5.4, EPSS 0.00052
Exploits 0, References 1
Vulnrichment
added 2026/05/08 10:05 p.m., 6 views

CVE-2026-42302 FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox

FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to...

CVSS 9.8, AI score 5.8, EPSS 0.00513
Exploits 0, References 4
ATTACKERKB
added 2026/05/04 5:42 a.m., 2 views

CVE-2026-29199

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When forceservervars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Hos...

AI score 5.8, EPSS 0.00033
Exploits 0, References 2, Affected Software 1
Github Security Blog
added 2026/03/30 5:19 p.m., 3 views

HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect

Summary: ManagedWebAccessUtils.getServer uses String.startsWith to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs (e.g., http://tx.fhir.org) lack a trailing slash or host boundary check, an attacker-controlled domain like...

CVSS 9.1, AI score 5.9, EPSS 0.00026
Exploits 1, References 3, Affected Software 2
Cvelist
added 2026/03/12 4:57 p.m., 21 views

CVE-2026-29066 Arbitrary File Read via Disabled Vite Filesystem Restriction in TinaCMS CLI

Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the...

CVSS 6.2, EPSS 0.06479
Exploits 1, References 1
RedhatCVE
added 2026/01/09 9:28 a.m., 9 views

CVE-2023-49283

microsoft-graph-core is the Microsoft Graph Library for PHP. The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo function from any application that could access and execute the file at...

CVSS 5.4, AI score 6.7, EPSS 0.00291
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:12 a.m., 12 views

CVE-2025-1980

The Ready application's Profile section allows users to upload files of any type and extension without restriction. If the server is misconfigured, as it was by default when installed at the turn of 2021 and 2022, it can result in Remote Code Execution. Refer to the Required Configuration for...

CVSS 9.4, AI score 7, EPSS 0.022
Exploits 0, References 1
OSV
added 2026/01/06 4:15 p.m., 0 views

CVE-2025-60262

The H3C M102G HM1A0V200R010 wireless controller and BA1500L SWBA1A0V100R006 wireless access point contain a misconfiguration vulnerability in vsftpd. Through this vulnerability, all files uploaded anonymously via the FTP protocol are automatically owned by the root user and remote...

CVSS 9.8, AI score 5.9, EPSS 0.00213
Exploits 1, References 2
Positive Technologies
added 2025/12/02 12:00 a.m., 6 views

PT-2025-48654

The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save file function in inc/emails/handler/uploads.php which duplicates all email attachments to a web-accessib...

CVSS 8.1, AI score 7.4, EPSS 0.0018
Exploits 0, References 7
EUVD
added 2025/11/18 12:30 p.m., 1 view

EUVD-2025-197981

Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules...

CVSS 7.5, AI score 6.5, EPSS 0.00045
Exploits 0, References 2
NVD
added 2025/11/18 11:15 a.m., 2 views

CVE-2025-41737

Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules...

CVSS 7.5, EPSS 0.00045
Exploits 0, References 1
CVE
added 2025/11/18 10:18 a.m., 8 views

CVE-2025-41737

CVE-2025-41737 involves METZ CONNECT devices (EWIO2 family and related controllers) where a webserver misconfiguration allows an unauthenticated remote attacker to read the source of PHP modules. The entry is corroborated by multiple sources (Red Hat, ENISA EUVD, CISA ICS advisory, CVE lists) des...

CVSS 7.5, AI score 6.6, EPSS 0.00045
Exploits 0, References 1, Affected Software 1
CNNVD
added 2025/11/18 12:00 a.m., 1 view

METZ CONNECT multiple products access control error vulnerability

METZ CONNECT Energy-Controlling EWIO2-M and others are products of METZ CONNECT, Germany. METZ CONNECT Energy-Controlling EWIO2-M is a high performance data logger. METZ CONNECT Energy-Controlling EWIO2-M-BM is a high performance data logger. METZ CONNECT Ethernet-IO EWIO2-BM is a sensor and actuat...

CVSS 7.5, AI score 6.5, EPSS 0.00045
Exploits 0, References 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2020-20855

Malware in sbrugna...

CVSS 7.3, AI score 7.4, EPSS 0.00174
Exploits 0, References 3
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-7821

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.6, EPSS 0.00115
Exploits 0, References 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-26461

Malicious code in bioql PyPI...

CVSS 8.1, AI score 8, EPSS 0.01416
Exploits 1, References 1
EUVD
added 2025/10/03 8:07 p.m., 7 views

EUVD-2023-3247

Malicious code in bioql PyPI...

CVSS 10, AI score 7.8, EPSS 0.94329
Exploits 5, References 10
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-53960

Malicious code in bioql PyPI...

CVSS 5.3, AI score 6.6, EPSS 0.00307
Exploits 0, References 2
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-3185

Malicious code in bioql PyPI...

CVSS 5.4, AI score 5.4, EPSS 0.00157
Exploits 0, References 9
Positive Technologies
added 2025/08/20 12:00 a.m., 3 views

PT-2025-34180

Name of the Vulnerable Software and Affected Versions: CData API Server (affected versions not specified). Description: CData API Server installations are susceptible to information disclosure. Remote attackers who have authentication can exploit this issue. The flaw resides in the configuration of...

CVSS 4.3, AI score 5.8, EPSS 0.00083
Exploits 0, References 5