CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added last week•5 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

ATTACKERKB•added last week•7 views

CVE-2026-45296

Exploits0References2Affected Software1

Cvelist•added last week•22 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

7.7CVSS0.00032EPSS

EUVD•added last week•4 views

EUVD-2026-32971

CNNVD•added 2026/05/28 12:0 a.m.•5 views

OpenReplay 访问控制错误漏洞

OpenReplay is an open-source, developer-friendly, self-hosted session replay software. Versions of OpenReplay prior to 1.26.0 contained an access control vulnerability. This vulnerability stemmed from the lack of verification that the project belonged to the same tenant during API key...

Positive Technologies•added 2026/05/28 12:0 a.m.•5 views

Exploits0References2

PT-2026-44457

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

NVD•added 2026/05/27 11:16 p.m.•6 views

Exploits0References2

CVE-2026-45322

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.runshell passes a command string...

7.8CVSS0.00067EPSS

OSV•added 2026/05/26 7:33 a.m.•4 views

MAL-2026-4782 Malicious code in @catclaw/message-logger-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cf070f85ba454a799d80e6998ee717f0fc9084513041893a164752162e0b0864 On plugin registration, the log-collector is enabled by default and uploads session JSONL files from /.openclaw/agents//sessions to...

5.9AI score

CNNVD•added 2026/05/26 12:0 a.m.•5 views

Snipe-IT 输入验证错误漏洞

Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Versions of Snipe-IT prior to 8.4.1 contained a vulnerability related to input validation errors. This vulnerability stemmed from the unauthorized storage of HTTP Referer headers in session variables,...

7.1CVSS5.8AI score0.00013EPSS

OSSF Malicious Packages•added 2026/05/25 2:44 a.m.•7 views

Malicious code in your-unique-package-name1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34 On import in a browser context, index.js creates a hidden iframe pointing at https://www.pendo.io/?builder.frameEditing=true and postMessages a...

5.8AI score

Cvelist•added 2026/05/22 6:36 p.m.•7 views

CVE-2026-39967 TypeBot: Cross-Typebot Result Data Access via Missing typebotId Filter

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data user answers, variable values from a different typebot by supplying a foreign resultId to the startChat...

3.1CVSS0.00028EPSS

NVD•added 2026/05/21 6:16 p.m.•7 views

CVE-2026-48249

Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobilelogin.inc.php by setting CURLOPTSSLVERIFYPEER to false and not setting CURLOPTSSLVERIFYHOST when issuing outbound HTTPS requests issued during the mobile RouteMate login flow. An attacker positioned on the...

8.2CVSS0.00022EPSS

NVD•added 2026/05/21 6:16 p.m.•8 views

CVE-2026-48247

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPTSSLVERIFYPEER to false and not setting CURLOPTSSLVERIFYHOST when issuing outbound HTTPS requests for general-purpose outbound HTTPS requests issued by the shared helper functions. An...

8.2CVSS0.00022EPSS

CVE•added 2026/05/21 5:11 p.m.•9 views

CVE-2026-48249

Open ISES Tickets

EUVD•added 2026/05/21 5:11 p.m.•5 views

EUVD-2026-31329

Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobilelogin.inc.php by setting CURLOPTSSLVERIFYPEER to false and not setting CURLOPTSSLVERIFYHOST when issuing outbound HTTPS requests for outbound HTTPS requests issued during the mobile RouteMate login flow. An...

EUVD•added 2026/05/21 5:11 p.m.•6 views

EUVD-2026-31330

Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPTSSLVERIFYPEER to false and not setting CURLOPTSSLVERIFYHOST when issuing outbound HTTPS requests for outbound HTTPS requests issued during the login/authentication flow. An attacker...

8.2CVSS5.9AI score0.00033EPSS

Vulnrichment•added 2026/05/21 5:11 p.m.•6 views

CVE-2026-48247 Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in incs/functions.inc.php

EUVD•added 2026/05/21 5:11 p.m.•6 views

EUVD-2026-31326