CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/13 9:7 p.m.•3 views

CVE-2026-44423

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records SSH username, device UID, remote IP, terminal type, authenticated fla...

6.5CVSS5.9AI score0.00033EPSS

Exploits1References2Affected Software1

CNNVD•added 2026/05/13 12:0 a.m.•3 views

ShellHub 安全漏洞

ShellHub is an open-source remote device access and management platform developed by ShellHub. Versions of ShellHub prior to 0.24.2 contained security vulnerabilities. These vulnerabilities stemmed from the GET /api/sessions/:uid request, which returned a complete session object for any...

6.5CVSS5.9AI score0.00033EPSS

Exploits1References1

Cvelist•added 2026/05/06 7:57 p.m.•22 views

CVE-2026-40326 Masa CMS CSRF in site bundle creation allows unauthorized site data export

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in csettings.cfc does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in...

7.1CVSS0.00033EPSS

AlpineLinux•added 2026/05/05 2:50 p.m.•4 views

CVE-2026-35192

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSIONSAVEEVERYREQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

6.5CVSS5.8AI score0.00041EPSS

Exploits0

OSV•added 2026/05/03 9:55 a.m.•1 views

OESA-2026-2135 python-flask security update

Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...

4.3CVSS5.7AI score0.00014EPSS

Snyk•added 2026/03/27 8:22 p.m.•1 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

Snyk•added 2026/03/27 8:22 p.m.•3 views

Exposure of Data Element to Wrong Session

Snyk•added 2026/03/27 8:22 p.m.•1 views

Exposure of Data Element to Wrong Session

Snyk•added 2026/03/27 8:22 p.m.•1 views

Exposure of Data Element to Wrong Session

EUVD•added 2026/03/06 3:27 a.m.•1 views

EUVD-2025-208337

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...

6.4CVSS6.1AI score0.00014EPSS

Snyk•added 2026/03/03 7:17 p.m.•2 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via sandbox-browser-entrypoint.sh. An attacker can gain unauthorized access to VNC observer sessions by connecting to the noVNC service, which is exposed without...

9.1CVSS5.8AI score0.00031EPSS

OSV•added 2026/02/21 6:17 a.m.•1 views

UBUNTU-CVE-2026-27205

Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...

4.3CVSS5.8AI score0.00014EPSS

Exploits0References5

RedhatCVE•added 2026/01/09 11:19 a.m.•0 views

CVE-2021-22979

On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned...

6.1CVSS6AI score0.00316EPSS

RedhatCVE•added 2026/01/09 10:55 a.m.•6 views

CVE-2022-23176

WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access. This vulnerability impacts Fireware OS before 12.7.2U1, 12.x before 12.1.3U3, and 12.2.x through 12.5.x before...

9CVSS6.9AI score0.10169EPSS

Exploits1References1

RedhatCVE•added 2026/01/09 9:4 a.m.•1 views

CVE-2024-39683

ZITADEL is an open-source identity infrastructure tool. ZITADEL provides users the ability to list all user sessions of the current user agent browser. Starting in version 2.53.0 and prior to versions 2.53.8, 2.54.5, and 2.55.1, due to a missing check, user sessions without that information e.g...

6.5CVSS6.5AI score0.00608EPSS

Snyk•added 2026/01/01 6:46 a.m.•1 views

Exposure of Data Element to Wrong Session

Overview skypilot is a SkyPilot: Run AI on Any Infra — Unified, Faster, Cheaper. Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the form of allowing users to see the pending jobs belonging to other users, under some conditions, and leaking keys in...

5.1CVSS6.7AI score

Exploits0References3

NVD•added 2025/11/19 2:15 p.m.•3 views

CVE-2024-8527

Open Redirect in URL parameter in Automated Logic WebCTRL and Carrier i-Vu versions 6.0, 6.5, 7.0, 8.0, 8.5, 9.0 may allow attackers to exploit user sessions...

8.6CVSS0.0003EPSS