Lucene search
+L

755 matches found

CVE
CVE
added yesterday31 views

CVE-2026-50163

The CVE concerns the oras-go library (OCI artifacts) prior to version 2.6.2, where ensureLinkPath in content/file/utils.go can return an unresolved hardlink target. During tar extraction, a hardlink entry with a relative Linkname could be resolved against the process CWD, allowing a path like pay...

7.1CVSS5.3AI score
Exploits0References4
CVE
CVE
added yesterday13 views

CVE-2026-9602

Mattermost Desktop App vulnerable versions:

6.5CVSS5.4AI score
Exploits0References1
Cvelist
Cvelist
added 3 days ago30 views

CVE-2026-62361 listmonk: SQL Injection in `/api/subscribers/export` bypasses table access control, leaking admin password hashes and SMTP credentials

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to 6.2.0, listmonk’s GET /api/subscribers/export endpoint injects the user-controlled query parameter into QuerySubscribersForExport in internal/core/subscribers.go without calling validateQueryTables, unlike GET...

5.5CVSS0.00239EPSS
Exploits0References3
Microsoft Security Update
Microsoft Security Update
added 4 days ago5 views

2026-07 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 R2 for x64 (KB5102205)

2026-07 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Server 2012 R2 for x64 KB5102205...

6.1AI score
Exploits0
OSV
OSV
added 4 days ago3 views

ROOT-OS-UBUNTU-2204-CVE-2026-23085 CVE-2026-23085 in rootio-linux - Patched by Root

Root has patched CVE-2026-23085 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...

5.5CVSS5.4AI score0.00123EPSS
Exploits0
CVE
CVE
added 2026/07/10 7:45 p.m.11 views

CVE-2026-55481

Snipe-IT (IT asset/license management) prior to 8.6.2 is affected by a CSS injection vulnerability in default.blade.php: header_color and related branding color settings are rendered inside a CSS style block with insufficient HTML escaping for the CSS context. This allows a superadmin to inject a...

6.2CVSS6.2AI score0.00236EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/07/10 7:45 p.m.39 views

CVE-2026-55481 Snipe-IT: CSS Injection via `header_color` Setting

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, default.blade.php renders headercolor and related branding color settings inside a CSS style block with HTML escaping that is insufficient for the CSS context, allowing a superadmin to inject arbitrary CSS that affects authenticat...

6.2CVSS0.00236EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/10 7:42 p.m.7 views

EUVD-2026-43000

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/10 7:42 p.m.30 views

CVE-2026-55469 Snipe-IT: Path traversal vulnerability via CSV import `image` field

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS0.00378EPSS
Exploits0References3
OSV
OSV
added 2026/07/10 7:37 p.m.3 views

CVE-2026-55466 Snipe-IT: Stored XSS via inline-served attachment

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UploadFileRequest sanitizes SVG content only when PHP finfo reports image/svg+xml and UploadedFilesController serves attachments inline without using StorageHelper::allowSafeInline, allowing a low-privilege user to upload active...

6.2CVSS6.1AI score0.00316EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/07/10 7:35 p.m.34 views

CVE-2026-55462 Snipe-IT: Authorization bypass on print inventory page

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show and printInventory authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and...

4.3CVSS0.0026EPSS
Exploits1References3
NVD
NVD
added 2026/07/10 7:17 p.m.8 views

CVE-2026-55464

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, CommonMark escapes raw HTML but does not sanitize javascript: URIs in Markdown hyperlinks, allowing a user with assets.edit permission to place a malicious link in a markdown-textarea custom field that executes arbitrary JavaScrip...

5.4CVSS0.00173EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 6:39 p.m.7 views

CVE-2026-55460

CVE-2026-55460 affects Snipe-IT (IT asset/license management system). Before version 8.6.2, an authenticated non-admin user who had rights users.view and users.edit but not users.delete could directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorized onl...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/07/10 6:34 p.m.8 views

CVE-2026-55478

Snipe-IT (IT asset/license management) has a vulnerability in the Kits API. Before version 8.6.2, POST /api/v1/kits/{kit_id}/licenses validates the caller’s ability to edit kits but does not authorize access to the referenced license object. This allows a low-privilege user with predefined-kit pe...

5.4CVSS6.1AI score0.00175EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/07/10 6:34 p.m.3 views

CVE-2026-55478 Snipe-IT: Missing object-level authorization in Kits API

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/kitid/licenses checks whether the caller can edit kits but does not authorize access to the referenced license object, allowing a low-privilege user with predefined-kit permissions to bind a license they should n...

5.3CVSS6.1AI score0.00175EPSS
Exploits0References5
OSV
OSV
added 2026/07/10 6:31 p.m.3 views

CVE-2026-55516 Snipe-IT: Cross-company asset maintenance re-parenting via API update

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, PATCH or PUT /api/v1/maintenances/maintenanceid checks access to the current maintenance record and asset but then fills attacker-controlled fields including assetid without re-authorizing the newly supplied asset, allowing an...

7.7CVSS6.1AI score0.00218EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/07/10 5:41 a.m.9 views

WordPress LoginPress Pro plugin <= 6.2.3 - Unauthenticated Authentication Bypass vulnerability

Unauthenticated Authentication Bypass vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin LoginPress Pro versions = 6.2.3...

8.1CVSS5.9AI score0.00422EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.10 views

PT-2026-57164

Name of the Vulnerable Software and Affected Versions Lucee CFML Server versions 5.3.x Lucee CFML Server versions 6.1.x Lucee CFML Server versions 6.2.x Lucee CFML Server versions 7.0.x Description Reflected cross-site scripting occurs during URL path parsing, allowing unauthenticated remote...

8.2CVSS6.3AI score0.00386EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.8 views

PT-2026-57270

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2 Description An issue exists in the IT asset and license management system where the endpoints 'PATCH /api/v1/maintenances/maintenance id' and 'PUT /api/v1/maintenances/maintenance id' fail to re-authorize asset...

7.7CVSS6.1AI score0.00218EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.9 views

PT-2026-57266

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2 Description When Full Multiple Companies Support and scope locations fmcs are enabled, the API location creation endpoint fails to terminate the process after detecting an invalid parent-child company mismatch...

4.3CVSS6.1AI score0.00197EPSS
Exploits0References9
Rows per page
Query Builder