Lucene search
+L

541 matches found

CVE
CVE
added yesterday21 views

CVE-2026-46338

PyMdown Extensions (pymdownx.snippets) contains a regression that reintroduces a sibling-prefix path traversal when restrict_base_path is True. From 10.0.1 through 10.21.2, get_snippet_path uses a string-prefix check (filename.startswith(base)) that can read files from sibling paths sharing the s...

4.3CVSS6.1AI score0.0003EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 6:1 a.m.5 views

BIT-GITLAB-2026-1606 Improper Control of Generation of Code ('Code Injection') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation...

4.3CVSS5.8AI score0.00223EPSS
Exploits0References4
NVD
NVD
added 2026/06/25 5:16 a.m.11 views

CVE-2026-1606

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation...

4.3CVSS0.00223EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/25 4:34 a.m.6 views

EUVD-2026-39178

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation...

4.3CVSS5.9AI score0.00223EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/25 4:34 a.m.75 views

CVE-2026-1606

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation...

4.3CVSS5.9AI score0.00223EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/25 4:34 a.m.41 views

CVE-2026-1606 Improper Control of Generation of Code ('Code Injection') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation...

4.3CVSS0.00223EPSS
Exploits0References3
CVE
CVE
added 2026/06/25 4:34 a.m.133 views

CVE-2026-1606

CVE-2026-1606 affects GitLab CE/EE (versions 14.8–before 18.11.6, 19.0–before 19.0.3, 19.1–before 19.1.1). The issue stems from improper input validation and could allow an authenticated user to conceal content within a Snippet. The CVSSv3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N ...

4.3CVSS5.9AI score0.00223EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.9 views

PT-2026-52201

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 14.8 through 18.11.5 GitLab CE/EE versions 19.0 through 19.0.2 GitLab CE/EE versions 19.1 through 19.1.0 Description An issue exists where improper input validation could allow an authenticated user to conceal content...

4.3CVSS5.8AI score0.00223EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2026/06/25 12:0 a.m.10 views

GitLab 14.8 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-1606)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an...

4.3CVSS5.9AI score0.00223EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 9:14 p.m.21 views

CVE-2026-54067 SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing breaks out of its surrounding tag when renderSnippet interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer...

9.9CVSS0.00307EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 9:14 p.m.4 views

CVE-2026-54067 SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing breaks out of its surrounding tag when renderSnippet interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer...

9.9CVSS6.1AI score0.00307EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 9:14 p.m.14 views

CVE-2026-54067

SiYuan (prior to v3.7.0) is affected by a stored XSS in renderSnippet() where a CSS snippet containing breaks out of the surrounding tag during insertion, enabling injected JavaScript in the renderer. In Electron builds with nodeIntegration: true, this can reach Node APIs (e.g., child_process) a...

9.9CVSS6AI score0.00307EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/24 3:18 p.m.5 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the Pipeline Snippet Generator process. An attacker can gain unauthorized access to instantiate types related to job or system configuration by submitting crafted input to the generator. Remediation Upgrade...

6.9CVSS5.8AI score0.00275EPSS
Exploits0References2
NVD
NVD
added 2026/06/24 2:17 p.m.14 views

CVE-2026-57283

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator...

4.3CVSS0.00158EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 2:17 p.m.4 views

CVE-2026-57284

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps...

4.3CVSS5.9AI score
Exploits0References1
OSV
OSV
added 2026/06/24 2:17 p.m.2 views

CVE-2026-57283

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator...

4.3CVSS5.8AI score
Exploits0References1
NVD
NVD
added 2026/06/24 2:17 p.m.12 views

CVE-2026-57284

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps...

4.3CVSS0.00275EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 1:20 p.m.9 views

EUVD-2026-38764

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps...

4.3CVSS5.9AI score0.00275EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 1:20 p.m.36 views

CVE-2026-57284

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps...

0.00275EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 1:20 p.m.33 views

CVE-2026-57284

CVE-2026-57284 affects Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier. The vulnerability arises because the Pipeline Snippet Generator does not restrict the types that can be instantiated, potentially allowing an attacker to instantiate types related to job or system configuration...

4.3CVSS5.9AI score0.00275EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder