Lucene search
K

14925 matches found

CVE
CVE
added yesterday13 views

CVE-2026-34167

Coolify (open-source self-hosted) has a vulnerability in the ActivityMonitor Livewire component prior to version 4.0.0-beta.471: a public $activityId property is not protected with Livewire’s #[Locked] attribute, allowing any authenticated user to enumerate activity records across all teams and r...

5CVSS6AI score
Exploits0References4
RedhatCVE
RedhatCVE
added yesterday3 views

CVE-2026-50014

A flaw was found in pnpm, a package manager. An attacker could exploit this vulnerability by providing a malicious lockfile, which could lead to arbitrary code execution. This occurs because pnpm incorrectly processes git dependency information, allowing a crafted input to execute unauthorized...

7.3CVSS6.2AI score0.0018EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added yesterday4 views

golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: Security bypass due to improper handling of key restrictions

A flaw was found in golang.org/x/crypto/ssh/agent. When a key was added to a remote agent, security restrictions, known as constraint extensions, were not properly processed during the request. This allowed these restrictions to be silently removed when keys were forwarded, leading to the...

9.1CVSS6AI score0.00338EPSS
Exploits0References8
Nuclei
Nuclei
added 2 days ago54 views

Cockpit Web Console < 360 - Remote Code Execution

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...

9.8CVSS7.2AI score0.142EPSS
Exploits3References3
Nuclei
Nuclei
added 3 days ago242 views

Mlflow <2.9.2 - Path Traversal

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. id: CVE-2023-6909 info: name: Mlflow 2.9.2 - Path Traversal author: Hyunsoo-ds severity: high description: | Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. impact: | Successful...

7.5CVSS7AI score0.89716EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 4 days ago5 views

CVE-2026-54886

A flaw was found in the Erlang OTP ssh Secure Shell component, specifically within its SFTP SSH File Transfer Protocol module. An authenticated SFTP user can exploit this vulnerability by sending specially crafted extended data on an open channel. This action triggers an infinite loop in the...

6.5CVSS5.9AI score0.00345EPSS
Exploits0References8
NVD
NVD
added 4 days ago6 views

CVE-2026-12064

When a user invokes curl using a schemeless URL combined with --proto-default sftp or scp, a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like...

7.5CVSS0.00208EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 4 days ago4 views

CVE-2026-9547

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPTSSHKEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for th...

7.4CVSS6AI score0.00187EPSS
Exploits0
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-41495

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPTSSHKEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for th...

6AI score0.00187EPSS
Exploits0References3
CVE
CVE
added 4 days ago20 views

CVE-2026-12064

CVE-2026-12064 describes an issue in curl where using a schemeless URL with --proto-default for SFTP/SCP causes the tool layer to skip SSH security configuration (notably CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS ). The libcurl runtime honors the default protocol and proceeds ...

7.5CVSS6AI score0.00208EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-41410

Observable Response Discrepancy vulnerability in Erlang OTP ssh sshsftpd module allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSHFXPREALPATH handler in sshsftpd calls relatefilename/3 with Canonicalize=false, unlik...

2.3CVSS5.8AI score0.00333EPSS
Exploits0References7
Debian CVE
Debian CVE
added 5 days ago4 views

CVE-2026-53422

Observable Response Discrepancy vulnerability in Erlang OTP ssh sshsftpd module allows an authenticated SFTP user to enumerate the existence of files and directories outside the configured root directory. The SSHFXPREALPATH handler in sshsftpd calls relatefilename/3 with Canonicalize=false, unlik...

2.3CVSS5.8AI score0.00333EPSS
Exploits0
Fedora
Fedora
added 5 days ago7 views

[SECURITY] Fedora 43 Update: opkssh-0.14.0-3.fc43

OpenPubkey SSH is a tool which enables ssh to be used with OpenID Connect allowing SSH access to be managed via identities like aliceaexample.com ins tead of long-lived SSH keys...

9.1CVSS5.8AI score0.005EPSS
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago4 views

Malicious code in @marketfront/header (npm)

The @marketfront/header package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' [email protected] within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0 and use...

6.3AI score
Exploits0References2
RedHat Linux
RedHat Linux
added 6 days ago7 views

Important: Red Hat Security Advisory: Satellite 6.16.10 Async Update

An update is now available for Red Hat Satellite 6.16 for RHEL 8 and RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

8.8CVSS5.7AI score0.00302EPSS
Exploits0References6
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago5 views

Malicious code in date-fns-lite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51 [email protected] presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. T...

5.9AI score
Exploits0References13
OSV
OSV
added last week3 views

SUSE-SU-2026:2693-1 Security update for podman

This update for podman fixes the following issues - CVE-2026-34986: github.com/go-jose/go-jose/v4,github.com/go-jose/go-jose/v3: crafted JWE input with a missing encrypted key can lead to a denial of service bsc1262856. - CVE-2026-39829,CVE-2026-39830,CVE-2026-42508,CVE-2026-46598:...

9.1CVSS6.7AI score0.00651EPSS
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/30 12:0 a.m.5 views

Malicious code in log-taker1 (npm)

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer 2800 lines directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults MetaMask, Phantom, Solflare,...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/06/30 12:0 a.m.3 views

MAL-2026-6691 Malicious code in polymarket-clob-maths (npm)

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession function that runs a...

5.9AI score
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-302 Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool

Summary A command injection vulnerability is present in the function tool runsshcommandwithcredentials available to AI agents. Details This is the source code of the function tool runsshcommandwithcredentials code: python @functiontool def runsshcommandwithcredentials host: str, username: str,...

9.6CVSS6AI score0.01799EPSS
Exploits1References7
Rows per page
Query Builder