Lucene search
+L

26496 matches found

Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.22 views

PT-2026-50797

Name of the Vulnerable Software and Affected Versions Hashgraph Guardian versions prior to 3.5.0 commit ba8c566 Description A stored cross-site scripting issue exists where authenticated users with the STANDARD REGISTRY role can inject malicious scripts. This occurs by submitting a crafted...

4.8CVSS5.9AI score0.00177EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/06/17 10:20 p.m.11 views

CVE-2026-48817

A flaw was found in Starlette, a lightweight Asynchronous Server Gateway Interface ASGI framework. An attacker can exploit this vulnerability by sending a specially crafted HTTP request that uses a non-standard HTTP method. This can cause the framework to invoke internal methods not intended for...

5.3CVSS5.2AI score0.00213EPSS
Exploits0References5
OSV
OSV
added 2026/06/17 10:1 p.m.4 views

CVE-2026-50268 Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle...

1.9CVSS5.9AI score0.00046EPSS
Exploits0References4
NVD
NVD
added 2026/06/17 9:16 p.m.17 views

CVE-2026-48979

PHP Standard Library PSL is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the...

7.5CVSS0.00267EPSS
Exploits0References3
OSV
OSV
added 2026/06/17 9:16 p.m.10 views

UBUNTU-CVE-2026-48979

PHP Standard Library PSL is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the...

7.5CVSS5.8AI score0.00267EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 8:43 p.m.4 views

CVE-2026-48979 PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling

PHP Standard Library PSL is set of APIs covering async, collections, networking, I/O, cryptography, terminal UI, etc. In versions 6.1.0, 6.1.1 and 6.2.0, the Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the...

7.5CVSS5.9AI score0.00267EPSS
Exploits0References5
NVD
NVD
added 2026/06/17 8:17 p.m.12 views

CVE-2026-48817

Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an...

5.3CVSS0.00213EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.22 views

PT-2026-50544

Name of the Vulnerable Software and Affected Versions PHP Standard Library PSL versions 6.1.0 through 6.1.1 PHP Standard Library PSL version 6.2.0 Description The PslH2ServerConnection function does not validate that the total bytes received in DATA frames match the content-length header declared...

7.5CVSS5.9AI score0.00267EPSS
Exploits0References10
FreeBSD
FreeBSD
added 2026/06/17 12:0 a.m.12 views

mail/mailpit -- Incomplete SSRF protection in Link Check API via uncovered IPv6 forms

Mailpit authorreports: The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT range, but those helpers do not match two classes of IPv6 address that should be...

5.8CVSS5.3AI score0.00282EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/16 11:8 p.m.11 views

crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building

A flaw was found in the Go standard library packages crypto/x509 and crypto/tls. During the process of building a certificate chain, an attacker can provide a large number of intermediate certificates. This excessive input is not properly limited, leading to an uncontrolled amount of work being...

7.5CVSS7.5AI score0.00615EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/06/16 10:54 p.m.9 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

7.5CVSS8.3AI score0.00728EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.31 views

PT-2026-49727

Name of the Vulnerable Software and Affected Versions Perry versions prior to 0.5.1166 Description An issue in the JWT validation process allows remote attackers to bypass token expiration. This occurs because the verify decode helper within the stdlib JWT verification path unconditionally sets...

9.3CVSS5.3AI score0.00357EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-50149

Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description The node:crypto.checkPrime and crypto.checkPrimeSync functions failed to perform Miller-Rabin rounds when the options.checks variable was left at its default value of 0. In this state, the software only...

7.4CVSS5.8AI score0.00149EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/15 8:22 p.m.38 views

HTTP Request Smuggling

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to HTTP Request Smuggling through the QuerystringParser function. An attacker can bypass upstream validation and inject or override form fields by crafting specially formatted...

6.3CVSS5.4AI score0.00176EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 5:33 p.m.9 views

Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization

Description Symfony\Component\Routing\Generator\UrlGenerator::doGenerate percent-encodes . and .. path segments so that the generated URL still resolves to the originating route after RFC 3986 §5.2.4 dot-segment removal which strict RFC-3986 consumers — routers, reverse proxies, HTTP clients —...

6.1CVSS5.3AI score0.00267EPSS
Exploits0References6Affected Software2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.17 views

PT-2026-49570

Name of the Vulnerable Software and Affected Versions Python-Multipart versions prior to 0.0.30 Description The QuerystringParser treated the semicolon ; as a field separator in application/x-www-form-urlencoded bodies, in addition to the ampersand &. This deviates from the WHATWG URL standard,...

3.7CVSS6.8AI score0.00176EPSS
Exploits0References28
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.20 views

PT-2026-49607

Name of the Vulnerable Software and Affected Versions LangBot affected versions not specified Description A critical flaw in the MCP STDIO implementation allows for remote code execution within AI pipelines. Recommendations At the moment, there is no information about a newer version that contain...

8.8CVSS6.2AI score
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/14 5:38 p.m.12 views

CVE-2026-54413

driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle0x27SecurityAccess function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byt...

8.8CVSS5.6AI score0.00459EPSS
Exploits0References4
Microsoft CVE
Microsoft CVE
added 2026/06/13 8:2 a.m.12 views

AES-OCB IV Ignored on EVP_Cipher() Path

...

7.5CVSS5.8AI score0.0032EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/12 3:1 p.m.11 views

CVE-2026-50086 Aqara unauthenticated AES oracle

The Aqara IAM/SSO gateway gw-builder.aqara.com exposes bidirectional AES round-trups against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has a...

10CVSS5.3AI score0.0029EPSS
Exploits1References2
Rows per page
Query Builder