390265 matches found
EUVD-2026-45278
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the applytweaks function...
CVE-2026-54497
viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base instances retain render-scoped objects across calls to renderin; if the same component, collection, or spacer component instance is reused...
CVE-2026-52203
An issue in MCMS v.6.1.1 allows a remote attacker to obtain sensitive information via the source parameter...
CVE-2026-44891
Netty is a network application framework for development of protocol servers and clients. Prior to 4.1.136.Final and 4.2.16.Final, io.netty.handler.codec.stomp.StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, and the maxLineLength parameter only...
CVE-2026-54497 view_component: Reused Component Instances Retain Stale Render Context
viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base instances retain render-scoped objects across calls to renderin; if the same component, collection, or spacer component instance is reused...
CVE-2026-54497
CVE-2026-54497 (ViewComponent, Ruby on Rails) : Affected through ViewComponent::Base from 4.0.0 to 4.11.x where render_in can retain render-scoped objects across invocations. Reusing the same component instance (or collection/spacer) across requests/threads can cause stale request context, helper...
EUVD-2026-45332
viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base instances retain render-scoped objects across calls to renderin; if the same component, collection, or spacer component instance is reused...
Exploit for CVE-2026-63030
wp2shell-poc Proof-of-concept for an unauthenticated SQL inje...
CVE-2026-8056
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the applytweaks function...
CVE-2026-60137
WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the authornotin parameter of WPQuery, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter...
CVE-2026-49284
SimpleSAMLphp versions before 1.18.6 contain an information disclosure vulnerability. Prior to 2.4.7 and 2.5.2, SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login when unsigned Response/InResponseTo is combined with a signed assertion lacking...
CVE-2026-44974
@hapi/content provided HTTP Content- headers parsing. Prior to 6.0.2, Content.disposition retained the last occurrence of each duplicate parameter while Content.type retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another...
CVE-2026-44891 Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder
Netty is a network application framework for development of protocol servers and clients. Prior to 4.1.136.Final and 4.2.16.Final, io.netty.handler.codec.stomp.StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, and the maxLineLength parameter only...
CVE-2026-44891
CVE-2026-44891 affects Netty’s StompSubframeDecoder. Prior to 4.1.136.Final and 4.2.16.Final, StompSubframeDecoder does not cap total headers or cumulative size per frame; maxLineLength only bounds individual header lines. An attacker can submit many small headers that accumulate in DefaultStompH...
EUVD-2026-45316
Netty is a network application framework for development of protocol servers and clients. Prior to 4.1.136.Final and 4.2.16.Final, io.netty.handler.codec.stomp.StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, and the maxLineLength parameter only...
CVE-2026-44974
@hapi/content provided HTTP Content- headers parsing. Prior to 6.0.2, Content.disposition retained the last occurrence of each duplicate parameter while Content.type retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another...
CVE-2026-44974
CVE-2026-44974 affects the @hapi/content header parser. Before v6.0.2, Content.disposition() kept the last value for duplicate parameters while Content.type() kept the first for duplicate charset/boundary parameters, creating a parameter-smuggling primitive when duplicates are resolved inconsiste...
CVE-2026-44974 Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters
@hapi/content provided HTTP Content- headers parsing. Prior to 6.0.2, Content.disposition retained the last occurrence of each duplicate parameter while Content.type retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another...
EUVD-2026-45313
@hapi/content provided HTTP Content- headers parsing. Prior to 6.0.2, Content.disposition retained the last occurrence of each duplicate parameter while Content.type retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another...
Exploit for Deserialization of Untrusted Data in Snakeyaml_Project Snakeyaml
Sean's Surf & Skate Co. — Seal Security Demo Maven / Java A...