Lucene search
+L

108 matches found

NVD
NVD
added yesterday6 views

CVE-2026-63101

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint whic...

8.7CVSS
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-63101

Open Event Server 1.19.1 is affected by an unauthenticated access vulnerability that lets attackers export the full member roster (emails, names, join dates, roles) by calling the group followers CSV export endpoint. The issue arises because the export endpoint lacks authentication and can be tri...

8.7CVSS5.5AI score
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-45202

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint whic...

8.7CVSS5.4AI score
Exploits0References2
Cvelist
Cvelist
added yesterday16 views

CVE-2026-63098 TheHive 4.1.24 Unauthenticated Information Disclosure via /api/status Endpoint

TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler...

6.9CVSS
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-63098

The Hive 4.1.24 has an unauthenticated information-disclosure flaw exposed via GET /api/status (StatusCtrl.scala), enabling attackers without credentials to read sensitive configuration data. Affected items include the datastore attachment protection password, configured authentication providers,...

6.9CVSS5.4AI score
Exploits0References2
Positive Technologies
Positive Technologies
added yesterday5 views

PT-2026-60791

TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler...

6.9CVSS5.3AI score
Exploits0References3
NVD
NVD
added 4 days ago4 views

CVE-2026-15641

Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review...

7.1CVSS0.00224EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-15641

Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review...

0.00224EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-58676

Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.11 Devolutions Server version 2026.1.22 Description Improper authorization in the access request status endpoint allows an authenticated low-privileged user to approve their own pending access request. This is...

7.1CVSS6.1AI score0.00224EPSS
Exploits0References3
Metasploit
Metasploit
added 2026/06/23 7:6 p.m.200 views

Audiobookshelf Unauthenticated API Authentication Bypass Scanner

This module detects Audiobookshelf servers affected by CVE-2025-25205, an unauthenticated authentication bypass. Affected versions 2.17.0 through 2.19.0 decide whether a GET request may skip authentication by testing an unanchored regular expression against the request's full original URL,...

8.2CVSS5.9AI score0.03999EPSS
Exploits2
ATTACKERKB
ATTACKERKB
added 2026/06/22 1:37 p.m.8 views

CVE-2026-8074

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/id/active API...

3.8CVSS5.9AI score0.00192EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 1:37 p.m.15 views

CVE-2026-8074

Mattermost CVE-2026-8074 affects Mattermost versions 11.7.x (<=11.7.0) and 10.11.x (

3.8CVSS5.9AI score0.00192EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.15 views

PT-2026-51320

Name of the Vulnerable Software and Affected Versions Mattermost version 11.7.0 Mattermost versions prior to 10.11.17 Description Insufficient enforcement of bot-specific permission checks on the user active status endpoint allows a User Manager with user management write access, but lacking...

3.8CVSS5.8AI score0.00192EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/02 12:31 a.m.14 views

EUVD-2018-21956

ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages...

6.9CVSS5.7AI score0.00156EPSS
Exploits0References4
OSV
OSV
added 2026/05/25 1:11 p.m.9 views

CLSA-2026-1779292803 Fix CVE(s): CVE-2026-6735

SECURITY UPDATE: XSS within status endpoint in PHP-FPM - debian/patches/CVE-2026-6735.patch: XSS within status endpoint in PHP-FPM - CVE-2026-6735...

8.8CVSS5.8AI score0.0021EPSS
Exploits1References1
OSV
OSV
added 2026/05/13 3:50 p.m.8 views

CLSA-2026-1778687453 Fix CVE(s): CVE-2026-6735

SECURITY UPDATE: XSS in PHP-FPM status endpoint - debian/patches/CVE-2026-6735.patch: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c. - CVE-2026-6735...

8.8CVSS5.8AI score0.0021EPSS
Exploits1References1
Mageia
Mageia
added 2026/05/13 7:0 a.m.16 views

Updated php packages fix security vulnerabilities

FPM: Fixed GHSA-7qg2-v9fj-4mwv XSS within status endpoint. CVE-2026-6735 MBString: Fixed GHSA-wm6j-2649-pv75 Null pointer dereference in phpmbcheckencoding via mberegsearchinit. CVE-2026-7259 OpenSSL: Fix compatibility issues with OpenSSL 4.0. PDOFirebird: Fixed GHSA-w476-322c-wpvm SQL injection...

9.8CVSS5.9AI score0.0078EPSS
Exploits1References2
OSV
OSV
added 2026/05/12 4:25 p.m.6 views

CLSA-2026-1778603120 Fix CVE(s): CVE-2026-6735

SECURITY UPDATE: XSS in PHP-FPM status endpoint - debian/patches/CVE-2026-6735.patch: HTML-encode proc.requesturi and tighten querystring entity flags in sapi/fpm/fpm/fpmstatus.c. - CVE-2026-6735...

8.8CVSS5.8AI score0.0021EPSS
Exploits1References1
CVE
CVE
added 2026/04/09 9:27 p.m.29 views

CVE-2026-35644

OpenClaw before 2026.3.22 has an information disclosure vulnerability that allows attackers with operator.read scope to exfiltrate credentials embedded in channel baseUrl and httpUrl fields..adversaries can retrieve sensitive authentication information from gateway snapshots via config.get and ch...

7.1CVSS5.9AI score0.00193EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/06 7:24 p.m.3 views

CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...

8.7CVSS5.9AI score0.00355EPSS
Exploits1References1
Rows per page
Query Builder