Lucene search
+L

1342 matches found

EUVD
EUVD
added 7 hours ago4 views

EUVD-2026-45082

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-44920

HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security HSTS policy within its responses, which could allow a remote attacker to downgrade the communication channel to an unencrypted...

3.1CVSS6.1AI score
Exploits0References1
CVE
CVE
added yesterday9 views

CVE-2026-35145

HCL DFXAnalytics is reported as affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The issue arises because the application’s web responses do not include the Strict-Transport-Security header, potentially allowing an attacker to downgrade to HTTP and perform MITM attacks. ...

3.1CVSS6.1AI score
Exploits0References1
CVE
CVE
added 4 days ago21 views

CVE-2026-58065

The CVE affects the Apache Airflow Git provider when performing git-over-SSH operations with StrictHostKeyChecking=no, which disables SSH host-key verification and enables MITM risk between an Airflow worker and the Git server. Deployments that clone over SSH using a deploy key or involve the Git...

8.1CVSS6.1AI score0.00461EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/07/08 8:16 p.m.5 views

CVE-2026-53624

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol for https instead of c.Scheme. This issue is fixe...

4.8CVSS0.00212EPSS
Exploits1References4
OSV
OSV
added 2026/07/08 12:11 a.m.4 views

CVE-2026-59998

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory...

4.8CVSS6.1AI score0.00179EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/07/08 12:11 a.m.5 views

CVE-2026-59998

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory...

6.5CVSS5.9AI score0.00179EPSS
Exploits0
EUVD
EUVD
added 2026/07/08 12:11 a.m.18 views

EUVD-2026-42141

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory...

4.8CVSS5.9AI score0.00179EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/07/08 12:11 a.m.12 views

CVE-2026-59998

sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory...

6.5CVSS5.9AI score0.00179EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.8 views

PT-2026-56214

Name of the Vulnerable Software and Affected Versions New API versions prior to 0.12.0-alpha.1 Description The email and WeChat account binding endpoints use GET requests for state-changing account operations. In deployments where session cookies are sent on cross-site navigations, an attacker ca...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/07/06 8:43 p.m.6 views

GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score0.00212EPSS
Exploits1References2Affected Software1
Snyk
Snyk
added 2026/07/06 8:43 p.m.7 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00212EPSS
Exploits1References2
OSV
OSV
added 2026/07/06 8:43 p.m.4 views

GHSA-GV83-GQW6-9J2C GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score0.00212EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/06 8:43 p.m.10 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00212EPSS
Exploits1References2
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-40047

Improper Neutralization of Argument Delimiters in a Command 'Argument Injection' vulnerability in Apache Camel Docling component. The camel-docling component invokes the external docling command-line tool by assembling an argument list in DoclingProducer and executing it through...

9.1CVSS0.01569EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:46 a.m.5 views

CVE-2026-40047

Improper Neutralization of Argument Delimiters in a Command 'Argument Injection' vulnerability in Apache Camel Docling component. The camel-docling component invokes the external docling command-line tool by assembling an argument list in DoclingProducer and executing it through...

5.9AI score0.01569EPSS
Exploits2References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/07/03 12:0 a.m.9 views

Fedora 44 : cpp-httplib (2026-1b15ac058b)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-1b15ac058b advisory. Update to 0.48.0 rhbz2481109 Security fixes - Complete the IP-host certificate identity fix from v0.47.0 for the Mbed TLS and wolfSSL backends. An...

9.9CVSS6.1AI score0.00327EPSS
Exploits4References6
Cvelist
Cvelist
added 2026/07/01 10:35 p.m.28 views

CVE-2026-14440 Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records

Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design e.g. 'issue "letsencrypt.org"' without parameters. On Universal SSL zones,...

7.6CVSS0.00135EPSS
Exploits0References4
NVD
NVD
added 2026/07/01 2:16 p.m.7 views

CVE-2026-13603

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS0.00253EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 1:18 p.m.7 views

EUVD-2026-40958

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

10CVSS5.8AI score0.00253EPSS
Exploits0References1
Rows per page
Query Builder