Lucene search
K

3407 matches found

OSV
OSV
added 4 days ago3 views

CVE-2026-58493 grav-plugin-database: DSN Parameter Injection via Unsanitized Configuration Values in Connection String Construction

grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing...

5.1CVSS6.1AI score0.00288EPSS
Exploits0References5
NVD
NVD
added 4 days ago6 views

CVE-2026-54000

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to uncheck...

7CVSS0.00108EPSS
Exploits0References4
NVD
NVD
added 4 days ago7 views

CVE-2026-15143

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS0.00255EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42937

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with ...

6.9CVSS6.1AI score0.00524EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-15143

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS6.1AI score0.00255EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42919

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to uncheck...

7CVSS6.2AI score0.00108EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 4 days ago6 views

CVE-2026-55170

A flaw was found in OpenFGA, an authorization/permission engine. When using MySQL as the datastore, and authorization decisions depend on case-sensitive user strings, the system may incorrectly treat case-distinct values e.g., 'user:Alice' and 'user:alice' as equivalent. This can lead to improper...

5.4CVSS6AI score0.00341EPSS
Exploits0References8
OSSF Malicious Packages
OSSF Malicious Packages
added 5 days ago8 views

Malicious code in multer-orm (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fb45c09aa7a237b2b9ff18ccf6426b76a4f46e5ea665c7747f35a345940e161 multer-orm is a typosquat of the widely used multer middleware. Its README is copied from multer, but the package adds a load-time dropper in...

6.7AI score
Exploits0References6
Tenable Nessus
Tenable Nessus
added 5 days ago7 views

TencentOS Server 4: rust (TSSA-2026:0559)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0559 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

7.1CVSS6.1AI score0.00193EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 6 days ago4 views

CVE-2026-54268

A flaw was found in the @angular/common package of the Angular framework. A remote attacker could exploit a Denial of Service DoS vulnerability in the formatDate function, which is also used by the Angular DatePipe, by providing an excessively long and maliciously crafted date format string. This...

8.2CVSS5.9AI score0.00331EPSS
Exploits0References6
CVE
CVE
added last week22 views

CVE-2026-46672

The CVE-2026-46672 entry describes a local CSV formula-injection flaw in the @actual-app/cli before version 26.6.0. The CLI uses a hand-rolled CSV serializer in packages/cli/src/output.ts with an escapeCsv that only neutralizes RFC 4180 delimiters (comma, quote, newline) and does not neutralize c...

4.6CVSS6.1AI score0.00188EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/06 2:22 p.m.6 views

CVE-2026-55487

A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to bypass security checks by manipulating how package source strings are processed. By crafting a specially designed source string, an attacker could trick the system into approving and using a malicious...

8.8CVSS6.2AI score0.00118EPSS
Exploits1References4
EUVD
EUVD
added 2026/07/02 8:31 p.m.13 views

EUVD-2026-37811

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords...

7.5CVSS5.8AI score0.00185EPSS
Exploits0References4
OSV
OSV
added 2026/07/02 8:31 p.m.2 views

GHSA-Q62H-354G-5R85 Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords

Summary The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list password, secret, key, token, .credentials., vcapservices does not cover the standard .NET pattern ConnectionStrings: or Steeltoe...

7.5CVSS5.8AI score0.00185EPSS
Exploits0References5
NVD
NVD
added 2026/07/02 4:17 a.m.8 views

CVE-2026-57278

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.3CVSS0.0028EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/07/02 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-54903

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Oj Optimized JSON is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when...

6.3CVSS6AI score0.00253EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/01 4:11 p.m.7 views

Malicious code in npm-show-date-proof-strings (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 884f2797ddf6247c906bb97e72b3c0891551b260980811d50c7211ab2ea0bbcf The package's postinstall.js runs on every npm install and collects the installer's username via whoami and os.userInfo, hostname os.hostname, platfo...

6AI score
Exploits0References2
OSV
OSV
added 2026/07/01 4:11 p.m.3 views

MAL-2026-6791 Malicious code in npm-show-date-proof-strings (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 884f2797ddf6247c906bb97e72b3c0891551b260980811d50c7211ab2ea0bbcf The package's postinstall.js runs on every npm install and collects the installer's username via whoami and os.userInfo, hostname os.hostname, platfo...

6.1AI score
Exploits0References2
CVE
CVE
added 2026/06/30 11:42 p.m.25 views

CVE-2026-54903

Oj is a Ruby gem that contains a heap corruption vulnerability in Oj.load for JSON strings larger than 2 GB, caused by an integer overflow in buf_append_string (buf.h:61) that turns the length into a negative size_t, leading memcpy to copy out-of-bounds data and crash. Affected versions are those...

6.3CVSS5.8AI score0.00253EPSS
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/06/30 12:57 p.m.5 views

CVE-2026-58014

A flaw was found in GLib. An off-by-one error can occur in the gkeyfilegetlocalestringlist function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundar...

8.6CVSS5.7AI score0.00293EPSS
Exploits1References3
Rows per page
Query Builder