Lucene search
K

492 matches found

Nuclei
Nuclei
added yesterday58 views

WordPress Embed Swagger <=1.0.0 - Cross-Site Scripting

WordPress Embed Swagger plugin 1.0.0 and prior contains a reflected cross-site scripting vulnerability due to insufficient escaping/sanitization and validation via the url parameter found in the /swagger-iframe.php file, which allows attackers to inject arbitrary web scripts onto the page. id:...

6.1CVSS6.4AI score0.03865EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday32 views

WordPress API Bearer Auth <20190907 - Cross-Site Scripting

WordPress API Bearer Auth plugin before 20190907 contains a cross-site scripting vulnerability. The server parameter is not correctly filtered in swagger-config.yaml.php. id: CVE-2019-16332 info: name: WordPress API Bearer Auth 20190907 - Cross-Site Scripting author: daffainfo severity: medium...

6.1CVSS6.4AI score0.05698EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday154 views

Fastify Swagger-UI - Information Disclosure

fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of @fastify/swagger-ui without baseDir set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is fixed in v2.1.0. Setting th...

5.3CVSS6.2AI score0.02001EPSS
Exploits0References2
CVE
CVE
added 2026/07/07 9:20 p.m.9 views

CVE-2026-54607

FastGPT exposed an SSRF issue in the HTTP-tool OpenAPI schema importer prior to 4.15.0-beta4. The importer validates only the top-level URL before handing refs to SwaggerParser.bundle, whose resolver can fetch and inline $ref URLs bypassing FastGPT’s internal-address guard, enabling an authentica...

7.7CVSS6AI score0.00238EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/07 9:20 p.m.24 views

CVE-2026-54607 FastGPT: SSRF in HTTP-tool OpenAPI schema importer via SwaggerParser $ref (bypasses the isInternalAddress guard)

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs without FastGPT's internal-address guard and returns...

7.7CVSS0.00238EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 9:20 p.m.10 views

CVE-2026-54607 FastGPT: SSRF in HTTP-tool OpenAPI schema importer via SwaggerParser $ref (bypasses the isInternalAddress guard)

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta4, the HTTP-tool OpenAPI schema importer validates only the top-level URL before passing it to SwaggerParser.bundle, whose remote reference resolver fetches $ref URLs without FastGPT's internal-address guard and returns...

7.7CVSS6AI score0.00238EPSS
Exploits0References6
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 9:44 a.m.15 views

Malicious code in swagger-express-routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 342bf1e361c6684c276c1afc618d78d82268e93898daddaef74873a49c6111b2 On require'swagger-express-routes', the package's main entry transitively loads src/utils/lib.min.js through src/connector/index.js line 1:...

5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/06/11 9:44 a.m.10 views

Malicious Package

Overview swagger-express-routes is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.4AI score
Exploits0References2
OSV
OSV
added 2026/06/11 9:44 a.m.12 views

MAL-2026-5636 Malicious code in swagger-express-routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 342bf1e361c6684c276c1afc618d78d82268e93898daddaef74873a49c6111b2 On require'swagger-express-routes', the package's main entry transitively loads src/utils/lib.min.js through src/connector/index.js line 1:...

5.7AI score
Exploits0References2
OSV
OSV
added 2026/05/05 10:20 p.m.6 views

GHSA-7WW3-XVF5-CXWM ciguard: Web UI is missing HTTP defence-in-depth headers

Summary ciguard's FastAPI Web UI src/ciguard/web/app.py does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy Medium, X-Frame-Options Medium, Sub-Resource-Integrity on /api/docs Medium, COOP / COEP / CORP Low, Permissions-Policy Low...

4.3CVSS5.8AI score
Exploits0References4
Wolfi
Wolfi
added 2026/04/11 2:51 a.m.9 views

GHSA-7MR4-XJXG-34G6 vulnerabilities

Vulnerabilities for packages: dask-gateway, dataplaneapi, fuse-overlayfs-snapshotter, golangci-lint, secrets-store-csi-driver, caddy, kyverno-policy-reporter-ui, cloud-provider-aws, helm-mapkubeapis, cis-operator, flux-helm-controller, argo-events, envoy-gateway, gcsfuse, kube-arangodb, coredns,...

6.1AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/02/12 12:0 a.m.7 views

GitLab 15.11 < 18.4.6 / 18.5 < 18.5.4 / 18.6 < 18.6.2 (CVE-2025-12029)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.4.6, 18.5 before 18.5.4, and 18.6 before 18.6.2 that could have, under certain circumstances, allowed an...

8CVSS5.6AI score0.00506EPSS
Exploits0References5
GithubExploit
GithubExploit
added 2026/02/05 2:20 p.m.145 views

swagger-xss

...

5.3AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/01/31 9:14 p.m.8 views

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

9.8CVSS6.2AI score0.0075EPSS
Exploits1References1
NVD
NVD
added 2026/01/30 9:15 p.m.18 views

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

9.8CVSS0.00603EPSS
Exploits0References5
EUVD
EUVD
added 2026/01/30 8:19 p.m.6 views

EUVD-2026-5007

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

9.3CVSS6.2AI score0.0075EPSS
Exploits1References5
NVD
NVD
added 2026/01/23 12:15 a.m.15 views

CVE-2026-24132

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema...

9.8CVSS0.00678EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/01/22 12:0 a.m.13 views

PT-2026-4314

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema...

7.7CVSS5.8AI score0.00678EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/01/21 12:30 a.m.19 views

CVE-2026-1194

A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was...

7.5CVSS5.3AI score0.00685EPSS
Exploits1References1
OSV
OSV
added 2026/01/20 12:30 a.m.7 views

GHSA-7F7M-83R3-P644 MineAdmin May Expose Sensitive Information to an Unauthorized Actor

A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was...

6.9CVSS5AI score0.00685EPSS
Exploits1References6
Rows per page
Query Builder