
33 matches found

OSV
added 2026/06/23 6:18 p.m. | 4 views

DEBIAN-CVE-2026-52846

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert, can bypass the tag-stripping logic, potentially leaving dangerous...

CVSS 4.2 | AI score 5.8 | EPSS 0.00153
Exploits: 1 | References: 1
RedhatCVE
added 2026/06/02 10:52 p.m. | 13 views

CVE-2026-2614

A flaw was found in mlflow. An unauthenticated remote attacker can exploit a vulnerability in the createmodelversion handler by including a specific tag, mlflow.prompt.isprompt, in a CreateModelVersion request. This bypasses source path validation, allowing the attacker to specify an arbitrary...

CVSS 7.5 | AI score 7.1 | EPSS 0.00696
Exploits: 1 | References: 5
OSV
added 2026/05/28 8:50 a.m. | 8 views

BIT-MLFLOW-2026-2614 Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow

A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

CVSS 7.5 | AI score 7.3 | EPSS 0.00696
Exploits: 1 | References: 3
Metasploit
added 2026/05/14 7:0 p.m. | 300 views

Dolibarr ERP/CRM Authenticated Code Injection

Dolibarr ERP/CRM before 17.0.1 allows remote code execution by an authenticated user who has access to the Website module. The application filters lowercase use exploit/unix/http/dolibarrcmsrcecve202330253 msf exploitdolibarrcmsrcecve202330253 show targets ...targets... msf...

CVSS 8.8 | AI score 7.9 | EPSS 0.79335
Exploits: 16
Github Security Blog
added 2026/05/14 6:26 p.m. | 38 views

Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`

Summary Under the default configuration, sanitize-html can turn attacker-controlled content inside a disallowed xmp element into live HTML or JavaScript. This is a sanitizer bypass in the default disallowedTagsMode: 'discard' path and can lead to stored XSS in applications that render sanitized...

CVSS 9.3 | AI score 6 | EPSS 0.0037
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2026/05/14 3:18 p.m. | 56 views

CVE-2026-40893 Gotenberg: ExifTool Dangerous Tag Blocklist Bypass via Group-Prefixed Tag Names Allows Arbitrary File Rename and Move

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right through and ExifTool happily renames the file. This allows remote attackers to move, rename, and change permissions for arbitrary files...

CVSS 8.2 | EPSS 0.00347
Exploits: 1 | References: 1
CVE
added 2026/05/14 3:18 p.m. | 20 views

CVE-2026-40893

CVE-2026-40893 (Gotenberg/ExifTool blocklist bypass) Prior to 8.31.0, Gotenberg’s metadata processing only blocked the bare tag name (FileName), allowing group-prefixed tags like System:FileName to bypass the blocklist, enabling remote attackers to rename, move, or alter file permissions within t...

CVSS 8.2 | AI score 6 | EPSS 0.00347
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist
added 2026/05/11 7:2 p.m. | 41 views

CVE-2026-2614 Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow

A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

CVSS 7.5 | EPSS 0.00696
Exploits: 1 | References: 2
Vulnrichment
added 2026/05/11 7:2 p.m. | 8 views

CVE-2026-2614 Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow

A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

CVSS 7.5 | AI score 7.3 | EPSS 0.00696
Exploits: 1 | References: 2
Cvelist
added 2026/04/24 4:57 p.m. | 28 views

CVE-2026-41067 Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass

Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace o...

CVSS 6.1 | EPSS 0.00189
Exploits: 1 | References: 1
Github Security Blog
added 2026/04/22 7:55 p.m. | 13 views

Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping

Summary When dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a or block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...

CVSS 6.4 | AI score 5.8 | EPSS 0.00195
Exploits: 0 | References: 3 | Affected Software: 2
NVD
added 2026/04/02 9:16 a.m. | 6 views

CVE-2026-29135

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization...

CVSS 7.5 | EPSS 0.00252
Exploits: 0 | References: 1
Cvelist
added 2026/04/02 8:34 a.m. | 31 views

CVE-2026-29141 Bounded Subject Tag Sanitization

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to bypass subject sanitization and forge tags such as signed OK...

CVSS 7.7 | EPSS 0.00212
Exploits: 0 | References: 1
Vulnrichment
added 2026/04/02 8:31 a.m. | 4 views

CVE-2026-29135 Webmail Password Tag Sanitization Bypass

SEPPmail Secure Email Gateway before version 15.0.3 allows an attacker to craft a password-tag that bypasses subject sanitization...

CVSS 5.3 | AI score 5.9 | EPSS 0.00252
Exploits: 0 | References: 1
OSV
added 2026/03/05 8:16 p.m. | 3 views

DEBIAN-CVE-2026-28350

lxml_html_clean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.4, the tag passes through the default Cleaner configuration. While page_structure=True removes html, head, and title tags, there is no specific handling for , allowing an attacker to inje...

CVSS 6.1 | AI score 8.3 | EPSS 0.00254
Exploits: 1 | References: 1
Huntr
added 2026/02/10 7:2 p.m. | 33 views

Arbitrary File Read via Prompt Tag Source Validation Bypass in CreateModelVersion

The createmodelversion handler in mlflow/server/handlers.py uses a client-controlled tag to decide whether to skip source path validation. When a CreateModelVersion request includes the tag mlflow.prompt.isprompt, the helper ispromptrequest returns True, and the entire source validation block...

CVSS 7.5 | AI score 7.3 | EPSS 0.00696
Exploits: 1
NVD
added 2026/02/04 10:15 p.m. | 8 views

CVE-2026-25526

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing...

CVSS 9.8 | EPSS 0.00889
Exploits: 1 | References: 5
Cvelist
added 2026/02/04 9:45 p.m. | 28 views

CVE-2026-25543 HtmlSanitizer has a bypass via template tag

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its...

CVSS 6.3 | EPSS 0.00241
Exploits: 0 | References: 4
OSV
added 2026/02/04 9:45 p.m. | 7 views

CVE-2026-25543 HtmlSanitizer has a bypass via template tag

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its...

CVSS 6.3 | AI score 5.3 | EPSS 0.00241
Exploits: 0 | References: 6
Vulnrichment
added 2026/02/04 9:26 p.m. | 5 views

CVE-2026-25526 JinJava Bypass through ForTag leads to Arbitrary Java Execution

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing...

CVSS 9.8 | AI score 5.7 | EPSS 0.00889
Exploits: 1 | References: 5