Lucene search
K

323884 matches found

Github Security Blog
Github Security Blog
added 12 minutes ago0 views

Kite has an authenticated cluster RBAC bypass in /api/v1/overview

Summary Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware and GetOverview only checks lenuser.Roles 0, so it returns...

Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 13 minutes ago0 views

ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)

Summary RaTeX’s recursive-descent parser recurses one or more native stack frame per nesting level at , \left, \sqrt, ^, etc, with no maximum depth limit. A short, 10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort" Cargo.toml:48, and...

Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 13 minutes ago0 views

ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice)

Summary The public parser entrypoint ratexparser::parse&str panics on the 9-byte input \verbéxé i.e. \verb followed by the non-ASCII delimiter é. When handling a \verb command, the parser slices the verbatim argument with byte indices arg1..arg.len - 1; if the delimiter character is multibyte...

Exploits0References2Affected Software1
GithubExploit
GithubExploit
added 1 hour ago4 views

Exploit for Path Traversal in Adobe Coldfusion

CVE-2026-48282 — Adobe ColdFusion RDS Validation and Detection...

10CVSS7.9AI score0.01021EPSS
Exploits3
NVD
NVD
added 1 hour ago3 views

CVE-2026-45796

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS0.00071EPSS
Exploits0References9
NVD
NVD
added 1 hour ago3 views

CVE-2026-46354

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS0.0003EPSS
Exploits0References8
NVD
NVD
added 1 hour ago3 views

CVE-2026-28378

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS
Exploits0References1
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42076

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin...

5.5CVSS6.1AI score
Exploits0References5
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42072

HTTP::Tiny versions before 0.095 for Perl forward credential headers to cross-origin redirect targets. When the server returns a 3xx redirect, mayberedirect follows the Location: header and prepareheadersandcb re-merges the caller's headers argument into the new request, without checking whether...

7.1CVSS6AI score
Exploits0References7
CVE
CVE
added 2 hours ago26 views

CVE-2026-46354

Summary: A PKCS#7 signature bypass in Coder (Coder v2 before patches) allows unauthenticated token theft via Azure instance identity. The issue stems from azureidentity.Validate() validating only the signer certificate chain, not the signature itself, enabling forged PKCS#7 envelopes containing a...

9.1CVSS6.1AI score0.0003EPSS
Exploits0References8
Cvelist
Cvelist
added 2 hours ago3 views

CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS0.0003EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2 hours ago1 views

CVE-2026-46354

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS0.0003EPSS
Exploits0References9Affected Software1
CVE
CVE
added 2 hours ago3 views

CVE-2026-28378

The CVE-2026-28378 entry describes a vulnerability in Grafana where the public dashboard deletion endpoint does not enforce organization isolation. An Org Admin in one organization can delete public dashboards belonging to another organization by supplying the target dashboard identifiers. Impact...

3.1CVSS5.9AI score
Exploits0References1
Cvelist
Cvelist
added 2 hours ago3 views

CVE-2026-28378 Cross-Organization Public Dashboard Deletion via Missing Org Isolation

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS
Exploits0References1
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42109

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS5.9AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-28378

The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...

3.1CVSS
Exploits0References2Affected Software2
CVE
CVE
added 2 hours ago30 views

CVE-2026-45796

Summary of CVE-2026-45796 : Coder versions prior to 2.33.3 (and older releases in the 2.32.2, 2.31.12, 2.30.8, 2.29.13, and 2.24.5 lines) are vulnerable to an unauthenticated semi-blind SSRF via the Azure Instance Identity Endpoint at POST /api/v2/workspaceagents/azure-instance-identity. An attac...

6.5CVSS6.1AI score0.00071EPSS
Exploits0References9
Cvelist
Cvelist
added 2 hours ago2 views

CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS0.00071EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2 hours ago1 views

CVE-2026-45796

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS0.00071EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2 hours ago0 views

@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers

Am I affected? Users are affected if all of these hold: - They install and register the @better-auth/scim plugin plugins: scim. - They create SCIM providers without an organizationId, that is, non-organization "personal" providers. Organization-scoped providers are not affected because they enfor...

Exploits0References3Affected Software1
Rows per page
Query Builder