Lucene search
K

1293 matches found

NVD
NVD
added 4 days ago6 views

CVE-2026-57575

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery SSRF vulnerability in URL preview functionality in UrlPreviewService. Due to missing network restrictions before establishing outbound connections, a remote attacker can...

6.9CVSS0.00347EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42768

decompress before 4.2.2 allows arbitrary hardlink creation during archive extraction, enabling file read disclosure and file corruption. When processing hardlink entries type === 'link', the x.linkname field from the archive is passed directly to fs.link without validation index.js line 113. An...

5.5CVSS6.1AI score0.00196EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 6 days ago6 views

CVE-2026-44918

A flaw was found in OpenStack Ironic. An authenticated project manager can change the node associated with Volume Connectors or Volume Target objects, potentially changing the project permitted to access the object. Volume Connectors contain secrets in environments configuring boot from volume wi...

8.7CVSS5.9AI score0.00426EPSS
Exploits0References5
EUVD
EUVD
added last week6 views

EUVD-2026-42076

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin...

5.5CVSS6.1AI score0.002EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2026/07/07 9:10 a.m.11 views

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities

A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in...

9.3CVSS8.2AI score0.83387EPSS
Exploits6
ATTACKERKB
ATTACKERKB
added 2026/07/07 3:21 a.m.6 views

CVE-2026-34037

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an...

9.9CVSS5.9AI score0.00247EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/02 5:22 p.m.14 views

GHSA-77Q5-RR5V-X43Q OpenClaw: Trusted retry endpoint checks could match hostname prefixes

Summary Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host. This advisory is scoped to the named feature and configuration. It does not...

7.1CVSS6AI score0.00265EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2026/07/02 8:0 a.m.9 views

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working...

9.8CVSS7.6AI score0.88505EPSS
Exploits8
OSV
OSV
added 2026/07/02 12:0 a.m.4 views

MAL-2026-6784 Malicious code in @marketfront/livestreampreviewpopup (npm)

The @marketfront/livestreampreviewpopup package is part of a 25-package malicious campaign batch-published to the @marketfront npm scope by npm user 'marketfront' [email protected] within a roughly 3-minute window on 2026-07-01. All packages in the campaign were published at version 7.0.0...

6.2AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/07/01 1:29 p.m.9 views

CVE-2026-54672

A flaw was found in electron-updater, a component used for automatic updates in Electron applications. This vulnerability arises because AppImage targets, built by app-builder-lib, incorrectly add the current working directory to the dynamic linker search path when setting the LDLIBRARYPATH...

7.8CVSS5.9AI score0.00129EPSS
Exploits0References5
CVE
CVE
added 2026/06/30 10:15 p.m.17 views

CVE-2026-54672

CVE-2026-54672 : The issue affects electron-updater with AppImage targets built by app-builder-lib prior to 26.15.0. At runtime, an empty path component in LD_LIBRARY_PATH can cause the current working directory to be added to the dynamic linker search path, potentially enabling an attacker to pl...

7.8CVSS6.1AI score0.00129EPSS
Exploits0References2
NVD
NVD
added 2026/06/29 6:16 p.m.11 views

CVE-2026-56783

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS0.00264EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/29 5:16 p.m.5 views

CVE-2026-56783

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/06/29 5:16 p.m.5 views

CVE-2026-56783 Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/29 5:16 p.m.35 views

CVE-2026-56783 Parseable < 2.9.2 - Cleartext Credential Exposure in Notification Target API

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS0.00264EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 5:16 p.m.7 views

EUVD-2026-40159

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including...

7.1CVSS5.8AI score0.00264EPSS
Exploits0References5
The Hacker News
The Hacker News
added 2026/06/29 3:3 p.m.20 views

Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

The China-aligned espionage group Mustang Panda is running two campaigns against the Indian government and hydropower targets, deploying new malware and turning a legitimate cloud service into its command channel. Acronis Threat Research Unit found active compromises inside Indian government...

5.9AI score
Exploits0
RedHat Linux
RedHat Linux
added 2026/06/29 2:36 a.m.7 views

perl-archive-tar: perl-archive-tar: Path traversal via crafted symlinks allows arbitrary file access

A flaw was found in perl-Archive-Tar. Versions before 3.08 for Perl are vulnerable to a path traversal issue. An attacker can craft a malicious tar archive containing symlinks with targets outside the intended extraction directory. This vulnerability allows the attacker to read or write to...

9.1CVSS5.9AI score0.0043EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.22 views

PT-2026-53660

Name of the Vulnerable Software and Affected Versions Parseable versions prior to 2.9.2 Description An information disclosure issue exists in the notification-target API endpoints where webhook tokens and basic-auth credentials are returned in cleartext. This occurs because the secret-masking...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References9
The Hacker News
The Hacker News
added 2026/06/27 5:27 p.m.26 views

Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

The Security Service of Ukraine SSU said it, together with the U.S. Federal Bureau of Investigation FBI, uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in...

5.8AI score
Exploits0
Rows per page
Query Builder