CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 8 hours ago•4 views

CVE-2026-36176

GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs PUT requests in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface...

7.1CVSS5.8AI score

NVD•added yesterday•6 views

CVE-2026-36176

7.1CVSS

Exploits0References3

Nuclei•added yesterday•99 views

Langflow AI <= 1.6.9 - CORS Misconfiguration

Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint. id:...

9.4CVSS8AI score0.32746EPSS

Exploits3References3

ATTACKERKB•added yesterday•3 views

CVE-2026-36176

7.1CVSS5.8AI score

Exploits0References4

EUVD•added yesterday•4 views

EUVD-2026-34279

7.1CVSS5.8AI score

Exploits0References3

The Hacker News•added 2 days ago•7 views

One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code VS Code that makes it possible to steal a user's GitHub token. "Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones...

5.8AI score

Exploits0

The Hacker News•added 2 days ago•5 views

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse t...

7.7CVSS5.8AI score0.00046EPSS

Exploits0

Positive Technologies•added 2 days ago•6 views

PT-2026-46125

Summary The environment variables KERNEL XXX used during the rendering of the Kubernetes manifest are vulnerable to Server Side Template Injection SSTI. By including Jinja2 template expressions it is possible to execution Python code and OS Commands in the Enterprise Gateway service. The code can...

10CVSS6.4AI score

Exploits0References3

Cvelist•added 4 days ago•23 views

CVE-2026-49139 Nanobot < 0.2.1 SSRF via Microsoft Teams Channel serviceUrl Poisoning

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the...

7CVSS0.00132EPSS

Exploits0References4

Snyk•added 4 days ago•4 views

Cross-site Scripting (XSS)

Overview @vitest/browser is a Browser running for Vitest Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript in the context...

9.6CVSS5.8AI score

OSSF Malicious Packages•added 4 days ago•7 views

Malicious code in @redhat-cloud-services/hcc-kessel-mcp (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

5.9AI score

Cvelist•added 2026/05/29 8:4 a.m.•30 views

CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request

CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account...

7.5CVSS0.00083EPSS

CVE•added 2026/05/29 8:4 a.m.•10 views

CVE-2026-10056

CVE-2026-10056 – Nx Witness VMS : A CORS misconfiguration in the REST API (pre-6.1.2) running in Standard security mode on Linux/Windows allows an unauthenticated attacker to exfiltrate a user session token and perform Administrator Account Takeover via a malicious cross-origin page. The High sec...

ATTACKERKB•added 2026/05/29 8:4 a.m.•4 views

CVE-2026-10056

EUVD•added 2026/05/29 8:4 a.m.•6 views

EUVD-2026-33262

Vulnrichment•added 2026/05/29 8:4 a.m.•6 views

CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request

SUSE CVE•added 2026/05/29 1:20 a.m.•20 views

SUSE CVE-2026-45321

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...

9.6CVSS6AI score0.17051EPSS

Exploits3References3

Positive Technologies•added 2026/05/29 12:0 a.m.•5 views

PT-2026-44762

CNNVD•added 2026/05/29 12:0 a.m.•5 views

Home Assistant 安全漏洞

Home Assistant is an open-source family automation management system developed by Home Assistant. This system is primarily used to control household automation devices. Versions of Home Assistant prior to 2026.4.1 for iOS and 2026.4.4 for Android have security vulnerabilities. These vulnerabiliti...

8.3CVSS6.1AI score0.0002EPSS