Lucene search
K

98 matches found

NVD
NVD
added yesterday6 views

CVE-2026-59801

9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under...

9.8CVSS
Exploits0References2
CVE
CVE
added 4 days ago38 views

CVE-2026-55882

Summary: Tilt (Tilt HUD server) before v0.37.4 exposes Go pprof endpoints under /debug with no access control, allowing unauthenticated network-accessible listeners to read memory and tokens via /debug/pprof/heap and /debug/pprof/goroutine, and potentially degrade performance via /debug/pprof/pro...

8.3CVSS6.2AI score0.00384EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/29 2:19 p.m.5 views

CVE-2026-55844

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2025.5.0, The iOS companion app ignores the SSID allowlist for internal networks. The app uses SSID to detect when to use the internal URL, but whenever the app cannot find any other URL to ...

7.5CVSS5.8AI score0.00161EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/25 6:3 p.m.7 views

EUVD-2026-39517

Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute...

8.8CVSS5.9AI score0.0033EPSS
Exploits0References4
CVE
CVE
added 2026/06/10 1:55 p.m.23 views

CVE-2026-53470

CVE-2026-53470 affects migration-planner. An authenticated attacker can exploit an improper access control on /api/v1/sources/{id}/image-url to bypass ownership checks and obtain presigned S3 URLs for other users’ Open Virtual Appliance (OVA) images, potentially downloading images containing long...

9.6CVSS5.5AI score0.0028EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.15 views

CVE-2026-5262

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input...

8CVSS5.5AI score0.00223EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/20 9:36 p.m.11 views

EUVD-2026-31199

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...

6.5CVSS5.8AI score0.00295EPSS
Exploits1References2
OSV
OSV
added 2026/05/20 3:32 p.m.15 views

GHSA-5WXR-W449-57CM Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions

Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...

5.9CVSS5.7AI score
Exploits0References4
EUVD
EUVD
added 2026/05/20 3:28 a.m.15 views

EUVD-2026-31059

The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wplocalizescript in post editor contexts without effective masking for...

4.3CVSS5.8AI score0.00285EPSS
Exploits0References2
NVD
NVD
added 2026/05/19 6:16 p.m.28 views

CVE-2026-47107

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and...

8.6CVSS0.0024EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/19 2:47 p.m.11 views

Insecure Storage of Sensitive Information

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information via the connectionSettings function. An attacker can gain unauthorized access to authentication tokens and impersonate other users by injectin...

8.8CVSS5.6AI score0.00275EPSS
Exploits0References2
OSV
OSV
added 2026/05/19 12:0 a.m.11 views

MAL-2026-4075 Malicious code in @antv/path-util (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
CVE
CVE
added 2026/05/15 6:45 p.m.36 views

CVE-2026-46407

Vvveb CMS contains an IDOR in the backend/admin/auth-token endpoint. An authenticated administrator can load another admin's REST API token list by supplying that user’s admin_id, leading to disclosure of sensitive tokens. The issue is fixed in version 1.0.8.3. No exploitation details are provide...

8.1CVSS5.8AI score0.00218EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 6:24 p.m.8 views

CVE-2026-44719

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a databaseid without verifying that the requesting user was a collaborator on that...

5.3CVSS5.8AI score0.00278EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/15 6:24 p.m.11 views

EUVD-2026-30587

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a databaseid without verifying that the requesting user was a collaborator on that...

5.3CVSS5.8AI score0.00278EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 7:48 a.m.8 views

CVE-2026-4663

...

5.8AI score0.00075EPSS
Exploits0
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.39 views

CVE-2026-4663

...

0.00075EPSS
Exploits0
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.14 views

n8n-MCP 日志信息泄露漏洞

n8n-MCP is a model context protocol server developed by Romuald Członkowski, an individual developer. Versions of n8n-MCP prior to 2.47.11 contained a vulnerability related to log information leakage. This vulnerability occurred when POST /mcp requests under HTTP transmission mode wrote metadata...

5.3CVSS5.8AI score0.00255EPSS
Exploits0References2
OSV
OSV
added 2026/04/24 9:11 a.m.6 views

BIT-GITLAB-2026-5262 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input...

8CVSS5.4AI score0.00223EPSS
Exploits0References4
Rows per page
Query Builder