Lucene search
K

3738 matches found

Nuclei
Nuclei
added 9 hours ago17 views

MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

8.6CVSS7.1AI score0.01502EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday116 views

Microweber < 1.2.11 - CRLF Injection

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11. id: CVE-2022-0666 info: name: Microweber 1.2.11 - CRLF Injection author: ritikchaddha severity: high description: | CRLF Injection leads to Sta...

7.6CVSS6.9AI score0.44259EPSS
Exploits1References3
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in slds-lsp-client (npm)

The slds-lsp-client package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Salesforce SLD...

6.1AI score
Exploits0References3
OSV
OSV
added yesterday4 views

MAL-2026-10232 Malicious code in salesforce-vscode-slds (npm)

The salesforce-vscode-slds package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a...

6.1AI score
Exploits0References3
OSV
OSV
added yesterday3 views

MAL-2026-10228 Malicious code in chat-adapter-zoom (npm)

The chat-adapter-zoom package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Zoom...

6.1AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-59152

A flaw was found in the LangSmith Client SDK's TracingMiddleware. An attacker can send an HTTP request to a server running the TracingMiddleware, causing it to read an arbitrary file from its local filesystem. The contents of this file are then uploaded to LangSmith as a trace attachment. This...

5CVSS6.1AI score0.00174EPSS
Exploits0References4
Snyk
Snyk
added 6 days ago5 views

Incorrect Authorization

Overview github.com/nats-io/nats-server/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient enforcement of destination permission checks for...

6.5CVSS6.1AI score0.00428EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Incorrect Authorization

Overview github.com/nats-io/nats-server/v2/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient enforcement of destination permission checks for...

6.5CVSS6.1AI score0.00428EPSS
Exploits0References2
NVD
NVD
added 6 days ago6 views

CVE-2026-58254

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode...

6.5CVSS0.00428EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-58254 NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode...

5.3CVSS0.00428EPSS
Exploits0References4
CVE
CVE
added 6 days ago13 views

CVE-2026-58254

NATS Server (affected components: leafnode message trace destination checks) could allow a leafnode operator to send trace events to subjects that should be disallowed and use trace-only behavior to interfere with delivery/storage. Root cause: checks were applied to ordinary client connections bu...

6.5CVSS5.9AI score0.00428EPSS
Exploits0References4Affected Software1
RedHat Linux
RedHat Linux
added 6 days ago3 views

kernel: net/ipv6: ioam6: prevent schema length wraparound in trace fill

A flaw was found in the Linux kernel's IPv6 In-situ Operations, Administration, and Maintenance IOAM6 trace fill functionality. An integer overflow vulnerability exists in the ioam6filltracedata function, where the schema length calculation can wrap around due to being stored in an 8-bit unsigned...

9.8CVSS6.2AI score0.00409EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 6 days ago3 views

CVE-2026-8147

A flaw was found in MLflow. When authentication is enabled, any authenticated user can bypass experiment-level authorization controls on trace API endpoints. This is due to missing authorization validators, allowing unauthorized reading, deleting, and modifying of traces. This vulnerability can...

8.1CVSS7AI score0.00348EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-56566

Name of the Vulnerable Software and Affected Versions NATS Server versions prior to 2.14.3 NATS Server versions prior to 2.12.8 Description Message trace destination checks are not consistently applied to messages arriving through leafnode connections. This allows a leafnode operator to send trac...

6.5CVSS6.1AI score0.00428EPSS
Exploits0References9
OSV
OSV
added 2026/07/06 11:44 p.m.4 views

BIT-MLFLOW-2026-8147 Authorization Bypass in mlflow/mlflow

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying trac...

8.1CVSS7.2AI score0.00348EPSS
Exploits1References3
NVD
NVD
added 2026/07/06 4:16 p.m.7 views

CVE-2026-59152

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to...

5CVSS0.00174EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 2:26 p.m.4 views

CVE-2026-59152

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to...

5CVSS6AI score0.00174EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/06 2:26 p.m.16 views

CVE-2026-59152

The LangSmith Client SDKs’ TracingMiddleware had a vulnerability before version 0.8.18 where an HTTP request to a server running TracingMiddleware could trigger reading an arbitrary file from the server’s filesystem and uploading it to LangSmith as a trace attachment. This enables a trust-boundar...

5CVSS6AI score0.00174EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 2:26 p.m.3 views

CVE-2026-59152 Arbitrary server-side file read in LangSmith SDK TracingMiddleware

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to...

5CVSS6AI score0.00174EPSS
Exploits0References3
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-49365

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to fal...

5.3CVSS0.00363EPSS
Exploits0References2
Rows per page
Query Builder