Lucene search
K

3723 matches found

Nuclei
Nuclei
added 8 hours ago17 views

MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

8.6CVSS7.1AI score0.01502EPSS
Exploits1References2
Nuclei
Nuclei
added 8 hours ago116 views

Microweber < 1.2.11 - CRLF Injection

CRLF Injection leads to Stack Trace Exposure due to lack of filtering at https://demo.microweber.org/ in Packagist microweber/microweber prior to 1.2.11. id: CVE-2022-0666 info: name: Microweber 1.2.11 - CRLF Injection author: ritikchaddha severity: high description: | CRLF Injection leads to Sta...

7.6CVSS6.9AI score0.44259EPSS
Exploits1References3
OSSF Malicious Packages
OSSF Malicious Packages
added 13 hours ago2 views

Malicious code in slds-lsp-client (npm)

The slds-lsp-client package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Salesforce SLD...

6.1AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 3 days ago7 views

CVE-2026-59152

A flaw was found in the LangSmith Client SDK's TracingMiddleware. An attacker can send an HTTP request to a server running the TracingMiddleware, causing it to read an arbitrary file from its local filesystem. The contents of this file are then uploaded to LangSmith as a trace attachment. This...

5CVSS6.1AI score0.00174EPSS
Exploits0References4
NVD
NVD
added 5 days ago6 views

CVE-2026-58254

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode...

5.3CVSS0.00428EPSS
Exploits0References4
CVE
CVE
added 5 days ago12 views

CVE-2026-58254

NATS Server (affected components: leafnode message trace destination checks) could allow a leafnode operator to send trace events to subjects that should be disallowed and use trace-only behavior to interfere with delivery/storage. Root cause: checks were applied to ordinary client connections bu...

5.3CVSS5.9AI score0.00428EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago36 views

CVE-2026-58254 NATS Server: Incomplete fix for CVE-2026-33249: Leaf node connections bypass Nats-Trace-Dest permission check

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.8, message trace destination checks were applied to ordinary client connections but not consistently to messages arriving through leafnode connections, allowing a leafnode...

5.3CVSS0.00428EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 5 days ago3 views

kernel: net/ipv6: ioam6: prevent schema length wraparound in trace fill

A flaw was found in the Linux kernel's IPv6 In-situ Operations, Administration, and Maintenance IOAM6 trace fill functionality. An integer overflow vulnerability exists in the ioam6filltracedata function, where the schema length calculation can wrap around due to being stored in an 8-bit unsigned...

9.8CVSS6.2AI score0.00409EPSS
Exploits0References5
OSV
OSV
added last week4 views

BIT-MLFLOW-2026-8147 Authorization Bypass in mlflow/mlflow

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying trac...

8.1CVSS7.2AI score0.00348EPSS
Exploits1References3
NVD
NVD
added last week7 views

CVE-2026-59152

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to...

5CVSS0.00174EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added last week4 views

CVE-2026-59152

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.8.18, an attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to...

5CVSS6AI score0.00174EPSS
Exploits0References2Affected Software1
CVE
CVE
added last week16 views

CVE-2026-59152

The LangSmith Client SDKs’ TracingMiddleware had a vulnerability before version 0.8.18 where an HTTP request to a server running TracingMiddleware could trigger reading an arbitrary file from the server’s filesystem and uploading it to LangSmith as a trace attachment. This enables a trust-boundar...

5CVSS6AI score0.00174EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 9:16 a.m.8 views

CVE-2026-49365

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to fal...

5.3CVSS0.00363EPSS
Exploits0References2
CVE
CVE
added 2026/07/06 8:15 a.m.12 views

CVE-2026-56139

CVE-2026-56139 concerns Apache Camel Undertow: the muteException option on the Undertow HTTP server consumer defaulted to false, causing processing errors to return the full Java stack trace in HTTP responses. This exposed sensitive information (credentials in messages, host/IPs, filesystem paths...

5.3CVSS5.8AI score0.00363EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:15 a.m.6 views

CVE-2026-56139

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false,...

5.8AI score0.00363EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/06 8:15 a.m.7 views

EUVD-2026-41851

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false,...

5.3CVSS5.8AI score0.00363EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:11 a.m.33 views

CVE-2026-49365 Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to fal...

0.00363EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:11 a.m.7 views

CVE-2026-49365

Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to fal...

5.8AI score0.00363EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/06 8:11 a.m.12 views

CVE-2026-49365

The vulnerability CVE-2026-49365 affects Apache Camel’s camel-netty-http server consumer. The root cause is that the default of muteException is false, so on route processing errors Camel writes the full Java stack trace into the HTTP response body instead of an empty body. This can disclose sens...

5.3CVSS5.8AI score0.00363EPSS
Exploits0References2Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.2 views

Malicious code in box-react-uix (npm)

The box-react-uix package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'box' internal...

6.1AI score
Exploits0References2
Rows per page
Query Builder