Lucene search
K

866 matches found

ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-57111

Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...

7.5CVSS6AI score0.00269EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/07 8:27 p.m.33 views

CVE-2026-55633 DataEase H2 RCE via Zip Protocol & File Dropper Fix bypass

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows an authenticated attacker to upload a zip archive disguised with a .ttf extension through FontManage.saveFile and then exploit it through the zip protocol...

8.7CVSS0.00501EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 10:17 a.m.4 views

PYSEC-2026-971 Tensorflow vulnerable to Out-of-Bounds Read

Impact When the BaseCandidateSamplerOp function receives a value in trueclasses larger than rangemax, a heap oob vuln occurs. python tf.rawops.ThreadUnsafeUnigramCandidateSampler trueclasses=0x100000,1, numtrue = 2, numsampled = 2, unique = False, rangemax = 2, seed = 2, seed2 = 2 Patches We have...

6.8CVSS5.9AI score0.0038EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.15 views

PT-2026-56064

Name of the Vulnerable Software and Affected Versions Langroid versions prior to 0.65.3 Description An application using this framework that exposes a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads. This occurs even when tools are registered with use=Fals...

8.1CVSS6AI score0.00392EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/05 6:55 a.m.11 views

CVE-2026-14781

A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the emailverified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but...

4.8CVSS6.1AI score0.00196EPSS
Exploits0References3
Jake Archibald's Blog
Jake Archibald's Blog
added 2026/06/29 1:0 a.m.14 views

The Goldilocks customizable select height

I recently gave a talk on customizable as in fully-stylable , and as I was building demos I realised there's a sizing 'pattern' that's almost always the-one-you-want, but it took me a long time to figure out how to do it in CSS. Well, I say I figured it out. I actually failed, and asked a bunch o...

6AI score
Exploits0
NVD
NVD
added 2026/06/23 6:18 p.m.9 views

CVE-2026-49402

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...

8.1CVSS0.00283EPSS
Exploits1References1
OSV
OSV
added 2026/06/19 9:42 p.m.10 views

GHSA-8W8F-R2XV-4Q4J OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types

On OpenBao 2.5.4 and 2.5.2and likely earlier versions also, an authenticated caller with write access to transit/keys/ can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type rsa-, ecdsa-, ed25519 with derived: true. The server returns no HTTP respon...

6.5CVSS6AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.16 views

PT-2026-51111

Name of the Vulnerable Software and Affected Versions OpenBao versions 2.5.2 through 2.5.4 Description An authenticated user with write access to the transit/keys/ endpoint can cause a denial-of-service by crashing the server. This occurs when a key-creation request is sent combining an asymmetri...

6.5CVSS5.9AI score
Exploits0References7
OSV
OSV
added 2026/06/16 11:48 a.m.5 views

BIT-MONGODB-2026-9747 Crafted cross-shard merge aggregation crashes MongoDB Server

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

7.1CVSS5.2AI score0.0027EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-49737

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.25 Description The CORS Middleware reflects the request Origin and sends Access-Control-Allow-Credentials: true when credentials: true is enabled and no explicit origin is defined defaulting to the wildcard. This...

7.1CVSS5.9AI score0.00248EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.12 views

PT-2026-49555

Name of the Vulnerable Software and Affected Versions markdown-it affected versions not specified Description A quadratic time complexity issue exists in the smartquotes rule when the typographer: true option is enabled. An attacker can provide markdown input containing a large number of...

5.3CVSS5.2AI score0.00306EPSS
Exploits1References9
Cvelist
Cvelist
added 2026/06/12 2:15 p.m.29 views

CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

10CVSS0.00382EPSS
Exploits0References5
CVE
CVE
added 2026/06/12 2:15 p.m.27 views

CVE-2026-47137

Summary (CVE-2026-47137): The vm2 sandbox (NodeVM) had a bypass in versions prior to 3.11.4 where nesting: true with an unspecified require allowed full host RCE. The issue arose because a security check (options.nesting === true && options.require === false) only catches explicit require: false;...

10CVSS5.1AI score0.00382EPSS
Exploits0References5
OSV
OSV
added 2026/06/12 2:15 p.m.3 views

CVE-2026-47137 vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is...

10CVSS5.9AI score0.00382EPSS
Exploits0References7
Packet Storm News
Packet Storm News
added 2026/06/12 12:0 a.m.10 views

FreeType Experimental TrueType Glyph Construction

This Python code outlines an experimental framework for constructing synthetic TrueType font structures intended for studying parser behavior, glyph-processing logic, and edge-case handling within font-rendering pipelines...

5.3AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 a.m.12 views

CVE-2026-9747

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

7.1CVSS5.5AI score0.0027EPSS
Exploits0References1
Packet Storm News
Packet Storm News
added 2026/06/11 12:0 a.m.36 views

Font Generator for Embedded Bitmap and Color Glyph Pipeline Robustness Testing

This Python program constructs a handcrafted TrueType font file that combines multiple font subsystems - including embedded bitmap tables, color glyph definitions, glyph mapping structures, and minimal layout metadata - into a single synthetic test artifact...

5.3AI score
Exploits0
Packet Storm News
Packet Storm News
added 2026/06/10 12:0 a.m.30 views

Runtime Skill Audit: Targeted Runtime Probing for Agent Skill Security

Agent skills let LLM agents reuse instructions, resources, tools, and workflows, but they also create a new place for malicious behavior to hide. A skill may look benign in its documentation or code while becoming harmful only when it is invoked with particular user requests, local assets,...

5.7AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/06/09 10:5 p.m.9 views

CVE-2026-9747 Crafted cross-shard merge aggregation crashes MongoDB Server

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

7.1CVSS5.4AI score0.0027EPSS
Exploits0References1
Rows per page
Query Builder