Lucene search
K

100849 matches found

IBM Security Bulletins
IBM Security Bulletins
added yesterday2 views

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version v12.1.1.1 Vulnerability Details CVEID:CVE-2026-42342 DESCRIPTION: React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certai...

9.1CVSS7AI score0.0048EPSS
Exploits3Affected Software1
OSV
OSV
added yesterday2 views

JLSEC-2026-737 TLS 1.3 post-handshake authentication (PHA) issue where a server could accept a client's Finished...

TLS 1.3 post-handshake authentication PHA issue where a server could accept a client's Finished message without the client having sent a Certificate and CertificateVerify. The post-handshake-auth exemption that allows an empty/absent peer certificate was only intended for the initial handshake, b...

6CVSS6.1AI score0.00143EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added yesterday5 views

NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode

Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode Summary When netlicensing-mcp is run in HTTP transport mode, the ApiKeyMiddleware fails to enforce authentication: requests that carry no client API key are unconditionally forwarded to the next handler server.py:1427. The...

6.1AI score
Exploits0References4Affected Software1
OSV
OSV
added yesterday2 views

GHSA-X9VC-9FFQ-P3GJ NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode

Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode Summary When netlicensing-mcp is run in HTTP transport mode, the ApiKeyMiddleware fails to enforce authentication: requests that carry no client API key are unconditionally forwarded to the next handler server.py:1427. The...

8.1CVSS6.1AI score
Exploits0References4
The Hacker News
The Hacker News
added yesterday6 views

Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attack

Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by its Security Update Guide count, more than triple June's previous high of around 200. Those two live bugs are the...

9.1CVSS6.5AI score
Exploits0
NVD
NVD
added yesterday3 views

CVE-2026-48038

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link schemas. When validate is called without try/catch in a reque...

5.3CVSS0.00039EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added yesterday5 views

Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder

Summary The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service. Details io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The...

6.1AI score
Exploits0References2Affected Software1
OSV
OSV
added yesterday2 views

GHSA-VHCH-2WF3-M8RP Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder

Summary The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service. Details io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The...

7.5CVSS6.1AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-Q3V2-XJ35-9GRX Umbraco.AI discloses sensitive application configuration values

Impact Under certain configurations, a user with elevated privileges may be able to cause sensitive application configuration values, potentially including secret material such as credentials, to be disclosed. Successful exploitation could expose confidential information and, depending on what th...

4.9CVSS6.1AI score
Exploits0References4
Github Security Blog
Github Security Blog
added yesterday4 views

Umbraco.AI discloses sensitive application configuration values

Impact Under certain configurations, a user with elevated privileges may be able to cause sensitive application configuration values, potentially including secret material such as credentials, to be disclosed. Successful exploitation could expose confidential information and, depending on what th...

6.1AI score
Exploits0References4Affected Software1
EUVD
EUVD
added yesterday4 views

EUVD-2026-44390

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link schemas. When validate is called without try/catch in a reque...

5.3CVSS6.1AI score0.00039EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday10 views

CVE-2026-48038 joi: Uncaught RangeError on deeply nested input through recursive `link()` schemas

joi is a schema description language and data validator for JavaScript. Prior to 17.13.4 and 18.2.1, denial of service is possible via an untrapped exception in services validating user-supplied JSON or object input with recursive link schemas. When validate is called without try/catch in a reque...

5.3CVSS0.00039EPSS
Exploits0References4
CVE
CVE
added yesterday35 views

CVE-2026-48038

Joi (JavaScript) vulnerability CVE-2026-48038: In versions prior to 17.13.4 and 18.2.1, validation of deeply nested user input via recursive link() schemas can trigger an unhandled RangeError when validate() runs without try/catch, potentially crashing the process. Fixed in 17.13.4 and 18.2.1. CV...

5.3CVSS6.1AI score0.00039EPSS
Exploits0References4
NVD
NVD
added yesterday4 views

CVE-2026-45753

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes omits URL-valued attributes including action, formaction, poster, and cite, so configurations that adm...

2.1CVSS0.00082EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-45753

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes omits URL-valued attributes including action, formaction, poster, and cite, so configurations that adm...

2.1CVSS6.1AI score0.00082EPSS
Exploits0References6Affected Software2
OSV
OSV
added yesterday2 views

CVE-2026-45753 Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascript: URI Survives Sanitization (XSS)

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes omits URL-valued attributes including action, formaction, poster, and cite, so configurations that adm...

2.1CVSS6.1AI score0.00082EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added yesterday2 views

CVE-2026-45753 Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascript: URI Survives Sanitization (XSS)

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes omits URL-valued attributes including action, formaction, poster, and cite, so configurations that adm...

2.1CVSS6.1AI score0.00082EPSS
Exploits0References5
EUVD
EUVD
added yesterday3 views

EUVD-2026-44344

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes omits URL-valued attributes including action, formaction, poster, and cite, so configurations that adm...

2.1CVSS6.1AI score0.00082EPSS
Exploits0References5
Cvelist
Cvelist
added yesterday14 views

CVE-2026-45753 Symfony: HtmlSanitizer UrlAttributeSanitizer Omits action/formaction/poster/cite — javascript: URI Survives Sanitization (XSS)

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlAttributeSanitizer::getSupportedAttributes omits URL-valued attributes including action, formaction, poster, and cite, so configurations that adm...

2.1CVSS0.00082EPSS
Exploits0References5
CVE
CVE
added yesterday22 views

CVE-2026-45753

In Symfony HTML sanitizer, the UrlAttributeSanitizer ignored certain URL-valued attributes (action, formaction, poster, cite) because getSupportedAttributes() omitted them. Configurations with permissive element/attribute allowances could let javascript: URIs bypass sanitization, enabling XSS whe...

2.1CVSS6.1AI score0.00082EPSS
Exploits0References5
Rows per page
Query Builder