Lucene search
+L

45778 matches found

NVD
NVD
added 1 hour ago2 views

CVE-2024-58361

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error...

7.1CVSS
Exploits0References2
Cvelist
Cvelist
added 2 hours ago7 views

CVE-2025-71394 SurrealDB before 2.2.2 Local File Read via DEFINE ANALYZER

SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and...

2.3CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2024-58361

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error...

7.1CVSS
Exploits0References3Affected Software1
CVE
CVE
added 2 hours ago8 views

CVE-2026-59173

CVE-2026-59173 affects Apache Traffic Server versions 9.0.0–9.1.13 and 10.0.0–10.1.2. It describes an Uncontrolled Resource Consumption (DoS) scenario associated with HTTP/2 flow-control behavior. Upstream remediation is to upgrade to 9.1.14 or 10.1.3, which fixes the issue. The CVE entry consist...

5.3AI score
Exploits0References2
Nuclei
Nuclei
added 7 hours ago51 views

Aquatronica Controller System <= 5.1.6 - Information Disclosure

Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...

9.3CVSS5.5AI score0.01443EPSS
Exploits1References4
Nuclei
Nuclei
added 7 hours ago32 views

Arcserve Unified Data Protection - Authentication Bypass

An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin function within wizardLogin. id: CVE-2024-0799 info: name: Arcserve Unified Data Protection -...

9.8CVSS8.6AI score0.04342EPSS
Exploits1References2
Nuclei
Nuclei
added 7 hours ago50 views

WordPress Restrict User Access <= 2.5 - Cross-Site Scripting

WordPress Restrict User Access – Membership Plugin with Force versions before 2.6 is vulnerable to Reflected Cross-Site Scripting via the 'ruasection' parameter in the admin level edit page. id: CVE-2024-29138 info: name: WordPress Restrict User Access = 2.5 - Cross-Site Scripting author: Shivam...

7.1CVSS8.3AI score0.00622EPSS
Exploits0References3
Nuclei
Nuclei
added 7 hours ago15 views

XWiki Platform - Cross-Site Scripting

XWiki Platform versions = 4.2-milestone-3 and = 16.5.0-rc-1 and = 17.0.0-rc-1 and = 4.2-milestone-3 and = 16.5.0-rc-1 and = 17.0.0-rc-1 and 17.3.0-rc-1 are vulnerable to reflected XSS in two templates. The vulnerability allows an attacker to execute malicious JavaScript code in the context of the...

6.5CVSS8AI score0.00634EPSS
Exploits1References3
Nuclei
Nuclei
added 7 hours ago29 views

iboss Secure Web Gateway - Stored Cross-Site Scripting

A cross-site scripting vulnerability has been found in iboss Secure Web Gateway up to version 10.1. The vulnerability affects the /login file of the Login Portal component, where manipulation of the redirectUrl parameter leads to cross-site scripting. The attack can be launched remotely and the...

6.1CVSS3.8AI score0.22002EPSS
Exploits4References5
Nuclei
Nuclei
added 7 hours ago15 views

LiquidFiles < 4.2 - User Enumeration via Password Reset

LiquidFiles filetransfer server before 4.2 contains a user enumeration vulnerability caused by distinguishable responses in password reset functionality, letting unauthenticated attackers enumerate valid user accounts, exploit requires no authentication. id: CVE-2025-56132 info: name: LiquidFiles...

7.3CVSS5.2AI score0.00648EPSS
Exploits1References2
Nuclei
Nuclei
added 7 hours ago12 views

Giga Messenger WordPress - Cross-Site Scripting

Giga Messenger WordPress plugin = 2.3.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

6.1CVSS8AI score0.00562EPSS
Exploits1References2
Nuclei
Nuclei
added 7 hours ago25 views

MPDV Mikrolab GmbH HYDRA X, MIP 2 & FEDRA 2 - Path Traversal

MPDV Mikrolab GmbH HYDRA X, MIP 2, and FEDRA 2 = Maintenance Pack 36 with Servicepack 8 week 36/2025 contain an unauthenticated local file disclosure vulnerability caused by improper validation of the "Filename" parameter in the public $SCHEMAS$ resource, letting attackers read arbitrary Windows ...

7.5CVSS8.5AI score0.03625EPSS
Exploits0References2
CVE
CVE
added yesterday39 views

CVE-2026-44974

CVE-2026-44974 affects the @hapi/content header parser. Before v6.0.2, Content.disposition() kept the last value for duplicate parameters while Content.type() kept the first for duplicate charset/boundary parameters, creating a parameter-smuggling primitive when duplicates are resolved inconsiste...

7.7CVSS5.2AI score0.00052EPSS
Exploits0References2
CVE
CVE
added yesterday14 views

CVE-2026-15091

CVE-2026-15091 affects IBM Engineering AI Hub versions 1.0.0, 1.1.0, and 1.2.0, where improper neutralization of input during web page generation could allow a remote attacker to execute arbitrary scripts. The connected IBM security bulletin confirms the issue and states a fix in version 1.3.0. I...

9.3CVSS5.3AI score
Exploits0References1
CVE
CVE
added yesterday31 views

CVE-2026-50163

The CVE concerns the oras-go library (OCI artifacts) prior to version 2.6.2, where ensureLinkPath in content/file/utils.go can return an unresolved hardlink target. During tar extraction, a hardlink entry with a relative Linkname could be resolved against the process CWD, allowing a path like pay...

7.1CVSS5.3AI score
Exploits0References4
CVE
CVE
added yesterday10 views

CVE-2026-50197

Summary: CVE-2026-50197 affects zalando/skipper’s OpenPolicyAgent integration. When clients use HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 without Content-Length, the opaAuthorizeRequestWithBody flow exposes an empty raw_body and parsed input.parsed_body to OPA, causing policy checks that rely...

7.8CVSS5.3AI score
Exploits0References4
Cvelist
Cvelist
added yesterday26 views

CVE-2026-50197 Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding: chunked / HTTP/2 requests

Skipper is an HTTP router and reverse proxy for service composition. Prior to 0.26.10, zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header, because the...

7.8CVSS
Exploits0References4
CVE
CVE
added yesterday35 views

CVE-2026-49284

The CVE affects SimpleSAMLphp SP: the ACS path permits a response from an unexpected IdP when an unsigned Response/InResponseTo combines with a signed assertion lacking SubjectConfirmationData/InResponseTo. A response from IdP B can be bound to SP state created for IdP A, allowing bypass of IdP-s...

7.1CVSS5.3AI score
Exploits0References3
NVD
NVD
added yesterday4 views

CVE-2026-49835

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...

5.9CVSS
Exploits0References3
CVE
CVE
added yesterday50 views

CVE-2026-63030

Summary (CVE-2026-63030 & related CVE-2026-60137): WordPress core pre-6.9.5/7.0.2 is vulnerable to an unauthenticated remote code execution chain via the REST API batch endpoint. The root cause is a route-confusion bug in WP_REST_Server::serve_batch_request_v1() that desynchronizes the per-sub-re...

9.8CVSS6AI score
Exploits15References2
Rows per page
Query Builder