CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

114 matches found

Positive Technologies•added 2026/06/10 12:0 a.m.•7 views

PT-2026-48541

internal/web/session.go and internal/web/oidc.go set HttpOnly and SameSite=Lax on every cookie but never Secure. A single plaintext request to the origin operator on a LAN, mistyped URL, HTTP→HTTPS not strictly enforced, reverse proxy misconfiguration discloses the session. Affected All released...

8.2CVSS5.6AI score0.00031EPSS

Exploits0References4

RedhatCVE•added 2026/06/05 7:43 p.m.•8 views

CVE-2026-8874

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS...

7.1CVSS5.5AI score0.00138EPSS

Exploits0References1

Positive Technologies•added 2026/06/03 12:0 a.m.•10 views

PT-2026-46048

Name of the Vulnerable Software and Affected Versions Securly Chrome Extension version 3.0.7 Description The extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP using the Fetch API. This represents an inconsistent implementation of Transport...

5.8AI score0.00138EPSS

Exploits0References4

AlpineLinux•added 2026/05/27 10:2 a.m.•11 views

CVE-2026-3012

A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability t...

8CVSS5.8AI score0.00251EPSS

Exploits0References12

OSSF Malicious Packages•added 2026/05/22 6:30 a.m.•12 views

Malicious code in xy-ai-chat (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5f9025a3fddb0d31a5cd9114850b0ca859acf96e54649d4d2a9fe286b7ca015c xy-ai-chat ships a Lit web component whose bundled main entry hardcodes two plain-HTTP endpoints on a bare IPv4 address:...

5.7AI score

Exploits0References2

OSSF Malicious Packages•added 2026/05/21 3:48 a.m.•11 views

Malicious code in @atlisp/mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5f4a9667f0a13220de9b838fde4fc16bd5aaa7f79d91f1122725e4799582515 The package's MCP server auto-injects a LISP bootstrap into every CAD command sent through cadSend/cadSendWithResult, plus connectcad's initAtlisp an...

6.3AI score

Exploits0References1

Vulnrichment•added 2026/02/27 6:8 p.m.•7 views

CVE-2026-27752 SODOLA SL902-SWTGW124AS <= 200.1.20 Cleartext Credential Transmission

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe network traffic between a user and the device can intercept credentials and reuse them to gain...

8.2CVSS6AI score0.00193EPSS

Exploits0References2

RedhatCVE•added 2026/01/07 9:28 a.m.•7 views

CVE-2019-12820

A vulnerability was found in the app 2.0 of the Shenzhen Jisiwei i3 robot vacuum cleaner. Actions performed on the app such as changing a password, and personal information it communicates with the server, use unencrypted HTTP. As an example, while logging in through the app to a Jisiwei account,...

5.6CVSS6AI score0.00479EPSS

Exploits0References1