2230 matches found

NVD
added 1 hour ago | 4 views

CVE-2026-50645

There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by...

Exploits: 0 | References: 2

Nuclei
added 9 hours ago | 4 views

Unlimited Elements for Elementor <= 1.5.93 - Cross Site Scripting

Unlimited Elements For Elementor Free Widgets, Addons, Templates versions up to 1.5.93 contain a reflected cross-site scripting caused by improper neutralization of input during web page generation, letting attackers execute malicious scripts in the victim's browser, exploit requires attacker to...

CVSS 7.1 | AI score 8.1 | EPSS 0.11631
Exploits: 0 | References: 3

CVE
added 3 days ago | 14 views

CVE-2026-49955

Hermes WebUI vulnerable before version 0.51.270 to resource exhaustion via the passkey/options endpoint. Unauthenticated remote attackers can degrade availability by repeatedly posting to the authentication endpoint, causing unbounded growth of the challenge store and high CPU/disk I/O due to rep...

CVSS 6.9 | AI score 5.5 | EPSS 0.00148
Exploits: 0 | References: 5

Patchstack
added 4 days ago | 5 views

WordPress Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Romain Deperne ang3L in WordPress Plugin Unlimited Elementor Inner Sections By BoomDevs versions <= 1.3.3...

CVSS 6.4 | AI score 5.4 | EPSS 0.00042
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 4 days ago | 6 views

PT-2026-47612

Impact: DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls...

CVSS 7.5 | AI score 7.3 | EPSS 0.9439
Exploits: 19 | References: 5

Positive Technologies
added 4 days ago | 8 views

PT-2026-47611

For each non-complete SctpMessage fragment the handler does fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf)), wrapping the previous accumulator and the new slice into a new CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding...

CVSS 7.5 | AI score 5.7
Exploits: 0 | References: 5

RedhatCVE
added last week | 4 views

CVE-2025-46638

Dell BSAFE SSL-J contains an allocation of resources without limits or throttling vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to a Denial of Service (DoS)...

CVSS 7.5 | AI score 5.5 | EPSS 0.00109
Exploits: 0 | References: 1

RedhatCVE
added last week | 6 views

CVE-2026-5486

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'datafiltersearch' parameter in the getcataddons AJAX action in versions up to and including 2.0.7. This is due to insufficient input sanitization and the use of deprecated escaping functions combined...

CVSS 6.5 | AI score 5.9 | EPSS 0.00048
Exploits: 0 | References: 1

RedhatCVE
added last week | 6 views

CVE-2026-45023

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/blockid/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in th...

CVSS 5.4 | AI score 5.7 | EPSS 0.00065
Exploits: 0 | References: 1

RedhatCVE
added last week | 5 views

CVE-2026-2402

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints...

CVSS 6.9 | AI score 5.6 | EPSS 0.00066
Exploits: 0 | References: 1

RedhatCVE
added last week | 5 views

CVE-2026-40608

Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers /api/state, /api/restore, and /api/history-svg that process incoming requests by accumulating the entire request body into a...

CVSS 6.2 | AI score 5.5 | EPSS 0.00017
Exploits: 1 | References: 1

RedhatCVE
added last week | 5 views

CVE-2026-33756

Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an...

CVSS 7.5 | AI score 5.4 | EPSS 0.00115
Exploits: 0 | References: 1

RedhatCVE
added last week | 5 views

CVE-2026-40586

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the login form handler performs no throttling of any kind. Failed authentication attempts are processed at full network speed with no IP-based rate limiting, no per-account attempt counter, no temporary lockout, no progressiv...

CVSS 7.5 | AI score 5.5 | EPSS 0.00052
Exploits: 0 | References: 1

RedhatCVE
added last week | 5 views

CVE-2026-48837

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8...

CVSS 8.5 | AI score 5.6 | EPSS 0.00033
Exploits: 0 | References: 1

OSV
added last week | 4 views

GHSA-5549-C5Q7-FJ65 Vantage6: No limit on emails sent for password/MFA reset

Impact: Users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someone's mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam...

CVSS 2.1 | AI score 5.5
Exploits: 0 | References: 4

Github Security Blog
added last week | 10 views

Vantage6: No limit on emails sent for password/MFA reset

Impact: Users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someone's mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam...

AI score 5.5
Exploits: 0 | References: 4 | Affected Software: 1

Redos
added 2026/06/05 12:0 a.m. | 3 views

ROS-20260605-73-0044

The vulnerability in Tomcat10 is related to unlimited resource allocation. Exploiting this vulnerability can allow a remote attacker to cause service interruptions...

CVSS 7.5 | AI score 7.2 | EPSS 0.00069
Exploits: 0

Redos
added 2026/06/05 12:0 a.m. | 3 views

ROS-20260605-73-0045

The vulnerability in Tomcat11 is related to unlimited resource allocation. Exploiting this vulnerability can allow a remote attacker to cause service interruptions...

CVSS 7.5 | AI score 7.2 | EPSS 0.00069
Exploits: 0

EUVD
added 2026/06/04 5:55 p.m. | 7 views

EUVD-2026-34316

Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping...

CVSS 8.6 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 3

RedHat Linux
added 2026/06/04 1:27 p.m. | 3 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

CVSS 7.5 | AI score 6.8 | EPSS 0.00045
Exploits: 0 | References: 8