Lucene search
+L

1830 matches found

cve
cve
added yesterday35 views

CVE-2026-46339

Summary: CVE-2026-46339 affects 9Router, where middleware did not protect /api/cli-tools/* and /api/mcp/* until a fix in 0.4.37. Connected sources describe unauthenticated registration of custom MCP plugins via /api/cli-tools/cowork-settings and command execution through the MCP bridge, enabling ...

10CVSS6.2AI score0.00147EPSS
Exploits0References2
attackerkb
attackerkb
added yesterday3 views

CVE-2026-59255

BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting a...

7.1CVSS6.1AI score
Exploits0References5
euvd
euvd
added yesterday4 views

EUVD-2026-44754

BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting a...

7.1CVSS6.1AI score
Exploits0References4
euvd
euvd
added 2 days ago4 views

EUVD-2026-43548

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation historie...

8.7CVSS6.1AI score0.00371EPSS
Exploits0References3
nvd
nvd
added 3 days ago9 views

CVE-2026-62328

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation historie...

8.7CVSS0.00371EPSS
Exploits0References2
attackerkb
attackerkb
added 3 days ago5 views

CVE-2026-62328

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation historie...

8.7CVSS6.1AI score0.00371EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/07/07 4:40 p.m.9 views

CVE-2026-13019

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS6AI score0.0041EPSS
Exploits0References2
cve
cve
added 2026/07/07 4:40 p.m.20 views

CVE-2026-13019

Esri Portal for ArcGIS, versions 12.1 and earlier, on Windows/Linux/Kubernetes, has a missing authentication flaw for a critical function, allowing a remote, unauthenticated attacker to access an unprotected API. The CVSSv3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with base score 9.8 (CRIT...

9.8CVSS6AI score0.0041EPSS
Exploits0References1Affected Software1
ptsecurity
ptsecurity
added 2026/07/07 12:0 a.m.12 views

PT-2026-56204

Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions prior to 12.2 Description Esri Portal for ArcGIS on Windows, Linux, and Kubernetes contains a flaw where a critical function lacks proper authentication. This allows a remote, unauthenticated attacker to access ...

9.8CVSS6AI score0.0041EPSS
Exploits0References9
patchstack
patchstack
added 2026/07/06 9:37 p.m.6 views

NPM: 9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover

NPM: 9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover vulnerability discovered by ? in WordPress Npm 9router versions = 0.4.71...

9.9CVSS5.9AI score0.00685EPSS
Exploits0References2Affected Software1
cve
cve
added 2026/07/02 7:42 p.m.15 views

CVE-2026-59097

Taiga (software) prior to version 6.10.2 contains a missing authorization vulnerability that lets unauthenticated remote attackers create default due-date records in any project by abusing unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. An arbitrary project id...

6.9CVSS6AI score0.00344EPSS
Exploits0References5
snyk
snyk
added 2026/07/01 7:1 p.m.6 views

Unprotected Alternate Channel

Overview repomix is an A tool to pack repository contents to single file for AI consumption Affected versions of this package are vulnerable to Unprotected Alternate Channel through the attachpackedoutput process. An attacker can access sensitive information from arbitrary local .json, .txt, .md,...

6.9CVSS6AI score0.00028EPSS
Exploits0References2
euvd
euvd
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40416

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References4
cve
cve
added 2026/06/30 9:6 p.m.20 views

CVE-2026-58448

CVE-2026-58448 affects yudao-cloud (BPM module) prior to 2026.06. A broken access control flaw allows any authenticated user to read arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected GET endpoint that lacks the @PreAuthorize annotati...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/30 9:6 p.m.38 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/06/30 9:6 p.m.7 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/06/30 9:5 p.m.9 views

CVE-2026-58446 Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS5.8AI score0.00437EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/30 12:0 a.m.10 views

PT-2026-53997

Name of the Vulnerable Software and Affected Versions yudao-cloud versions prior to 2026.06 Description A broken access control issue exists in the BPM module. An authenticated user can access arbitrary process instance records by providing a caller-controlled process-instance identifier to an...

7.1CVSS6AI score0.00235EPSS
Exploits0References8
cvelist
cvelist
added 2026/06/25 9:41 p.m.23 views

CVE-2025-71327 Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS0.0046EPSS
Exploits1References2
osv
osv
added 2026/06/25 9:41 p.m.5 views

CVE-2025-71327 Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS6.1AI score0.0046EPSS
Exploits1References4
Rows per page
Query Builder