Lucene search
+L

86 matches found

NVD
NVD
added 2026/06/26 9:16 p.m.15 views

CVE-2026-54350

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write...

10CVSS0.00538EPSS
Exploits2References1
EUVD
EUVD
added 2026/06/24 6:32 p.m.7 views

EUVD-2026-38806

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to unsafe evaluation of user-controlled data in the Number Card component...

4.6CVSS5.9AI score0.00256EPSS
Exploits0References3
OSV
OSV
added 2026/06/18 8:14 p.m.6 views

GHSA-W9HF-3PP7-PVXV OpenClaw: Exported session HTML could keep unsafe markdown links

Summary Exported session HTML could keep unsafe markdown links. In affected versions, content rendered into an exported session could preserve unsafe javascript: or data: links in generated HTML. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's...

6.1CVSS5.6AI score0.00188EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/14 8:15 p.m.11 views

Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark

Impact Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured gist/WebDAV. The attacker can inject exec fields or global config to cause remote code to run when a bookmark is opened ...

9.4CVSS6.5AI score0.00234EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/14 8:15 p.m.23 views

GHSA-JGG9-RW32-44PJ Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark

Impact Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured gist/WebDAV. The attacker can inject exec fields or global config to cause remote code to run when a bookmark is opened ...

9.4CVSS6.5AI score0.00234EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/22 5:44 p.m.10 views

Inspektor Gadget: Command Injection via malicious buildOptions manipulation

Impacted Resources inspektor-gadget/cmd/common/image/build.go inspektor-gadget/cmd/common/image/helpers/Makefile.build Description The ig binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file...

7.8CVSS6AI score0.01281EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/04/20 7:23 p.m.7 views

CVE-2026-4666

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract$args, EXTROVERWRITE on user-controlled input in the edit method of classes/Posts.php in all versions up to, and including, 2.4.16. The postedit action handler in Actions.php passes...

6.5CVSS5.7AI score0.00331EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/16 1:22 p.m.7 views

CVE-2025-54550

The example examplexcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly...

8.1CVSS6.1AI score0.00579EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/14 8:0 p.m.8 views

free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication

Summary An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface SBI to retrieve stored subscriber identifiers SUPI/IMSI with a single HTTP GET request requiring no parameters or credentials. Details The endpoint...

7.5CVSS5.8AI score0.00506EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/07 12:57 p.m.2 views

CVE-2026-33865 Stored XSS via unsafe YAML parsing in MLflow

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

5.1CVSS6AI score0.00218EPSS
Exploits1References7
Snyk
Snyk
added 2026/03/05 9:13 p.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsafe template rendering that combines user input with permissive sanitizer handling of data URLs in the display of author and committer names. An attacker can execute arbitrary JavaScript in the context of...

6.9CVSS5.8AI score0.00189EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/30 9:27 p.m.5 views

CVE-2025-36353

IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic...

6.2CVSS5.9AI score0.00152EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2025/11/27 12:0 a.m.8 views

PT-2025-48291

Name of the Vulnerable Software and Affected Versions Astro versions 5.15.7 and below Description Astro, a web framework, is affected by a double URL encoding bypass. This allows unauthenticated attackers to bypass path-based authentication checks in Astro middleware, potentially granting...

6.5CVSS6.8AI score0.00284EPSS
Exploits0References10
CNVD
CNVD
added 2025/11/05 12:0 a.m.5 views

WordPress Polylang plugin deserialization vulnerability

WordPress Polylang plugin is a multilingual WordPress plugin for creating and managing multilingual websites, supports switching from 1 to 10 or more languages, the core functionality is fully integrated with WordPress built-in features e.g. taxonomies without additional dependency on external...

8.8CVSS7.5AI score0.00332EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/10/31 10:7 p.m.8 views

CVE-2024-14009

Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and...

9.4CVSS7.1AI score0.01103EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/10/30 12:0 a.m.13 views

CVE-2025-50739

iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization...

0.00598EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/10/22 2:32 p.m.10 views

CVE-2025-62008 WordPress Product Table For WooCommerce plugin <= 1.2.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce.This issue affects Product Table For WooCommerce: from n/a through = 1.2.4...

8.8CVSS0.00483EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/10/22 12:0 a.m.7 views

WordPress plugin Addison 安全漏洞

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. A deserialization vulnerability exists in the WordPress plugin Addison, which arises from unsaf...

9.8CVSS6.7AI score0.00542EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2021-26601

Malware in sbrugna...

9.8CVSS9.2AI score0.01013EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2019-0088

Malware in sbrugna...

9.8CVSS9.1AI score0.028EPSS
Exploits0References6
Rows per page
Query Builder