Lucene search
K

785 matches found

OSV
OSV
added 2026/07/07 4:3 p.m.7 views

PYSEC-2026-1524 Langflow Missing Authentication on Critical API Endpoints

Summary Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal dat...

9.3CVSS6AI score0.20655EPSS
Exploits1References7
OSV
OSV
added 2026/07/07 11:45 a.m.4 views

PYSEC-2026-1292 dbt allows Binding to an Unrestricted IP Address via socketsocket

Summary Binding to INADDRANY 0.0.0.0 or IN6ADDRANY :: exposes an application on all network interfaces, increasing the risk of unauthorized access. While doing some static analysis and code inspection, I found the following code binding a socket to INADDRANY by passing "" as the address. This...

5.3CVSS5.8AI score0.0071EPSS
Exploits0References15
CVE
CVE
added 2026/06/25 9:12 p.m.15 views

CVE-2026-12975

CVE-2026-12975 affects Apicurio Registry. The flaw is in ContentTypeUtil.isParsableXml(), which creates a SAXParserFactory without enabling secure processing features or disabling external entity resolution. An attacker with artifact-write permission (or unauthenticated when the registry runs wit...

8.5CVSS5.8AI score0.00233EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/06/24 1:16 p.m.10 views

CVE-2026-56302

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS0.00208EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.5 views

CVE-2026-56302

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS5.9AI score0.00208EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 11:53 a.m.11 views

EUVD-2026-38749

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS5.9AI score0.00208EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 1:16 p.m.17 views

CVE-2026-56301

Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...

6.8CVSS0.00103EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/10 1:55 p.m.85 views

CVE-2026-53475 Assisted-migration-agent: tls verification disabled on all vcenter connections

A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security TLS connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle MITM attacker to intercept and harvest vCenter administrator credentials. This can lead to...

9.3CVSS0.00253EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.12 views

CVE-2026-45179

Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured for example, by sending UDP packets to a host on another network, then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no...

5.3CVSS5.4AI score0.00219EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/03 4:2 p.m.11 views

CVE-2026-10629

SIP signaling stack in Verizon IMS unspecified version implements SIP signaling without IPsec integrity protection missing Security-Client/Security-Server headers and ESP traffic, which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via...

7.4CVSS5.7AI score0.00174EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/03 12:0 a.m.20 views

EUVD-2026-34142

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary...

5.9AI score0.00211EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.17 views

PT-2026-45991

Name of the Vulnerable Software and Affected Versions Mercusys AC12G EU V1 version AC12GEU V1 200909 Description The device exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. Universal Plug and Play UPnP, a protocol that allow...

8.1CVSS5.6AI score0.00211EPSS
Exploits0References3
NVD
NVD
added 2026/06/02 4:16 p.m.16 views

CVE-2026-10629

SIP signaling stack in Verizon IMS unspecified version implements SIP signaling without IPsec integrity protection missing Security-Client/Security-Server headers and ESP traffic, which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via...

7.4CVSS0.00174EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/02 2:35 p.m.11 views

CVE-2026-10629 CVE-2026-10629

SIP signaling stack in Verizon IMS unspecified version implements SIP signaling without IPsec integrity protection missing Security-Client/Security-Server headers and ESP traffic, which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via...

5.7AI score0.00174EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/02 2:35 p.m.10 views

CVE-2026-10629

SIP signaling stack in Verizon IMS unspecified version implements SIP signaling without IPsec integrity protection missing Security-Client/Security-Server headers and ESP traffic, which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via...

5.7AI score0.00174EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.16 views

PT-2026-45817

Name of the Vulnerable Software and Affected Versions Graph Explorer versions prior to 3.0.1 Description The proxy server falls back to HTTP when certificate files are missing. This behavior may allow remote threat actors to intercept requests intended for HTTPS and obtain sensitive information...

8.2CVSS5.5AI score0.00101EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.23 views

PT-2026-45769

Name of the Vulnerable Software and Affected Versions Verizon IMS affected versions not specified Description The SIP signaling stack implements SIP signaling without IPsec integrity protection, specifically lacking Security-Client/Security-Server headers and ESP traffic. This allows an on-path...

7.4CVSS5.4AI score0.00174EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/27 12:0 a.m.14 views

CVE-2026-36539

Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skkget.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi...

5.8AI score0.00358EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/26 6:10 a.m.16 views

Malicious code in 1cat-tunnel-client-zx (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 796f1b18c13a38088b4e48d75575eb92b23af5d91cdfaf6a82717f0fabbc7a79 On npm install, the package's postinstall hook node install.js fetches a platform-specific executable from...

6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.15 views

PT-2026-43320

Name of the Vulnerable Software and Affected Versions Joomla affected versions not specified Description The password and username reset features generate plain http links even when https connections are used, provided the "Force SSL" flag is not explicitly enabled. This leads to a transport...

9.8CVSS5.8AI score0.0019EPSS
Exploits0References6
Rows per page
Query Builder