
Vulnrichment · added 2026/04/23 7:33 p.m. · 4 views

CVE-2026-41275 Flowise: Password Reset Link Sent Over Unsecured HTTP

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle...

CVSS 7.5 · AI score 5.3 · EPSS 0.00192
Exploits 1 · References 2
Positive Technologies · added 2026/04/17 12:00 a.m. · 16 views

PT-2026-33491

CVE-2026-33569 Anviz CX2 Lite and CX7 administrative sessions occur over HTTP, enabling on‑path attackers to sniff credentials and session data, which can be used to compromise th… https://t.co/VidnnJfRzA...

CVSS 6.5 · AI score 5.8 · EPSS 0.00186
Exploits 0 · References 6
OSV · added 2026/01/26 6:16 p.m. · 6 views

CVE-2026-24430

Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be expose...

CVSS 7.5 · AI score 5.7 · EPSS 0.00235
Exploits 0 · References 2
CVE · added 2026/01/26 5:39 p.m. · 15 views

CVE-2026-24430

The CVE-2026-24430 entry concerns Shenzhen Tenda W30E V2 devices with firmware up to V16.01.0.19(5037). The issue is that sensitive account credentials are disclosed in plaintext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unen...

CVSS 8.2 · AI score 5.9 · EPSS 0.00235
Exploits 0 · References 2 · Affected Software 1
RedhatCVE · added 2026/01/13 10:52 p.m. · 4 views

CVE-2026-22081

This vulnerability exists in Tenda wireless routers 300Mbps Wireless Router F3 and N300 Easy Setup Router due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote attacker could exploit this vulnerability by capturing session cookies...

CVSS 8.8 · AI score 6.8 · EPSS 0.0037
Exploits 0 · References 1
RedhatCVE · added 2025/12/17 8:07 a.m. · 5 views

CVE-2025-62330

HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive...

CVSS 5.9 · AI score 6.5 · EPSS 0.00133
Exploits 0 · References 1
CNNVD · added 2025/12/01 12:00 a.m. · 4 views

Kerlink KerOS Security Vulnerability

Kerlink KerOS is an operating system from the French company Kerlink. A security vulnerability exists in Kerlink KerOS versions prior to 5.10, which stems from the web interface being exposed over HTTP only, with no HTTPS support, which could lead to a man-in-the-middle attack...

CVSS 7.4 · AI score 6.5 · EPSS 0.0015
Exploits 0 · References 3
EUVD · added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-27115

Malicious code in bioql PyPI...

CVSS 7.4 · AI score 6.6 · EPSS 0.00212
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 3:31 p.m. · 7 views

CVE-2020-35584

In Solstice Pod before 3.0.3, the web services allow users to connect to them over unencrypted channels via the Browser Look-in feature. An attacker suitably positioned to view a legitimate user's network traffic could record and monitor their interactions with the web services and obtain any...

CVSS 5.9 · AI score 6.6 · EPSS 0.00752
Exploits 1
Positive Technologies · added 2024/06/07 12:00 a.m. · 8 views

PT-2024-27347 · Skyscrape · Skyscrape

Name of the Vulnerable Software and Affected Versions: SkyScrape version 1.0.0
Description: The issue concerns unsecured HTTP requests in SkyScrape's API, potentially exposing users' temporary credentials and data.
Recommendations: For version 1.0.0, consider disabling the use of unsecured HTTP...

CVSS 7.5 · AI score 6.8 · EPSS 0.00168
Exploits 0 · References 5
RedHat Linux · added 2024/06/04 10:58 a.m. · 3 views

eap-galleon: custom provisioning creates unsecured http-invoker

An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server...

CVSS 7.5 · AI score 5.8 · EPSS 0.0072
Exploits 0 · References 4
OSV · added 2023/04/13 8:15 p.m. · 4 views

CVE-2023-27747

BlackVue DR750-2CH LTE v.1.0122022.10.26 does not employ authentication in its web server. This vulnerability allows attackers to access sensitive information such as configurations and recordings...

CVSS 7.5 · AI score 5.8 · EPSS 0.01128
Exploits 1 · References 4
Qualys Blog · added 2023/03/16 2:16 p.m. · 28 views

A New Approach to Discover, Monitor, and Reduce Your Modern Web Attack Surface

Web applications reign over the internet universe, but they also bring new risks that let attackers poke holes in an ever-expanding attack surface. Stolen credentials have been the historical culprit. Recent analysis saw a spike in exploits targeting web applications directly through specially-crafted...

AI score 0.4
Exploits 0
OSV · added 2022/09/13 9:15 p.m. · 2 views

CVE-2022-40621

Because the WAVLINK Quantum D4G WN531G3 running firmware version M31G3.V5030.200325 and earlier communicates over HTTP and not HTTPS, and because the hashing mechanism does not rely on a server-supplied key, it is possible for an attacker with sufficient network access to capture the hashed...

CVSS 7.5 · AI score 5.8 · EPSS 0.00694
Exploits 1 · References 1
Positive Technologies · added 2022/06/29 12:00 a.m. · 4 views

PT-2022-11284 · Unknown · Textpattern Cms

Name of the Vulnerable Software and Affected Versions: Textpattern CMS versions 4.8.7 and older
Description: The issue exists due to a sensitive cookie in HTTPS sessions without the 'Secure' attribute set, specifically affecting the txp login session cookie in the application via...

CVSS 4.3 · AI score 4.4 · EPSS 0.00485
Exploits 0 · References 7
ATTACKERKB · added 2022/01/28 8:15 p.m. · 5 views

CVE-2022-22994

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by disabling checks...

CVSS 9.8 · AI score 7.9 · EPSS 0.01853
Exploits 0 · References 3
OSV · added 2022/01/28 8:15 p.m. · 1 view

CVE-2022-22994

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result of insufficient verification of calls to the device. The vulnerability was addressed by disabling checks...

CVSS 9.8 · AI score 7.8 · EPSS 0.01853
Exploits 0 · References 2
OSV · added 2022/01/13 9:15 p.m. · 6 views

CVE-2022-22991

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. This vulnerability was addressed by disabling checks for internet connectivity using HTTP...

CVSS 8.8 · AI score 7.3 · EPSS 0.01333
Exploits 0 · References 2
0day.today · added 2013/06/03 12:00 a.m. · 280 views

Umbraco CMS 4.x Arbitrary aspx File Upload Vulnerability

Umbraco CMS version 4.x is vulnerable to a remote code execution vulnerability. An attacker can upload files via an unsecured web service located at /umbraco/webservices/codeEditorSave.asmx, method SaveDLRScript. I created this exploit because in some audits the public exploit that Juan Vazquez...

AI score 7.9
Exploits 0
exploitpack · added 2003/02/11 12:00 a.m. · 10 views

Ericsson HM220dp DSL Modem - World Accessible Web Administration Interface

Source: https://www.securityfocus.com/bid/6824/info
The Ericsson HM220dp DSL Modem uses a web interface for remote administration and configuration. This interface does not require any authentication in order to access...

AI score 0.7
Exploits 0