Lucene search
+L

33073 matches found

Cvelist
Cvelist
added yesterday10 views

CVE-2026-54163 secure_headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

secureheaders manages application of security headers with many safe defaults. Prior to 7.3.0, secureheaders builds the Content-Security-Policy value by stitching directives with ; separators, and buildsandboxlistdirective, buildmediatypelistdirective, and buildreporttodirective interpolate...

4.7CVSS0.00031EPSS
Exploits0References3
CVE
CVE
added yesterday10 views

CVE-2026-54163

Summary: The vulnerability CVE-2026-54163 affects the Ruby gem secure_headers (pre-7.3.0). When applications feed untrusted input into CSP-related directives via override_content_security_policy_directives or related APIs, the three builders—build_sandbox_list_directive, build_media_type_list_dir...

4.7CVSS5.3AI score0.00031EPSS
Exploits0References3
Cvelist
Cvelist
added yesterday9 views

CVE-2026-55254 NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation

NCalc is a fast, lightweight expression evaluator for .NET. Prior to 6.1.1, the factorial operator implementation in src/NCalc.Core/Helpers/MathHelper.cs permits specially crafted expressions with extremely large factorial operands, causing excessive CPU consumption or a non-terminating loop due ...

4.8CVSS
Exploits0References4
CVE
CVE
added yesterday14 views

CVE-2026-55254

NCalc (.NET) contains a DoS via the factorial operator in the NCalc.Core/Helpers/MathHelper.cs path. Prior to v6.1.1, evaluating expressions with extremely large factorial operands can cause excessive CPU usage or a non-terminating loop due to integer overflow. A fix was implemented in v6.1.1 tha...

4.8CVSS5.4AI score
Exploits0References4
Vulnrichment
Vulnrichment
added yesterday5 views

CVE-2026-60137 WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the authornotin parameter of WPQuery, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter...

5.9CVSS5.9AI score
Exploits5References2
Cvelist
Cvelist
added yesterday12 views

CVE-2026-60137 WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query

WordPress 6.8.x before 6.8.6, 6.9.x before 6.9.5, and 7.0.x before 7.0.2 does not properly sanitise the authornotin parameter of WPQuery, which could allow SQL Injection when a plugin or theme passes untrusted input to the parameter...

5.9CVSS
Exploits5References2
EUVD
EUVD
added yesterday44 views

EUVD-2026-34900

AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance...

8.6CVSS5.2AI score0.00305EPSS
Exploits0References5
NVD
NVD
added yesterday6 views

CVE-2026-57860

ForgeCode tailcallhq/forgecode, an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and...

8.4CVSS
Exploits0References5
Cvelist
Cvelist
added yesterday15 views

CVE-2026-21761 CORS Misconfiguration in DevOps Loop

HCL DevOps Loop is affected by a Cross-Origin Resource Sharing CORS misconfiguration. Improper CORS configuration may allow unauthorized cross-origin requests, potentially exposing application resources to untrusted domains...

4.2CVSS
Exploits0References1
RedhatCVE
RedhatCVE
added yesterday4 views

CVE-2026-50649

A flaw was found in .NET. This vulnerability allows an unauthorized attacker to execute code locally by exploiting a deserialization of untrusted data. This means that if an attacker can provide specially crafted data, the .NET application may process it in a way that leads to the execution of...

7.8CVSS7.8AI score0.00939EPSS
Exploits0References4
NVD
NVD
added yesterday7 views

CVE-2026-14741

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

Exploits0References4
Cvelist
Cvelist
added yesterday15 views

CVE-2026-57860 ForgeCode Arbitrary Code Execution via Unvetted .mcp.json in Untrusted Repository

ForgeCode tailcallhq/forgecode, an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and...

8.4CVSS
Exploits0References5
CVE
CVE
added yesterday7 views

CVE-2026-57860

Technical details about CVE-2026-57860 are not publicly available in the provided documents. Monitor for updates.

8.4CVSS5.9AI score
Exploits0References5
Vulnrichment
Vulnrichment
added yesterday5 views

CVE-2026-57860 ForgeCode Arbitrary Code Execution via Unvetted .mcp.json in Untrusted Repository

ForgeCode tailcallhq/forgecode, an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and...

8.4CVSS5.9AI score
Exploits0References5
EUVD
EUVD
added yesterday7 views

EUVD-2026-45217

ForgeCode tailcallhq/forgecode, an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and...

8.4CVSS5.8AI score
Exploits0References5
EUVD
EUVD
added yesterday5 views

EUVD-2026-45190

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.3AI score
Exploits0References3
CVE
CVE
added yesterday10 views

CVE-2026-14741

CVE-2026-14741 affects the Perl module HTTP::Date (versions before 6.08). The vulnerability arises in parse_date() where a chain of alternative regexes with unbounded quantifiers, combined with a trailing \s*$, can trigger polynomial (≈quadratic) backtracking in the date parser invoked by str2tim...

5.3AI score
Exploits0References4
Cvelist
Cvelist
added yesterday16 views

CVE-2026-14741 HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parse_date

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

Exploits0References3
Nuclei
Nuclei
added yesterday29 views

Langflow < 1.3.0 - Remote Code Execution via validate_code() exec()

Langflow contains a remote code execution caused by inclusion of functionality from untrusted control sphere in the execglobals parameter at the validate endpoint, letting remote attackers execute arbitrary code as root, exploit requires no authentication. id: CVE-2026-0770 info: name: Langflow...

9.8CVSS9.5AI score0.10371EPSS
Exploits8References3
Nuclei
Nuclei
added yesterday45 views

Veeam Backup & Replication - Unauthenticated

A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution RCE. id: CVE-2024-40711 info: name: Veeam Backup & Replication - Unauthenticated author: rootxharsh,iamnoooob,DhiyaneshDK severity: critical description: | A deserializati...

9.8CVSS9.6AI score0.90208EPSS
Exploits3References3
Rows per page
Query Builder