Lucene search
K

42 matches found

Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-55781 NanaZip: Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated fs_bsize/fs_fsize superblock fields

NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's UFS and FFS image handler in NanaZip.Codecs.Archive.Ufs.cpp validates the superblock block size only against the MINBSIZE lower bound and does not validate the fsfsize fragment size, allowin...

2.4CVSS0.00112EPSS
Exploits0References3
CVE
CVE
added 4 days ago9 views

CVE-2026-55781

The CVE affects NanaZip (7-Zip derivative) prior to version 6.5.1749.0, specifically the UFS/FFS image handler in NanaZip.Codecs.Archive.Ufs.cpp. The root cause is that superblock considerations validate the block size only against MINBSIZE and do not validate the fs_fsize fragment size, allowing...

2.4CVSS6.2AI score0.00112EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/22 11:43 a.m.7 views

CVE-2026-56422 MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys id and ownership/scope foreign keys eventid, orgid, userid, sharinggroupid, galaxyclusteruuid, organisationuuid, and related nested object identifiers without consistently...

9.4CVSS6AI score0.00362EPSS
Exploits0References16
Cvelist
Cvelist
added 2026/06/22 11:43 a.m.34 views

CVE-2026-56422 MISP Core: Mass Assignment and Object Re-ownership via Unvalidated Request Fields

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys id and ownership/scope foreign keys eventid, orgid, userid, sharinggroupid, galaxyclusteruuid, organisationuuid, and related nested object identifiers without consistently...

9.4CVSS0.00362EPSS
Exploits0References16
CVE
CVE
added 2026/06/22 11:43 a.m.24 views

CVE-2026-56422

CVE-2026-56422 affects MISP core controllers and models where client-controlled fields (ids and ownership/scope keys such as event_id, org_id, user_id, sharing_group_id, galaxy_cluster_uuid, organisation_uuid, etc.) were not consistently stripped or revalidated, enabling an authenticated user to ...

9.4CVSS6AI score0.00362EPSS
Exploits0References16
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.9 views

CVE-2026-43975

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...

6.5CVSS5.5AI score0.00732EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.14 views

CVE-2026-35489

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/id/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create. Invalid amount...

7.3CVSS5.5AI score0.00224EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/11 9:31 p.m.7 views

EUVD-2026-29192

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...

6.3CVSS6AI score0.00266EPSS
Exploits0References4
OSV
OSV
added 2026/05/11 9:31 p.m.4 views

GHSA-HV23-4QP7-8C8R ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...

6.3CVSS6AI score0.00266EPSS
Exploits0References6
OSV
OSV
added 2026/05/11 9:31 p.m.9 views

GHSA-G2WM-735Q-3F56 cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cowcookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs...

3.2CVSS5.9AI score0.00145EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/11 9:31 p.m.11 views

cowlib: Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cowcookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs...

3.2CVSS6AI score0.00145EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/11 9:31 p.m.12 views

ninenines cowlib: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability allows SSE event splitting and injection via unvalidated field values

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...

6.3CVSS6AI score0.00266EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2026/05/11 7:16 p.m.13 views

CVE-2026-43968

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...

6.3CVSS0.00266EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/11 6:6 p.m.35 views

CVE-2026-43968 CR Injection in SSE Encoder Enables Event Splitting via cow_sse:event/1

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...

6.3CVSS0.00266EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/05/11 6:6 p.m.7 views

CVE-2026-43968

Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values. cowsse:event/1 in cowlib guards the id and event fields against \n but not against bare \r, and the internal prefixlines/2 function...

6.3CVSS6AI score0.00266EPSS
Exploits0
CVE
CVE
added 2026/05/11 6:6 p.m.28 views

CVE-2026-43968

CVE-2026-43968 involves an CRLF injection in ninenines/cowlib, triggered by the SSE encoding path cow_sse:event/1. The root cause is improper neutralization of CRLF sequences: while id and event fields guard against \n, bare \r is not sanitized, and prefix_lines/2 used for data and comment fields...

6.3CVSS6AI score0.00266EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.21 views

PT-2026-39726

Name of the Vulnerable Software and Affected Versions cowlib versions 2.6.0 and later Description Improper Neutralization of CRLF Sequences CRLF Injection allows SSE event splitting and injection through unvalidated field values. The cow sse:event/1 function guards the id and event fields against...

6.3CVSS5.9AI score0.00266EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/05/07 3:47 a.m.100 views

CVE-2026-41674 xmldom: XML injection through unvalidated DocumentType serialization

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any...

8.7CVSS0.00457EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/15 12:0 a.m.11 views

WordPress plugin MetForm Pro 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

5.3CVSS5.8AI score0.00266EPSS
Exploits0References1
Snyk
Snyk
added 2026/03/11 8:39 p.m.4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the parsing process of Mach-O binaries, specifically when reading size and count fields such as DataSize, DataOffset, Size, Count, and Length without proper validation. An...

6.8CVSS5.8AI score0.001EPSS
Exploits0References2
Rows per page
Query Builder