Lucene search
+L

1713 matches found

Github Security Blog
Github Security Blog
added 2026/05/11 3:55 p.m.15 views

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Impact Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or...

8.6CVSS5.9AI score0.38872EPSS
Exploits9References5Affected Software1
Debian
Debian
added 2026/05/09 11:35 a.m.9 views

[SECURITY] [DSA 6259-1] pyjwt security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6259-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 09, 2026 https://www.debian.org/security/faq -...

7.5CVSS6.7AI score0.00269EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2026/05/09 8:21 a.m.15 views

CVE-2026-41002

The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...

8.1CVSS5.8AI score0.0022EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/05/07 6:0 p.m.33 views

Important: Red Hat Security Advisory: Satellite 6.16.8 Async Update

An update is now available for Red Hat Satellite 6.16 for RHEL 8 and RHEL 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

9.8CVSS7.2AI score0.00812EPSS
Exploits3References14
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/07 2:29 p.m.15 views

Security Bulletin: IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199

Summary IBM Maximo Scheduler Optimizer uses werkzeug-3.1.5-py3-none-any.whl which is vulnerable to CVE-2026-27199. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web applicati...

6.3CVSS5.7AI score0.00556EPSS
Exploits1Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 6:31 a.m.17 views

Spring Cloud Config Server Logged Sensitive Information

When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs. - Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 inclusive; no open-source upgrade available. - Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13...

4.4CVSS5.2AI score0.00168EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/07 6:31 a.m.5 views

GHSA-J6HH-H3CF-C2HF Spring Cloud Config Server Logged Sensitive Information

When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs. - Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 inclusive; no open-source upgrade available. - Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13...

4.4CVSS5.2AI score0.00168EPSS
Exploits0References3
NVD
NVD
added 2026/05/07 4:16 a.m.16 views

CVE-2026-41004

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterprise Support Only. Spring Cloud Config 4.1.x: affected from 4.1.0 throu...

4.4CVSS0.00168EPSS
Exploits0References1
NVD
NVD
added 2026/05/07 4:16 a.m.56 views

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

7.5CVSS0.00435EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/07 3:55 a.m.8 views

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

7.5CVSS5.8AI score0.00435EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/07 3:55 a.m.6 views

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

7.5CVSS5.8AI score0.00435EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/07 3:53 a.m.10 views

CVE-2026-41002

The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...

7.2CVSS5.8AI score0.0022EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/07 3:51 a.m.7 views

CVE-2026-41004

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterprise Support Only. Spring Cloud Config 4.1.x: affected from 4.1.0 throu...

4.4CVSS5.8AI score0.00168EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/07 3:49 a.m.10 views

EUVD-2026-28246

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from...

9.1CVSS5.9AI score0.00727EPSS
Exploits0References1
CVE
CVE
added 2026/05/07 3:49 a.m.35 views

CVE-2026-40982

Spring Cloud Config server (spring-cloud-config-server) is vulnerable to a directory-traversal issue that allows serving arbitrary text and binary files via crafted URLs. Affected versions: Spring Cloud Config 3.1.x (3.1.0–3.1.13); upgrade to 3.1.14+. 4.1.x (4.1.0–4.1.9); upgrade to 4.1.10+. 4.2....

9.1CVSS5.9AI score0.00727EPSS
Exploits0References4Affected Software1
Atlassian
Atlassian
added 2026/05/06 4:29 p.m.52 views

DoS (Denial of Service) in Jira Service Management Data Center

This High severity DoS Denial of Service vulnerability was introduced in versions 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.5.0, 10.6.0, 10.7.1, 11.0.0, 11.1.0, 11.2.0, and 11.3.0 of Jira Service Management Data Center. This DoS Denial of Service vulnerability, with a CVS...

7.5CVSS6.3AI score0.0043EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.24 views

PT-2026-38638

Name of the Vulnerable Software and Affected Versions Next.js versions 13.4.13 through 15.5.15 Next.js versions 16.0.0 through 16.2.4 Description Self-hosted applications using the built-in Node.js server are subject to server-side request forgery SSRF, a condition where an attacker forces a serv...

8.6CVSS6AI score0.38872EPSS
Exploits9References73
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.10 views

PT-2026-36941

Name of the Vulnerable Software and Affected Versions Nix versions 2.24.7 through 2.34.6 Description A directory traversal issue allows writing to arbitrary files when using the "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" commands. Recommendations Update to version 2.34.7...

5.3CVSS5.9AI score0.00573EPSS
Exploits0References6
OSV
OSV
added 2026/05/04 4:43 p.m.2 views

CVE-2026-42027 Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 1.9.5, before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtensionClass, String method loads a class by its fully-qualified name via Class.forName and invokes its...

9.8CVSS6.2AI score0.00692EPSS
Exploits0References8
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/04 4:8 p.m.8 views

Security Bulletin: IBM Sterling Control Center is affected by vulnerabilities in jasperreports (CVE-2025-10492)

Summary IBM Sterling Control Center is affected by a vulnerability CVE-2025-10492 reported for jasperreports-7.0.2.jar. Vulnerability Details CVEID:CVE-2025-10492 DESCRIPTION: A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied...

9.8CVSS7.3AI score0.00876EPSS
Exploits0Affected Software1
Rows per page
Query Builder