Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

8 matches found

GithubExploit
GithubExploitadded 2026/05/25 4:43 p.m.63 views

Exploit for CVE-2026-33712

CVE-2026-33712 - Typebot Unauthenticated SSRF Description...

10CVSS5.8AI score0.00067EPSS
Exploits1
CVE
CVEadded 2026/05/11 4:30 p.m.10 views

CVE-2026-2393

CVE-2026-2393: MLflow prior to 3.9.0 is vulnerable to SSRF via a user-controlled webhook URL. The _create_webhook() handler stores the URL without validation, and _send_webhook_request() POSTs to that URL, enabling an authenticated attacker to cause the MLflow backend to reach internal services, ...

7.1CVSS7.3AI score0.00034EPSS
Exploits1References2Affected Software1
Snyk
Snykadded 2026/04/03 3:30 a.m.1 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the GET /api/website/title endpoint. An attacker can access internal or restricted network resources and potentially exfiltrate sensitive information by supplying a crafted URL to the unauthenticated...

8.7CVSS5.7AI score0.00065EPSS
Exploits3References2
Positive Technologies
Positive Technologiesadded 2026/04/03 12:0 a.m.1 views

PT-2026-30015

Summary The GET /api/website/title endpoint accepts an arbitrary URL via the website url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network...

7.2CVSS6AI score0.00022EPSS
Exploits2References4
Cvelist
Cvelistadded 2026/03/11 8:41 p.m.22 views

CVE-2026-32111 ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form beta feature accepts a user-supplied haurl and makes a server-side HTTP request to haurl/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network...

5.3CVSS0.00042EPSS
Exploits0References1
Github Security Blog
Github Security Blogadded 2026/02/12 10:6 p.m.6 views

Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC

Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC This vulnerability exists in the Air Traffic Controller ATC component of Yoke, a Kubernetes deployment tool. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller...

8.8CVSS6.9AI score0.0006EPSS
Exploits1References3Affected Software1
CNNVD
CNNVDadded 2026/02/12 12:0 a.m.3 views

yoke 代码注入漏洞

Yoke is a Kubernetes package management tool developed by YokeCD. Versions of Yoke prior to 0.19.0 contained a code injection vulnerability. This vulnerability stemmed from the lack of proper URL validation in the Air Traffic Controller component, allowing users with the authority to create or...

8.8CVSS6.2AI score0.0006EPSS
Exploits1References1
OSV
OSVadded 2023/10/16 12:15 a.m.3 views

CVE-2022-48612

A Universal Cross Site Scripting UXSS vulnerability in ClassLink OneClick Extension through 10.7 allows remote attackers to inject JavaScript into any webpage, because a regular expression validating whether a URL is controlled by ClassLink is not present in all applicable places...

6.1CVSS5.8AI score0.00153EPSS
Exploits1References1
Rows per page
Query Builder