Lucene search
K

1445 matches found

CVE
CVE
added 2026/06/10 5:16 p.m.28 views

CVE-2026-20255

The CVE-2026-20255 issue affects Splunk Enterprise (versions below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform (below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132). A low-privilege user can craft a malicious classic dashboard to exfiltrate sensitive data to an external ser...

5.7CVSS5.5AI score0.00245EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/10 5:16 p.m.32 views

CVE-2026-20255 Improper Input Validation through Classic Dashboards in Splunk Enterprise

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that...

5.7CVSS0.00245EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 3:56 p.m.11 views

EUVD-2026-36069

Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers in the CMS provide to support member related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious...

5.4CVSS5.4AI score0.0018EPSS
Exploits0References3
NVD
NVD
added 2026/06/10 12:16 a.m.19 views

CVE-2026-41706

Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is us...

6.1CVSS0.00211EPSS
Exploits0References1
Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/10 12:0 a.m.7 views

Open redirect vulnerability

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...

7.4CVSS5.2AI score0.00364EPSS
Exploits0Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.18 views

PT-2026-48495

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that...

5.7CVSS5.5AI score0.00245EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/10 12:0 a.m.10 views

Linux Distros Unpatched Vulnerability : CVE-2026-8833

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an...

8.5CVSS5.3AI score0.0014EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/09 2:59 p.m.13 views

CVE-2026-8833

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...

8.5CVSS5.2AI score0.0014EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/08 12:51 p.m.3 views

EUVD-2026-21581

GeoNode contains a server-side request forgery vulnerability in the service registration endpoint...

6.3CVSS5.4AI score0.00172EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/08 12:6 p.m.12 views

EUVD-2026-35053

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...

8.5CVSS5.2AI score0.0014EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/08 12:6 p.m.15 views

CVE-2026-8833 XSS in urls

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...

8.5CVSS5.2AI score0.0014EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/08 12:6 p.m.48 views

CVE-2026-8833 XSS in urls

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...

8.5CVSS0.0014EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.17 views

PT-2026-47287

Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another...

8.5CVSS5.2AI score0.0014EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:44 p.m.11 views

CVE-2026-44658

Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and...

2.4CVSS5.5AI score0.00157EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.10 views

CVE-2026-49138

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the webfetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the...

5.3CVSS5.6AI score0.00287EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.12 views

CVE-2026-10856

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths...

6.1CVSS5.3AI score0.00148EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.9 views

CVE-2026-10861

An open redirect vulnerability existed in MISP UsersController::routeafterlogin because the value stored in the preloginrequestedurl session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker...

6.1CVSS5.5AI score0.00223EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.11 views

CVE-2026-9557

A Server-Side Request Forgery SSRF vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary...

6.4CVSS5.6AI score0.00138EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.10 views

CVE-2026-43884

WWBN AVideo is an open source video platform. In versions up to and including 29.0, two endpoints plugin/AI/receiveAsync.json.php and objects/EpgParser.php in AVideo call isSSRFSafeURL to validate user-supplied URLs, then fetch them using bare filegetcontents without disabling PHP's automatic...

7.7CVSS5.4AI score0.00348EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:15 p.m.10 views

CVE-2026-2393

A flaw was found in MLflow. An authenticated attacker can exploit a Server-Side Request Forgery SSRF vulnerability by providing an unvalidated URL parameter to the createwebhook function. This allows the MLflow backend to be forced into sending HTTP requests to internal services, cloud metadata...

8.5CVSS7AI score0.00288EPSS
Exploits1References5
Rows per page
Query Builder