109236 matches found
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url
The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...
golang: net/url: Memory exhaustion in query parameter parsing in net/url
A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
Important: Red Hat Security Advisory: Red Hat OpenStack Services on OpenShift 18.0 (golang-github-openstack-k8s-operators-os-diff) security update
An update for golang-github-openstack-k8s-operators-os-diff is now available for Red Hat OpenStack Services on OpenShift 18.0 Antelope. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a...
CVE-2026-15583
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud...
CVE-2026-15583
Grafana MCP Server is affected by CVE-2026-15583, a confusion-deputy vulnerability that allows an unauthenticated remote attacker to exfiltrate the server’s Grafana service-account token and perform SSRF via a crafted X-Grafana-URL header. The flaw enables targeting internal services, including c...
CVE-2026-15583 SSRF (confused deputy) in Grafana MCP Server via X-Grafana-URL header
A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud...
CVE-2026-35152
creationtimestamp| type| source ---|---|--- 2026-07-15 06:55:57+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mqo5cffab52h 2026-07-15 13:12:52+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqoseeru4y2c 2026-07-16 10:37:06+00:00| seen|...
CVE-2026-8920
creationtimestamp| type| source ---|---|--- 2026-07-15 04:19:37+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqnukuc5ul22 2026-07-15 16:45:06+00:00| seen| https://www.acn.gov.it/portale/w/risolte-vulnerabilita-in-prodotti-asus-1...
CVE-2026-15029
creationtimestamp| type| source ---|---|--- 2026-07-15 04:09:36+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqntywrdti2u 2026-07-15 16:45:15+00:00| seen| https://www.acn.gov.it/portale/w/risolte-vulnerabilita-in-prodotti-asus-1...
EUVD-2026-44515
A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcpgetComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack ma...
CVE-2026-15752
creationtimestamp| type| source ---|---|--- 2026-07-15 00:09:57+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqngmfzazt24...
CVE-2026-5270
creationtimestamp| type| source ---|---|--- 2026-07-15 00:04:42+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqngczzwyz2x 2026-07-15 13:38:06+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqotriltvq2p...
RHEL 9 : Red Hat OpenStack Services on OpenShift 18.0 (golang-github-openstack-k8s-operators-os-diff) (RHSA-2026:39810)
The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:39810 advisory. Security Fixes: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61726 golang: Denial of Service due to excessive...
CVE-2026-36035
creationtimestamp| type| source ---|---|--- 2026-07-14 23:54:34+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqnfqvwm4q27...
CVE-2026-48337
creationtimestamp| type| source ---|---|--- 2026-07-14 23:01:37+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mqncs7pxyz2c...
CVE-2026-15774
creationtimestamp| type| source ---|---|--- 2026-07-14 22:59:40+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqncoq3d3f2g 2026-07-15 23:42:46+00:00| seen| https://infosec.exchange/users/vuldb/statuses/116926641968349809 2026-07-16 04:45:29+00:00| seen|...
CVE-2026-48287
CAI Content Credentials is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must...
CVE-2026-15750
A weakness has been identified in mastergo-design mastergo-magic-mcp up to 0.2.0. Impacted is the function z.string of the file src/tools/get-component-link.ts of the component mcpgetComponentLink. Executing a manipulation of the argument url can lead to server-side request forgery. The attack ma...
CVE-2026-54052
creationtimestamp| type| source ---|---|--- 2026-07-14 22:08:05+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqn7siy2dj2q 2026-07-15 22:00:44+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mqppubmqtj2w 2026-07-16 00:34:33+00:00| seen|...