Lucene search
K

6915 matches found

CVE
CVE
added yesterday11 views

CVE-2025-8412

The CVE-2025-8412 entry concerns the SUSE Virtual Machine Driver Pack. A BUFFER overflow can occur in the RtlQueryRegistryValues function when an attacker able to modify the registry interacts with the driver, affecting integrity. Affected scope is the Virtual Machine Driver Pack up to the build ...

2CVSS6.1AI score0.0009EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday10 views

W3 Total Cache < 2.8.2 - Log File Exposure

The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF...

7.5CVSS7AI score0.02169EPSS
Exploits0References3
CVE
CVE
added 2 days ago5 views

CVE-2026-58411

ChurchCRM (open-source church management system) Vulnerability: Prior to version 7.4.0, a Reflected XSS was identified due to insufficient output encoding of user-controlled request parameter names and values. The application reflects attacker-controlled input into JavaScript string contexts and ...

7CVSS6.1AI score0.00347EPSS
Exploits0References1
NVD
NVD
added 2 days ago4 views

CVE-2026-12081

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...

5CVSS0.00139EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-57859

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.4.0 Description A low-privileged user can bypass the /admin/export UI to exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV file containing the full Personally...

6.5CVSS6.1AI score0.00217EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2 days ago7 views

Linux Distros Unpatched Vulnerability : CVE-2026-49844

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issu...

7.5CVSS6.2AI score0.0078EPSS
Exploits0References3
NVD
NVD
added 4 days ago9 views

CVE-2026-61429

PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects. Attackers can craft URLs that resolve to internal services after the initial...

8.5CVSS0.00221EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-43178

PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects. Attackers can craft URLs that resolve to internal services after the initial...

8.5CVSS6.1AI score0.00221EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-61429 PraisonAI before 1.6.78 SSRF via Crawl4AI Chromium backend

PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects. Attackers can craft URLs that resolve to internal services after the initial...

8.5CVSS0.00221EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43102

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: wh...

6.3CVSS6.1AI score0.0078EPSS
Exploits0References5
NVD
NVD
added 5 days ago6 views

CVE-2026-49844

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: wh...

6.3CVSS0.0078EPSS
Exploits0References4
NVD
NVD
added 5 days ago4 views

CVE-2026-55659

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's nam...

7.7CVSS0.00275EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-49844 Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: wh...

6.3CVSS0.0078EPSS
Exploits0References4
CVE
CVE
added 5 days ago10 views

CVE-2026-55659

Grist has a cross-site scripting (XSS) vulnerability (CVE-2026-55659) in server-rendered pages caused by embedding user-controlled values into the page and inline scripts without proper escaping. The issue affects pages where a document’s name/description is rendered and where the OAuth2 end-of-f...

7.7CVSS5.8AI score0.00275EPSS
Exploits0References3
NVD
NVD
added 5 days ago7 views

CVE-2026-11321

The DataInjection plugin for GLPI 2.15.6 GLPI 11 builds concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embe...

7.1CVSS0.00314EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-55475 Snipe-IT: Import created_by can be overwritten

Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the createdby value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in...

5.7CVSS0.00195EPSS
Exploits0References4
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-43000

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References3
CVE
CVE
added 5 days ago9 views

CVE-2026-55469

Snipe-IT prior to 8.6.2 is affected. An authenticated user with import and assets.update permissions can inject a path traversal string into an asset image field via CSV import, which can trigger image deletion and lead to deletion of arbitrary files accessible to the server process. The issue is...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-55469 Snipe-IT: Path traversal vulnerability via CSV import `image` field

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS0.00378EPSS
Exploits0References3
CVE
CVE
added 5 days ago11 views

CVE-2026-55452

CVE-2026-55452 concerns Snipe-IT (IT asset/license management) where pre-8.5.0 builds store the User-Agent header via Actionlog::logaction() and export it in Activity Report CSV without formula escaping. This allows a low-privileged authenticated user to inject a formula-like payload that can exe...

7.3CVSS6.2AI score0.00269EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder