Lucene search
+L

9777 matches found

CVE
CVE
added 11 hours ago4 views

CVE-2026-62203

OpenClaw vulnerable before version 2026.6.6 due to an environment variable filtering issue in host exec that fails to sanitize rustup startup variables. Affected product: OpenClaw. Root cause: improper sanitization of environment variables during rustup startup. Impact: attackers with lower-trust...

8.8CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added 11 hours ago4 views

EUVD-2026-45092

OpenClaw versions before 2026.6.6 contain an environment variable filtering vulnerability in host exec that fails to properly sanitize rustup startup variables. Attackers with lower-trust caller access or configured input paths can execute or persist actions beyond their intended authorization...

8.8CVSS6.2AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in @hibachi-xyz/ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 308aa7f8a3746a346bbed305975f68d110bcf6b98815b7bf9f579e37089fd78b The package is published under the name @hibachi-xyz/ui with description 'UI components' but ships no UI code. Its index.js, executed on require,...

6.1AI score
Exploits0References1
CVE
CVE
added 2 days ago9 views

CVE-2026-45320

DataEase (open source data visualization/analysis tool) is affected by an SQL injection in dashboard variables. Prior to version 2.10.23, dashboard SQL variables (e.g., ${deptId}) are processed by SqlparserUtils.transFilter(), whose final branch returns raw user input for non-in and non-between o...

8.7CVSS6.1AI score0.00269EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-45535 DataEase: Stored SQL Injection Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL-type datasets store attacker-controlled SQL variable defaultValue entries such as $var and SqlparserUtils.handleVariableDefaultValue inserts them with String.replace without escaping or parameterizatio...

8.7CVSS0.00248EPSS
Exploits0References3
CVE
CVE
added 2 days ago10 views

CVE-2026-45535

DataEase (open source data visualization/analysis tool) contains a stored SQL injection in SQL-type datasets prior to version 2.10.23. The vulnerability arises because attacker-controlled SQL variable defaultValue entries (e.g., ${var}) are stored and SqlparserUtils.handleVariableDefaultValue() i...

8.7CVSS6.1AI score0.00248EPSS
Exploits0References3
OSV
OSV
added 2 days ago3 views

CVE-2026-15746 Credential disclosure in Strands Agents Tools elasticsearch_memory tool

Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearchmemory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery SSRF issue i...

6.9CVSS6.1AI score0.00244EPSS
Exploits0References5
CVE
CVE
added 2 days ago11 views

CVE-2026-15746

CVE-2026-15746 affects strands-agents-tools’ elasticsearch_memory tool (used with Strands Agents SDK). The tool’s schema exposed connection parameters (es_url, cloud_id, api_key); if api_key is omitted, it falls back to the operator’s ELASTICSEARCH_API_KEY and may be sent to a host chosen by an L...

6.9CVSS6.1AI score0.00244EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2 days ago10 views

CVE-2026-15809 Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env

A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...

7.8CVSS6.1AI score0.00126EPSS
Exploits0References4
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-44661

A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...

7.8CVSS6.1AI score0.00126EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago4 views

PT-2026-60101

Name of the Vulnerable Software and Affected Versions netlicensing-mcp version 0.1.5 Description When running in HTTP transport mode, the software fails to enforce authentication in the ApiKeyMiddleware. Requests that do not provide a client API key are unconditionally forwarded to the next...

8.1CVSS6.1AI score
Exploits0References6
RedHat Linux
RedHat Linux
added 4 days ago3 views

kernel: wifi: mac80211: drop stray 'static' from fast-RX rx_result

A flaw was found in the Linux kernel's Wi-Fi mac80211 subsystem. The ieee80211invokefastrx function uses a static variable for rxresult, which is shared across concurrent calls. This can lead to incorrect processing of Wi-Fi packets, where a packet might be mishandled or its status incorrectly...

8.8CVSS6AI score0.00167EPSS
Exploits0References5
OSV
OSV
added 4 days ago4 views

RLSA-2026:38504 Important: container-tools:rhel8 security update

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME CVE-2026-33811 golang.org/x/crypto/ssh: golang: golang.org/x/crypto/ssh: Denial o...

7.5CVSS6.5AI score0.00813EPSS
Exploits0References4
CVE
CVE
added 6 days ago23 views

CVE-2026-61454

CVE-2026-61454 affects Grav's Admin2 plugin prior to 2.0.4. The vulnerability arises from embedding a global JavaScript variable, window.GRAV_CONFIG , in the Admin2 SPA bootstrap page at /grav/admin and subroutes. This object is returned in every unauthenticated response and exposes server URL, A...

8.7CVSS6.1AI score0.00239EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago36 views

CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS0.00239EPSS
Exploits0References2
OSV
OSV
added 6 days ago3 views

CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS6.1AI score0.00239EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 6 days ago7 views

PT-2026-57442

Name of the Vulnerable Software and Affected Versions Grav Admin2 plugin versions prior to 2.0.4 Description The plugin embeds a global JavaScript variable window. GRAV CONFIG in the Admin2 SPA bootstrap page at the '/grav/admin' endpoint and its subroutes. This object is returned in every...

8.7CVSS6.1AI score0.00239EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.6 views

PT-2026-57194

Name of the Vulnerable Software and Affected Versions praisonaiagents versions prior to 1.6.78 Description An unsafe dynamic module loading issue exists in the AgentFlow. resolve pydantic class function. When a workflow step utilizes a string output pydantic reference, the framework imports a...

8.5CVSS6.4AI score0.00129EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/09 6:27 p.m.33 views

CVE-2026-59148 Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS0.00173EPSS
Exploits0References5
OSV
OSV
added 2026/07/08 9:47 p.m.4 views

CVE-2026-15168 Use of Uninitialized Variable in Wireshark

BLF file parser in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows possible information disclosure...

2.5CVSS6.1AI score0.00102EPSS
Exploits1References4
Rows per page
Query Builder