CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 6 days ago•20 views

CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

9.5CVSS0.00312EPSS

CVE•added 6 days ago•7 views

CVE-2026-47174

Technical details such as affected components, versions, exploit paths, and fixes are not provided in the supplied documents; monitor for updates.

EUVD•added 6 days ago•7 views

EUVD-2026-36290

Vulnrichment•added 6 days ago•5 views

CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment

Cvelist•added 6 days ago•21 views

CVE-2026-47163 Quest Bot: Unprivileged users can create and remove AutoMod rules.

7.2CVSS0.00215EPSS

Vulnrichment•added 6 days ago•5 views

CVE-2026-47163 Quest Bot: Unprivileged users can create and remove AutoMod rules.

7.2CVSS5.4AI score0.00215EPSS

Positive Technologies•added 6 days ago•6 views

PT-2026-48713

RedhatCVE•added 2026/06/05 7:49 p.m.•6 views

CVE-2026-5833

A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been...

5.3CVSS5.4AI score0.00647EPSS

RedhatCVE•added 2026/06/02 10:2 a.m.•8 views

CVE-2026-2237

A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive information...

6.2CVSS5.8AI score0.00092EPSS

NVD•added 2026/06/01 7:16 p.m.•7 views

CVE-2026-45302

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...

8.2CVSS0.00315EPSS

Cvelist•added 2026/06/01 5:20 p.m.•27 views

CVE-2026-45302 Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names

8.2CVSS0.00315EPSS

ATTACKERKB•added 2026/06/01 5:20 p.m.•7 views

CVE-2026-45302

8.2CVSS5.7AI score0.00315EPSS

Exploits0References4Affected Software1

CVE•added 2026/06/01 5:20 p.m.•9 views

CVE-2026-45302

The CVE-2026-45302 entry concerns parse-nested-form-data, a Node.js module that parses FormData field names into nested objects. Before version 1.0.1, parseFormData() could traverse into Object.prototype when a field name begins with proto or contains .proto . mid-path, enabling prototype polluti...

8.2CVSS5.8AI score0.00315EPSS

CNNVD•added 2026/06/01 12:0 a.m.•6 views

parse-nested-form-data 安全漏洞

parse-nested-form-data is a form data parsing tool developed by Christian Schurr. Versions of parse-nested-form-data prior to 1.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the use of parseFormData, which did not filter or preserve attribute keys when parsing FormDat...

8.2CVSS5.3AI score0.00315EPSS

NCSC•added 2026/05/29 7:8 p.m.•11 views

The vulnerability was concealed in Starlette

There is a vulnerability in Starlette, a Python library for developing web services. Starlette is used by various products, including FastAPI. An unauthorized malicious actor can exploit this vulnerability to bypass authentication checks. This allows the malicious actor to access protected URL...

6.5CVSS5.8AI score0.00906EPSS

Exploits2References2

EUVD•added 2026/05/29 1:40 p.m.•8 views

EUVD-2026-33321

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys e.g. namesub into nested objects without filtering proto, constructor, or prototype. A single HTTP form field whose name starts with proto... causes the library to mutate...

8.2CVSS5.8AI score0.00282EPSS

CVE•added 2026/05/29 1:40 p.m.•11 views

CVE-2026-46510

CVE-2026-46510 affects form-data-objectizer

8.2CVSS5.8AI score0.00282EPSS

CNNVD•added 2026/05/29 12:0 a.m.•5 views

form-data-objectizer 安全漏洞

form-data-objectizer is a form data-to-object conversion tool developed by Kasper Stöckel. Versions of form-data-objectizer prior to 1.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of filtering for proto, constructor, or prototype when handling bracket notati...

8.2CVSS5.8AI score0.00282EPSS

Positive Technologies•added 2026/05/28 12:0 a.m.•7 views

PT-2026-44387

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary...

8.2CVSS6AI score0.00181EPSS