Lucene search
K

328 matches found

CVE
CVE
added 4 days ago11 views

CVE-2026-13231

Summary: CVE-2026-13231 affects Drupal Advanced Content Feedback (admin_feedback). The issue is improper neutralization of input during web page generation, causing a Stored XSS vulnerability. The vulnerable component is the admin_feedback module, with affected versions 0.0.0 through 2.8.0. The r...

6.1CVSS6.1AI score0.00161EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 9:31 a.m.3 views

EUVD-2026-39335

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

9.4CVSS5.8AI score0.00293EPSS
Exploits0References2
NVD
NVD
added 2026/06/25 9:16 a.m.9 views

CVE-2026-41566

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

9.4CVSS0.00293EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 8:4 a.m.28 views

CVE-2026-41566 Apache Kvrocks: Improper permission for the APPLYBATCH command

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: 2.8.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue...

9.4CVSS0.00293EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 8:4 a.m.10 views

CVE-2026-41566

CVE-2026-41566 affects Apache Kvrocks 2.8.0 and is described as an improper handling of insufficient permissions or privileges, specifically related to the APPLYBATCH command. The issue is rated high risk (CVSS 4.0 base 9.4) with impact on confidentiality, integrity, and availability. No exploita...

9.4CVSS5.8AI score0.00293EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/22 4:52 p.m.5 views

CVE-2026-54285

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.11 views

PT-2026-49598

Name of the Vulnerable Software and Affected Versions @opentelemetry/core versions prior to 2.8.0 Description The W3CBaggagePropagator.extract function in @opentelemetry/core fails to enforce size limits when parsing inbound baggage HTTP headers. While the W3C Baggage specification recommends a...

5.3CVSS5.7AI score0.00238EPSS
Exploits0References7
OSV
OSV
added 2026/06/05 8:34 p.m.13 views

GHSA-FXQW-97CC-7G5C Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Impact The admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could: - Disable every...

6.5CVSS5.5AI score0.00221EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/05 8:33 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the store method of sub-form Livewire components used in the product editor. An attacker can modify product pricing, stock, SEO metadata, shipping dimensions, and attached media for any product by tampering with...

7.1CVSS5.8AI score0.00221EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.11 views

CVE-2026-42337

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API chat/api/oss/geturl. The endpoint uses applicationid from the URL path without validating ownership, allowing attackers to perfo...

5.3CVSS5.5AI score0.00207EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/02 4:3 a.m.21 views

CVE-2026-47740

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

8.1CVSS5.8AI score0.00258EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/01 10:3 p.m.22 views

CVE-2026-47742

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor Edit, Inventory, Seo, Shipping, Files had no authorization on their store method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO...

6.5CVSS5.9AI score0.00221EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 7:16 p.m.13 views

CVE-2026-47741

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS0.00239EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/29 6:2 p.m.12 views

EUVD-2026-33409

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/29 5:58 p.m.14 views

CVE-2026-47744 Shopper: Authorization bypass and RBAC privilege escalation in team settings

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...

9.9CVSS6AI score0.00321EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.14 views

PT-2026-44942

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total use counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usage limit wa...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.19 views

PT-2026-44944

Name of the Vulnerable Software and Affected Versions Shopper versions prior to 2.8.0 Description Two authorization defects in the team settings allow an authenticated user to compromise the Role-Based Access Control RBAC system. The endpoint "Settings/Team/Index" lacks mount authorization,...

9.9CVSS6AI score0.00321EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.18 views

PT-2026-44941

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

8.1CVSS5.8AI score0.00258EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.15 views

CVE-2026-42335

MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch chat/api/oss/geturl endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse...

6.3CVSS5.8AI score0.00232EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 8:19 p.m.41 views

CVE-2026-42337 MaxKB: Broken Access Control in MaxKB OSS URL Fetch API

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API chat/api/oss/geturl. The endpoint uses applicationid from the URL path without validating ownership, allowing attackers to perfo...

5.3CVSS0.00207EPSS
Exploits0References1
Rows per page
Query Builder