Lucene search
K

7 matches found

NVD
NVD
added yesterday6 views

CVE-2026-56250

Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable appversions.r2path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2path to point to victim objects, soft-delete the attacker-controlled version, and trigger the...

8.7CVSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 4:47 p.m.35 views

CVE-2026-54557 mise HTTP backend uses raw version path for install symlink destination

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlin...

5.5CVSS0.00175EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 4:47 p.m.22 views

CVE-2026-54557

CVE-2026-54557 affects the mise HTTP backend. Before 2026.6.1, install symlinks were created using the raw resolved version string for non-latest versions, instead of the sanitized version pathname. This allows a repository-controlled .tool-versions entry to cause mise install to create a symlink...

5.5CVSS5.8AI score0.00175EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 3:16 p.m.15 views

CVE-2026-45564

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions////save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.systemf"dos2unix -q cfg". configver is not run...

8.8CVSS0.00304EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 2:4 p.m.11 views

EUVD-2026-36044

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions////save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.systemf"dos2unix -q cfg". configver is not run...

8.8CVSS5.5AI score0.00304EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.10 views

CVE-2026-41211

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

10CVSS5.4AI score0.00311EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/30 2:53 p.m.4 views

CVE-2026-7500

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

5.4CVSS5.3AI score0.00232EPSS
Exploits0References7
Rows per page
Query Builder