Lucene search
K

537 matches found

CVE
CVE
added 2026/04/16 6:44 a.m.12 views

CVE-2026-3995

CVE-2026-3995 concerns the OPEN-BRAIN WordPress plugin (versions up to 0.5.0). The vulnerability arises in the API Key settings field, where insufficient input sanitization and output escaping allow an authenticated Administrator to inject stored cross-site scripting payloads. Specifically, sanit...

4.4CVSS5.9AI score0.00345EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/04/16 6:44 a.m.4 views

CVE-2026-3995

The OPEN-BRAIN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' settings field in all versions up to, and including, 0.5.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield which strips HTML tags but does not...

4.4CVSS5.9AI score0.00345EPSS
Exploits0References10
Github Security Blog
Github Security Blog
added 2026/04/15 3:31 p.m.11 views

NietThijmen ShoppingCart: Command injection in the connect function

Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field...

8.4CVSS6.6AI score0.00558EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/04/15 9:16 a.m.3 views

CVE-2026-4011

The Power Charts Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the pc shortcode in all versions up to, and including, 0.1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute. Specifically, in the...

6.4CVSS0.00265EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/14 1:39 a.m.7 views

EUVD-2026-22188

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to a user-provided U...

4.3CVSS5.7AI score0.00227EPSS
Exploits1References1
NVD
NVD
added 2026/04/13 1:16 p.m.3 views

CVE-2026-34476

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes this issue...

7.1CVSS0.00346EPSS
Exploits0References2
OSV
OSV
added 2026/04/12 3:30 a.m.11 views

GHSA-R5V8-C28H-F8R8 MetaGPT affected by server-side request forgery in metagpt/utils/common.py

A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.2. This impacts the function decodeimage of the file metagpt/utils/common.py. The manipulation of the argument imgurlorb64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit ha...

6.3CVSS6.2AI score0.00263EPSS
Exploits1References7
OSV
OSV
added 2026/04/07 12:41 a.m.5 views

CLEANSTART-2026-GG94489 go-retryablehttp prior to 0

Multiple security vulnerabilities affect the prometheus package. go-retryablehttp prior to 0. See references for individual vulnerability details...

9.8CVSS7.1AI score0.99999EPSS
Exploits19References13
NVD
NVD
added 2026/04/06 5:17 p.m.4 views

CVE-2026-34975

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME...

8.5CVSS0.00194EPSS
Exploits2References1
Cvelist
Cvelist
added 2026/04/06 4:19 p.m.19 views

CVE-2026-34981 whisperX REST API: SSRF in download_from_url() — URL validation happens after HTTP request, extension bypass via .mp3

The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.downloadfromurl in app/services/fileservice.py calls requests.geturl with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by...

5.8CVSS0.00252EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/06 4:10 p.m.18 views

CVE-2026-34975 Plunk has a CRLF Email Header Injection in raw MIME message construction allows authenticated API user to inject arbitrary email headers

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME...

8.5CVSS0.00194EPSS
Exploits2References1
EUVD
EUVD
added 2026/04/06 3:40 p.m.8 views

EUVD-2026-19351

vLLM is an inference and serving engine for large language models LLMs. From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...

6.5CVSS5.9AI score0.0033EPSS
Exploits0References3
NVD
NVD
added 2026/04/06 5:16 a.m.6 views

CVE-2026-5619

A flaw has been found in Braffolk mcp-summarization-functions up to 0.1.5. This impacts an unknown function of the file src/server/mcp-server.ts of the component summarizecommand. Executing a manipulation of the argument command can lead to os command injection. The attack requires local access...

5.3CVSS0.00694EPSS
Exploits0References4
OSV
OSV
added 2026/04/06 2:52 a.m.2 views

CLEANSTART-2026-NB78893 Security fixes for CVE-2025-47911, CVE-2025-58190, CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-64715, CVE-2025-68119, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, CVE-2026-33726 applied in versions: 0.13.3-r0, 0.13.3-r1

Multiple security vulnerabilities affect the hubble-ui-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

9.1CVSS6.8AI score0.01945EPSS
Exploits3References25
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.12 views

PT-2026-30387

Name of the Vulnerable Software and Affected Versions MoussaabBadla code-screenshot-mcp versions up to 0.1.0 Description A security issue exists in the HTTP Interface component of MoussaabBadla code-screenshot-mcp. This allows for os command injection, potentially enabling remote attacks. The...

6.5CVSS6.4AI score0.01455EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/04/03 12:0 a.m.4 views

PT-2026-29970

Name of the Vulnerable Software and Affected Versions Shynet versions prior to 0.14.0 Description Shynet versions before 0.14.0 are susceptible to Host header injection within the password reset process. Recommendations Update Shynet to version 0.14.0 or later...

6.5CVSS5.2AI score0.00103EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/04/02 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-34441

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.40.0, cpp-httplib is vulnerable to HTTP Request Smuggling...

6.5CVSS5.6AI score0.00196EPSS
Exploits1References3
NVD
NVD
added 2026/04/01 10:16 p.m.4 views

CVE-2026-34567

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when creating or editing blog posts within the Categories...

9.1CVSS0.00269EPSS
Exploits1References2
CVE
CVE
added 2026/04/01 9:29 p.m.16 views

CVE-2026-34569

CI4MS is a CodeIgniter 4–based CMS skeleton. Prior to version 0.31.0.0, it fails to sanitize input when creating/editing blog categories, allowing stored XSS via the category title that is rendered unsafely across public blog/category pages and admin views. The issue is fixed in 0.31.0.0. The CVS...

9.9CVSS5.7AI score0.00324EPSS
Exploits1References2Affected Software1
vulnersOsv
vulnersOsv
added 2026/04/01 8:25 p.m.7 views

openwebui-token-tracking (=0.1.7) potentially affected by CVE-2026-34222 via open-webui (=0.6.0)

open-webui PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - openwebui-token-tracking =0.1.7 Source cves: CVE-2026-34222 Source advisory: OSV:GHSA-7429-HXCV-268M...

7.7CVSS5.8AI score0.05271EPSS
Exploits1
Rows per page
Query Builder