Lucene search
K

3332 matches found

Nuclei
Nuclei
added yesterday253 views

Vite - Arbitrary File Read

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...

7.5CVSS6.7AI score0.74998EPSS
Exploits28References2
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-55804 Drupal core - Moderately critical - Gadget chain - SA-CORE-2026-006

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...

0.00161EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-15080 Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

Cross-Site Request Forgery CSRF vulnerability in Drupal Ray Enterprise Translation allows Cross Site Request Forgery. This issue affects Ray Enterprise Translation versions: from 0.0.0 to 4.0.4, from 4.1.0 to 4.1.4, from 11.0.0 to 11.0.4...

0.00119EPSS
Exploits0References1
OSV
OSV
added 4 days ago2 views

CVE-2026-58588 Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting XSS. This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1...

6.1CVSS6.1AI score0.00204EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-42876

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value a...

2.1CVSS6.1AI score0.00146EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago38 views

CVE-2026-45780 Discourse: Private event sample invitees are serialized to non-invited event viewers

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS0.00399EPSS
Exploits0References9
CVE
CVE
added 5 days ago14 views

CVE-2026-57054

CVE-2026-57054 describes a Use of Incorrectly-Resolved Name or Reference vulnerability in the URL filtering plugin of Juniper Networks Junos OS on MX Series. The issue allows an unauthenticated, network-based attacker to bypass web filtering and access downstream resources that should be unreacha...

6.9CVSS6AI score0.00347EPSS
Exploits0References1Affected Software1
Debian CVE
Debian CVE
added 6 days ago6 views

CVE-2026-59869

js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in...

7.5CVSS6AI score0.0035EPSS
Exploits1
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-56589

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 15.7 through 18.11.6 GitLab CE/EE versions 19.0 through 19.0.3 GitLab CE/EE versions 19.1 through 19.1.1 Description An issue exists where improper sanitization of user-supplied input could allow an authenticated user to...

7.3CVSS6.3AI score0.00243EPSS
Exploits0References7
Cvelist
Cvelist
added last week30 views

CVE-2026-55078 Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.17.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no...

6.5CVSS0.00602EPSS
Exploits0References6
CVE
CVE
added last week14 views

CVE-2026-53935

Summary: CVE-2026-53935 affects Cilium versions prior to 1.17.16, 1.18.2–1.18.9, and 1.19.0–1.19.3. An attacker who can create a CiliumLocalRedirectPolicy may specify arbitrary ClusterIPs via addressMatcher, enabling cross-namespace traffic hijacking to Services and bypassing serviceMatcher names...

6.9CVSS6AI score0.00341EPSS
Exploits0References7
NVD
NVD
added last week8 views

CVE-2026-53878

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. DomainNameValidator does not prohibit newlines in domain names unless used via a form field, since CharField strips newlines. If an application uses values with newlines in an HTTP response, header injection can occur. Djan...

6.1CVSS0.00217EPSS
Exploits0References3
CVE
CVE
added last week14 views

CVE-2026-53878

CVE-2026-53878 affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The issue lies in DomainNameValidator not prohibiting newlines in domain names, which can enable header injection if an application places such values in an HTTP response. Django itself remains unaffected because HttpResponse b...

6.1CVSS5.8AI score0.00217EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added last week7 views

EUVD-2026-42043

An issue was discovered in Django 6.0 before 6.0.7 and 5.2 before 5.2.16. UpdateCacheMiddleware and the cachepage decorator cache responses that vary on cookies when the incoming request carries unrelated cookies, which allows remote attackers to read private data from the shared cache. Earlier,...

3.1CVSS6AI score0.00375EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 3:49 a.m.16 views

CVE-2026-27790

CVE-2026-27790 affects the T20 Readers integration within Command Centre. An uncaught exception (CWE-248) in the system allows an authenticated and authorized operator to trigger a restart by sending specific requests, causing a temporary denial of service. Affected versions include: 9.50 prior t...

2.7CVSS6AI score0.00227EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/07/07 2:31 a.m.7 views

SUSE CVE-2026-14355

In PHP versions 8.2. before 8.2.32, 8.3. before 8.3.32, 8.4. before 8.4.23, 8.5. before 8.5.8, the AES-WRAP-PAD algorithm implementation in OpenSSL extension contains a buffer allocation flaw. The output buffer for the AES key-wrap-with-padding operation is sized from the plaintext length without...

5.6CVSS6.1AI score0.00306EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/06 8:20 p.m.48 views

CVE-2026-54764 ForwardAuth middleware leaks X-Forwarded-Port spoofing via untrusted X-Forwarded-Proto when trustForwardHeader=false

Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's ForwardAuth middleware, even when configured with trustForwardHeader: false, derives the X-Forwarded-Port header sent to the authentication service from the original incoming request instead of t...

6.9CVSS0.0029EPSS
Exploits0References3
NVD
NVD
added 2026/07/06 11:16 a.m.9 views

CVE-2026-46587

Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue...

7.3CVSS0.00399EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:34 a.m.9 views

CVE-2026-49042

Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue...

7.3CVSS5.9AI score0.00399EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-46590

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

8.8CVSS0.00485EPSS
Exploits0References1
Rows per page
Query Builder