Lucene search
K

115 matches found

attackerkb
attackerkb
added 5 days ago6 views

CVE-2026-60124

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS6AI score0.0022EPSS
Exploits0References2
attackerkb
attackerkb
added 5 days ago10 views

CVE-2026-13128

Embedding JavaScript within a PDF file will cause the page to be deleted. Subsequent scripts will continue to access the relevant properties of the document view, eventually leading to the crash of the application...

7.8CVSS5.9AI score0.00116EPSS
Exploits0References2Affected Software2
cvelist
cvelist
added 2026/06/30 11:48 a.m.37 views

CVE-2026-14209 Keycloak-admin-ui: keycloak-admin-ui:admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions

A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions FGAPv2 are enabled, an administrator who should only be able to search for users but not view their full details can use a...

4.3CVSS0.00173EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/26 7:32 p.m.6 views

CVE-2026-44735

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the viewsharedworkpackages permission. The authorization check operates at the project level onl...

6.5CVSS5.8AI score0.0027EPSS
Exploits0References2Affected Software1
nvd
nvd
added 2026/06/24 11:16 p.m.9 views

CVE-2026-39948

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv rather than gfrv with FILTERVALIDATEISREGEX validation and concatenated directly into RLIKE SQL clauses in lib/htmlgraph.php and...

9.8CVSS0.00456EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/06/05 7:24 p.m.9 views

CVE-2026-44653

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only VIEW access to an MCP server can retrieve the server's decrypted admin-managed secrets through GET /api/mcp/servers and GET /api/mcp/servers/:serverName. The returned...

6.5CVSS5.4AI score0.00276EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/06/05 7:20 p.m.12 views

CVE-2026-41189

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through ThreadPolicy::edit, which checks mailbox access but does not apply the assigned-only restriction from ConversationPolicy. A user who cannot view a conversation can...

7.1CVSS5.4AI score0.00223EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:14 p.m.8 views

CVE-2026-4857

IdentityIQ 8.5, all IdentityIQ 8.5 patch levels prior to 8.5p2, IdentityIQ 8.4, and all IdentityIQ 8.4 patch levels prior to 8.4p4 allow authenticated users assigned the Debug Pages Read Only capability or any custom capability with the ViewAccessDebugPage SPRight to incorrectly create new...

8.4CVSS5.4AI score0.00269EPSS
Exploits0References1
github
github
added 2026/06/05 3:52 p.m.15 views

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

Summary The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. Details...

6.9CVSS5.5AI score0.00239EPSS
Exploits0References3Affected Software1
nvd
nvd
added 2026/06/02 11:16 p.m.16 views

CVE-2026-44653

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only VIEW access to an MCP server can retrieve the server's decrypted admin-managed secrets through GET /api/mcp/servers and GET /api/mcp/servers/:serverName. The returned...

6.5CVSS0.00276EPSS
Exploits1References1
euvd
euvd
added 2026/06/02 10:40 p.m.10 views

EUVD-2026-34047

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only VIEW access to an MCP server can retrieve the server's decrypted admin-managed secrets through GET /api/mcp/servers and GET /api/mcp/servers/:serverName. The returned...

6.5CVSS5.7AI score0.00276EPSS
Exploits1References1
vulnrichment
vulnrichment
added 2026/06/02 10:40 p.m.12 views

CVE-2026-44653 LibreChat Shared MCP Server View Leaks Decrypted Admin Secrets

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only VIEW access to an MCP server can retrieve the server's decrypted admin-managed secrets through GET /api/mcp/servers and GET /api/mcp/servers/:serverName. The returned...

6.5CVSS5.7AI score0.00276EPSS
Exploits1References1
redhatcve
redhatcve
added 2026/05/27 8:13 p.m.12 views

CVE-2026-44831

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting XSS. This vulnerability is fixed in 8.4.1...

5.4CVSS5.6AI score0.00218EPSS
Exploits0References1
cvelist
cvelist
added 2026/05/26 7:27 p.m.36 views

CVE-2026-44831 Snipe-IT: XSS vulnerability in component notes

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting XSS. This vulnerability is fixed in 8.4.1...

4.8CVSS0.00218EPSS
Exploits0References2
euvd
euvd
added 2026/05/26 7:27 p.m.18 views

EUVD-2026-31960

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting XSS. This vulnerability is fixed in 8.4.1...

5.4CVSS5.6AI score0.00218EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/05/26 7:27 p.m.10 views

CVE-2026-44831 Snipe-IT: XSS vulnerability in component notes

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting XSS. This vulnerability is fixed in 8.4.1...

4.8CVSS5.6AI score0.00218EPSS
Exploits0References2
cve
cve
added 2026/05/26 7:27 p.m.23 views

CVE-2026-44831

CVE-2026-44831 affects Snipe-IT, an IT asset/license management system. Prior to v8.4.1, users with component view access could trigger stored XSS via an unescaped notes field in the component checkout process. The issue is fixed in v8.4.1 or later. If you are using versions before 8.4.1, upgrade...

5.4CVSS5.6AI score0.00218EPSS
Exploits0References2Affected Software1
github
github
added 2026/05/08 10:23 p.m.12 views

Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)

Impact Users with component view access could be impacted by an unescaped notes column. Patches This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater. Workarounds None...

5.4CVSS5.8AI score0.00218EPSS
Exploits0References4Affected Software1
github
github
added 2026/05/08 8:19 p.m.18 views

Wagtail has improper permission handling when viewing page history

Impact A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. Patches Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References4Affected Software1
ptsecurity
ptsecurity
added 2026/05/08 12:0 a.m.11 views

PT-2026-39232

Name of the Vulnerable Software and Affected Versions Wagtail versions prior to 7.0.7 Wagtail versions prior to 7.3.2 Wagtail versions prior to 7.4 Description A CMS user lacking page editing permissions can access page revisions via the revision compare view by knowing the primary keys of two...

6.5CVSS5.8AI score0.00204EPSS
Exploits0References4
Rows per page
Query Builder