Lucene search
K

240926 matches found

BDU FSTEC
BDU FSTEC
added yesterday18 views

The vulnerability of the Directum Web Agent component of the Directum RX system, which arises due to insufficient validation of input data, allows a perpetrator to execute arbitrary code.

The vulnerability of the Directum Web Agent component of the Directum RX system exists due to insufficient validation of input data. Exploiting this vulnerability could allow a malicious actor to execute arbitrary code using a specially crafted file...

8.5CVSS6.1AI score
Exploits0Affected Software1
CVE
CVE
added yesterday41 views

CVE-2026-49352

CVE-2026-49352 affects 9router, a Node.js/Next.js AI router. The vulnerability stems from a hardcoded fallback JWT secret, implemented as the public string 9router-default-secret-change-me, used when JWT_SECRET is unset in multiple files. An attacker can forge a valid auth_token cookie and gain a...

9.8CVSS6.1AI score0.0019EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added yesterday8 views

SUSE CVE-2024-10005

A vulnerability was identified in Consul and Consul Enterprise “Consul” such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules...

5.8CVSS7.1AI score0.00731EPSS
Exploits0References5
EUVD
EUVD
added yesterday5 views

EUVD-2026-44748

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefileswritestate6 and statefileswritestate4 without escaping, allowing newline injection of forged lease lin...

9.6CVSS6.1AI score
Exploits0References5
CVE
CVE
added yesterday6 views

CVE-2026-61643

CVE-2026-61643 affects FastGPT (versions 4.14.17 through 4.15.0-beta5). An authenticated user can save a workflow node that points to another user's private HTTP toolset by crafting a saved tool id (e.g., http-/). While normal toolset routes deny access, the workflow save and runtime path did not...

5.9CVSS6.2AI score
Exploits0References2
Github Security Blog
Github Security Blog
added yesterday4 views

MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator

MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API's mcichecklogin function. Any user knowing any valid cookiestring can authenticate as any other user knowing their username, including the administrator, without knowing the target's password. The vulnerability ...

6.1AI score
Exploits0References4Affected Software1
Cvelist
Cvelist
added yesterday7 views

CVE-2026-52842 Lightpanda:URL parser misidentifies page origin for URLs containing @ in the path - Same-Origin Policy bypass

Lightpanda is a headless browser designed for AI and automation. Prior to 0.3.1, Lightpanda searched for @ across the entire URL string instead of only the authority component when computing a page origin, so a URL such as http://attacker.com/@victim.com/ was fetched from attacker.com but treated...

9.3CVSS0.00033EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday7 views

CVE-2026-20146 Cisco Identity Services Engine Path Traversal Vulnerability

A vulnerability in Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system to either read or delete arbitrary files. To exploit this vulnerability, the...

5.5CVSS
Exploits0References1
EUVD
EUVD
added yesterday4 views

EUVD-2026-44716

A vulnerability in Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system to either read or delete arbitrary files. To exploit this vulnerability, the...

5.5CVSS6.2AI score
Exploits0References1
OSV
OSV
added yesterday7 views

BIT-PROMETHEUS-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

6.1CVSS5.9AI score0.0024EPSS
Exploits0References4
Cvelist
Cvelist
added yesterday4 views

CVE-2026-9007 Reflected XSS in HCL Notes

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in HCL Notes from HCL Software allows reflected Cross-Site Scripting XSS. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another user. This issue affects...

5.5CVSS
Exploits0References1
EUVD
EUVD
added yesterday4 views

EUVD-2026-44678

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0-beta5, FastGPT's shared SSRF guard validates only the initial request URL before handing the request to axios, and axios follows redirects by default. An authenticated workflow user can configure an HTTP request node to call an...

6.3CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added yesterday3 views

EUVD-2026-44676

FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/ authenticate only by verifying a JWT signed with INVOKETOKENSECRET, which defaults to the constant string token and was not set in official deployment templates. ...

8.8CVSS6.1AI score
Exploits0References4
NVD
NVD
added yesterday6 views

CVE-2026-59838

A improper neutralization of script-related html tags in a web page basic xss vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.2.0 through 7.2.6, FortiSIEM 7.1 all versions, FortiSIEM 7.0 all versions, FortiSIEM 6.7 all versions, FortiSIEM 6.6 all versions,...

5.9CVSS
Exploits0References1
F5 Networks
F5 Networks
added yesterday6 views

K000161837: Out-of-band Security Notification (July 15, 2026)

Security Advisory Description On July 15, 2026, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. Article CVE|...

9.2CVSS6.1AI score
Exploits0
CVE
CVE
added yesterday4 views

CVE-2026-59838

CVE-2026-59838 is an XSS-type vulnerability described as improper neutralization of script-related HTML tags in Fortinet FortiSIEM. Affected versions span FortiSIEM 7.4.0; 7.3.0–7.3.4; 7.2.0–7.2.6; 7.1.x; 7.0.x; and all 6.x versions (6.4–6.7). The issue could allow an attacker to execute unauthor...

5.9CVSS6.2AI score
Exploits0References1Affected Software1
CVE
CVE
added yesterday7 views

CVE-2026-46458

CVE-2026-46458 affects ICU Scandinavia Boomerang. An information-disclosure flaw allows an unauthenticated attacker to retrieve plaintext credentials by requesting specific XML files from the webroot over static HTTP. The root cause is exposure of sensitive credential files via static HTTP paths....

7.1CVSS6.1AI score
Exploits0References2
NVD
NVD
added yesterday6 views

CVE-2026-61452

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-61430

PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the webcrawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. Attackers can use DNS rebinding to bypass SSRF protection and retrieve internal HTTP response bodies...

8.5CVSS
Exploits0References2
EUVD
EUVD
added yesterday4 views

EUVD-2026-44621

Grav before 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, which is validated against path traversal before Twig processing but never re-validated after rendering. Attackers can submit form data containing path traversal sequences that a...

8.1CVSS6.2AI score
Exploits0References2
Rows per page
Query Builder