Lucene search
K

148458 matches found

EUVD
EUVD
added 2026/05/22 2:57 a.m.11 views

EUVD-2026-31401

Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element...

8.2CVSS5.8AI score0.00276EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in Chromium

Before version 92.0.4515.159, using free after functions in WebRTC in Google Chrome allowed an attacker who convinced a user to visit a malicious website to potentially exploit heap corruption through a crafted HTML page...

8.8CVSS6.7AI score0.02118EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in WebKit2GTK

The issue was addressed through improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, tvOS 16.6, macOS Ventura 13.5, Safari 16.6, and watchOS 9.6. A website may be able to bypass the Same Origin Policy...

7.5CVSS6.8AI score0.00967EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.10 views

Astra Linux – Vulnerability in WebKit2GTK

A inconsistent user interface issue has been resolved through improved state management. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1, Safari 17.1, and macOS Sonoma 14.1. Visiting a malicious website may result in address bar spoofing...

7.5CVSS6.7AI score0.0086EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.9 views

Astra Linux – Vulnerability in WebKit2GTK

The issue was resolved by adding additional restrictions on CSS compositing. This issue has been fixed in tvOS 15, watchOS 8, iOS 15, and iPadOS 15. Visiting a maliciously crafted website may reveal a user’s browsing history...

4.7CVSS5.8AI score0.01114EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in WebKit2GTK

There was an issue with URL handling that caused spoofing. This issue has been addressed through improved input validation. This issue is fixed in iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, and Safari 16.2. Visiting a malicious website may result in address bar spoofing...

4.3CVSS6.4AI score0.00965EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/05/20 5:30 a.m.14 views

Important: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

8.8CVSS6.7AI score0.00961EPSS
Exploits2References19
RedHat Linux
RedHat Linux
added 2026/05/20 5:30 a.m.13 views

webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack

A flaw was found in WebKitGTK. A maliciously crafted web page can cause a logic issue due to improper checks and result in a cross-site scripting attack...

4.3CVSS5.6AI score0.00276EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/19 6:33 p.m.13 views

EUVD-2026-30971

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

6.5CVSS5.7AI score0.00404EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/05/19 6:13 p.m.18 views

webkitgtk: A website may be able to track users through Safari web extensions

A flaw was found in WebKitGTK. A malicious website can track users through web extensions due to improper state management...

5.3CVSS7.2AI score0.00222EPSS
Exploits0References5
vulnersOsv
vulnersOsv
added 2026/05/16 3:26 p.m.6 views

an-website (>=24.12.0 <=25.2.0), graphtomation (>=0.0.6 <=0.2.0) +5 more potentially affected by CVE-2021-47952 via jsonpickle (>=4.0.0 <=4.0.1)

jsonpickle PYPI version =4.0.0, =24.12.0, =0.0.6, =4.0.0, =0.1.0, =0.1.1, =0.5.8, =0.5.9 Source cves: CVE-2021-47952 Source advisory: SNYK:PYTHON-JSONPICKLE-16755449...

9.8CVSS5.4AI score0.00696EPSS
Exploits0
GithubExploit
GithubExploit
added 2026/05/15 8:19 p.m.88 views

Vulnerability-Scanner-using-Ollama-3-

Vulnerability Scanning & Exploitation Toolkit A Python-based...

9.8CVSS7.3AI score0.99992EPSS
Exploits148
ATTACKERKB
ATTACKERKB
added 2026/05/15 7:46 a.m.11 views

CVE-2026-8425

The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...

4.3CVSS5.7AI score0.00135EPSS
Exploits0References9
CVE
CVE
added 2026/05/15 7:30 a.m.104 views

CVE-2026-8398

The CVE-2026-8398 entry concerns a supply-chain compromise of DAEMON Tools Lite Windows installers (versions 12.5.0.2421–12.5.0.2434) distributed via daemon-tools.cc. Attackers allegedly gained access to AVB Disc Soft’s build/distribution infrastructure and trojanized three binaries—DTHelper.exe,...

9.8CVSS5.8AI score0.01456EPSS
In wildExploits1References3Affected Software1
Snyk
Snyk
added 2026/05/14 11:28 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the websiteUrl field, which is interpolated into an HTML attribute without proper encoding of quote characters. An attacker can execute arbitrary JavaScript in the context of users visiting the catalogue UI b...

5.4CVSS5.8AI score0.00167EPSS
Exploits1References2
NVD
NVD
added 2026/05/14 9:16 p.m.17 views

CVE-2026-44429

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...

5.4CVSS0.00167EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/14 9:5 p.m.33 views

CVE-2026-44429 MCP Registry: Stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...

5.1CVSS0.00167EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/14 9:5 p.m.7 views

EUVD-2026-30487

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...

5.1CVSS5.8AI score0.00167EPSS
Exploits1References1
CVE
CVE
added 2026/05/14 9:5 p.m.27 views

CVE-2026-44429

CVE-2026-44429 pertains to the MCP Registry. Before 1.7.7, the public catalogue UI at GET / is vulnerable to stored XSS via the server.websiteUrl field in published server.json. Server-side validation (validateWebsiteURL) only checks parsing, absoluteness, and https scheme; it does not reject quo...

5.4CVSS5.7AI score0.00167EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/14 8:17 p.m.5 views

GHSA-G39V-CVJH-8FPF Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/

Summary When ENABLEYAMLCONFIGEDITING=true, every haconfigsetyaml call backs up the pre-edit file to /www/yamlbackups/, which Home Assistant serves at /local/ with no authentication. Anyone who can reach the HA web interface can download the most recent pre-edit configuration.yaml or other YAML fi...

6.5CVSS5.8AI score
Exploits0References6
Rows per page
Query Builder