Lucene search
K

148467 matches found

CVE
CVE
added 2026/05/15 7:30 a.m.114 views

CVE-2026-8398

The CVE-2026-8398 entry concerns a supply-chain compromise of DAEMON Tools Lite Windows installers (versions 12.5.0.2421–12.5.0.2434) distributed via daemon-tools.cc. Attackers allegedly gained access to AVB Disc Soft’s build/distribution infrastructure and trojanized three binaries—DTHelper.exe,...

9.8CVSS5.8AI score0.01456EPSS
In wildExploits1References3Affected Software1
Snyk
Snyk
added 2026/05/14 11:28 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the websiteUrl field, which is interpolated into an HTML attribute without proper encoding of quote characters. An attacker can execute arbitrary JavaScript in the context of users visiting the catalogue UI b...

5.4CVSS5.8AI score0.00167EPSS
Exploits1References2
NVD
NVD
added 2026/05/14 9:16 p.m.17 views

CVE-2026-44429

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...

5.4CVSS0.00167EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/14 9:5 p.m.35 views

CVE-2026-44429 MCP Registry: Stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...

5.1CVSS0.00167EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/14 9:5 p.m.8 views

EUVD-2026-30487

The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the public catalogue UI served at GET / file internal/api/handlers/v0/uiindex.html is vulnerable to stored cross-site scripting via the server.websiteUrl field of any published...

5.1CVSS5.8AI score0.00167EPSS
Exploits1References1
CVE
CVE
added 2026/05/14 9:5 p.m.29 views

CVE-2026-44429

CVE-2026-44429 pertains to the MCP Registry. Before 1.7.7, the public catalogue UI at GET / is vulnerable to stored XSS via the server.websiteUrl field in published server.json. Server-side validation (validateWebsiteURL) only checks parsing, absoluteness, and https scheme; it does not reject quo...

5.4CVSS5.7AI score0.00167EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/05/14 8:17 p.m.6 views

GHSA-G39V-CVJH-8FPF Home Assistant MCP Server: YAML config backups written under www/ are served unauthenticated at /local/

Summary When ENABLEYAMLCONFIGEDITING=true, every haconfigsetyaml call backs up the pre-edit file to /www/yamlbackups/, which Home Assistant serves at /local/ with no authentication. Anyone who can reach the HA web interface can download the most recent pre-edit configuration.yaml or other YAML fi...

6.5CVSS5.8AI score
Exploits0References6
Metasploit
Metasploit
added 2026/05/14 7:0 p.m.341 views

Dolibarr ERP/CRM Authenticated Code Injection

Dolibarr ERP/CRM before 17.0.1 allows remote code execution by an authenticated user who has access to the Website module. The application filters lowercase use exploit/unix/http/dolibarrcmsrcecve202330253 msf exploitdolibarrcmsrcecve202330253 show targets ...targets... msf...

8.8CVSS7.9AI score0.79335EPSS
Exploits16
NVD
NVD
added 2026/05/14 4:16 p.m.45 views

CVE-2026-42283

DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the...

7.8CVSS0.00152EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 9:25 a.m.16 views

CVE-2026-2347

Summary : CVE-2026-2347 describes an authorization bypass in the Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website, caused by a user-controlled key. This leads to session hijacking on the affected site. Affected scope : E-Commerce Website before version 4.5.001. Impact as stated :...

9.8CVSS5.8AI score0.00426EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 9:25 a.m.17 views

EUVD-2026-30264

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS5.8AI score0.00426EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 9:21 a.m.47 views

CVE-2025-11024 SQLi in Akıllı Ticaret's E-Commerce Pack

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS0.00358EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 9:21 a.m.19 views

CVE-2025-11024

The CVE-2025-11024 entry describes an SQL injection vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website prior to version 4.5.001. The issue is due to improper neutralization of special elements used in SQL commands, enabling a blind SQL injection. CVSS 3.1 base metr...

9.8CVSS5.8AI score0.00358EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 9:21 a.m.16 views

EUVD-2025-209838

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS5.8AI score0.00358EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.9 views

PT-2026-40900

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS5.8AI score0.00358EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.22 views

Akıllı E-Commerce Website SQL注入漏洞

Akıllı E-Commerce Website is an e-commerce website system developed by the Turkish company Akıllı, aimed at online retail and digital sales scenarios. Versions of Akıllı E-Commerce Website prior to 4.5.001 contained a SQL injection vulnerability. This vulnerability stemmed from improper...

9.8CVSS5.9AI score0.00358EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.10 views

PT-2026-40901

Name of the Vulnerable Software and Affected Versions E-Commerce Website versions prior to 4.5.001 Description An authorization bypass exists due to a user-controlled key, which allows for session hijacking. This is an Insecure Direct Object Reference IDOR, a condition where an application provid...

9.8CVSS5.8AI score0.00426EPSS
Exploits0References5
Packet Storm News
Packet Storm News
added 2026/05/14 12:0 a.m.19 views

Dolibarr ERP/CRM Authenticated Code Injection

Dolibarr ERP/CRM versions prior to 17.0.1 allow remote code execution by an authenticated user who has access to the Website module...

8.8CVSS7.8AI score0.79335EPSS
Exploits16
Packet Storm
Packet Storm
added 2026/05/14 12:0 a.m.93 views

📄 Dolibarr ERP/CRM Authenticated Code Injection

Dolibarr ERP/CRM versions prior to 17.0.1 allow remote code execution by an authenticated user who has access to the Website module. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Dolibarr...

8.8CVSS6.4AI score0.79335EPSS
Exploits16
Cvelist
Cvelist
added 2026/05/13 7:15 p.m.55 views

CVE-2026-44364 misp-modules website - Missing CSRF protection in the website home blueprint

MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerabili...

9.3CVSS0.00185EPSS
Exploits0References1
Rows per page
Query Builder