Lucene search
+L

1841 matches found

EUVD
EUVD
added 5 hours ago3 views

EUVD-2024-55670

HCL Aftermarket EPC is vulnerable to attack as the application implements an HTML5 cross-origin resource sharing CORS policy for this request that allows access from any domain -Wildcard...

4.2CVSS5.3AI score
Exploits0References1
NVD
NVD
added 16 hours ago5 views

CVE-2026-62387

The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...

7.1CVSS
Exploits0References2
NVD
NVD
added 16 hours ago4 views

CVE-2026-40106

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards or...

4.7CVSS
Exploits0References1
Cvelist
Cvelist
added yesterday8 views

CVE-2026-40106 Wazuh: Heap-based Buffer Overflow in syscheck Registry Wildcard Expansion (LPE / DoS)

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards or...

4.7CVSS
Exploits0References1
CVE
CVE
added yesterday6 views

CVE-2026-40106

Summary: CVE-2026-40106 affects the Windows agent of Wazuh (versions 4.6.0–pre-4.14.5). A heap-based buffer overflow occurs in the syscheck component during registry wildcard expansion. The code allocates a fixed 256-byte heap buffer (OS_SIZE_256); creating a registry subkey of maximum length (25...

4.7CVSS6.1AI score
Exploits0References1
NVD
NVD
added 2 days ago6 views

CVE-2026-56743

Cilium is a networking, observability, and security solution. From 1.19.0 to 1.19.4, standard Kubernetes NetworkPolicy specifications using CIDR-based ipBlock rules without pod or namespace selectors erroneously generate a wildcard namespace allow rule when Cilium is configured with a custom...

5.4CVSS0.00158EPSS
Exploits0References6
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...

9.3CVSS0.00305EPSS
Exploits0References6
CVE
CVE
added 2 days ago10 views

CVE-2026-61736

LightRAG vulnerability CVE-2026-61736 stems from a CORS misconfiguration prior to version 1.5.4: CORS_ORIGINS is set to '*' and allow_credentials=True in lightrag/api/lightrag_server.py, causing Starlette CORSMiddleware to effectively whitelist all origins for credentialed cross-origin requests. ...

9.3CVSS6.1AI score0.00305EPSS
Exploits0References6
OSV
OSV
added 2 days ago3 views

CVE-2026-61736 LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests

LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, the server defaults to CORSORIGINS= combined with allowcredentials=True in lightrag/api/lightragserver.py, causing Starlette CORSMiddleware to effectively whitelist every origin for credentialed cross-origin request...

9.3CVSS6.1AI score0.00305EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2 days ago6 views

nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch

A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS Transport Layer Security hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security...

7.7CVSS6.9AI score0.02486EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2 days ago4 views

crypto/x509: golang: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application

A flaw was found in the crypto/x509 package within Go golang. When verifying a certificate chain, excluded DNS Domain Name System constraints are not correctly applied to wildcard DNS Subject Alternative Names SANs if the case of the SAN differs from the constraint. This oversight could allow an...

8.8CVSS6.1AI score0.0034EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 3 days ago9 views

nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch

A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS Transport Layer Security hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security...

7.7CVSS6.9AI score0.02486EPSS
Exploits0References5
OSV
OSV
added 4 days ago5 views

MAL-2026-10463 Malicious code in node-path-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5dbc52a88818bccd5602eb556ea4bf089dac66c44a2bb1ecbd6fddd6723e9d1d node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry path.js delegates by executing...

6.5AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago6 views

Malicious code in node-path-addon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5dbc52a88818bccd5602eb556ea4bf089dac66c44a2bb1ecbd6fddd6723e9d1d node-path-addon presents itself as an extension of the Node.js built-in 'path' module. Its main entry path.js delegates by executing...

6.5AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 4 days ago5 views

CVE-2026-58252

A flaw was found in NATS Server. An authenticated user could bypass configured access restrictions and receive messages on subjects that were explicitly denied. This occurs when a wildcard subscription overlaps with a wildcard deny rule but is not a direct subset, or when queue subscriptions...

6.5CVSS6AI score0.00465EPSS
Exploits0References10
EUVD
EUVD
added 6 days ago8 views

EUVD-2026-43176

PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...

8.8CVSS6.1AI score0.00322EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-61426 PraisonAI before 1.7.3 Unauthenticated Agent Access via Insecure Defaults

PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...

8.8CVSS0.00322EPSS
Exploits0References2
CVE
CVE
added 6 days ago21 views

CVE-2026-61426

PrasionAI prior to 1.7.3 uses insecure defaults: it binds to all interfaces with no API key and permissive CORS, allowing unauthenticated access. Attacks can read agent instructions/system prompts via GET /api/agents or invoke /api/chat via POST without auth. No explicit remediation details are p...

8.8CVSS6.1AI score0.00322EPSS
Exploits0References2
Microsoft CVE
Microsoft CVE
added 6 days ago4 views

NATS Server: Subscribe Authz Bypass via Wildcard-Overlap

...

6.5CVSS6.1AI score0.00465EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/09 6:27 p.m.33 views

CVE-2026-59148 Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: with write methods...

8.8CVSS0.00173EPSS
Exploits0References5
Rows per page
Query Builder