Lucene search
K

341087 matches found

GithubExploit
GithubExploit
added 7 hours ago17 views

Exploit for Unrestricted Upload of File with Dangerous Type in Ollyo Sp_Page_Builder

CVE-2026-48908 — SP Page Builder Joomla Unauthenticated RCE...

10CVSS6.8AI score0.00803EPSS
Exploits5
EUVD
EUVD
added 8 hours ago6 views

EUVD-2026-41954

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS5.9AI score
Exploits0References5
NVD
NVD
added yesterday5 views

CVE-2026-59710

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS
Exploits0References4
NVD
NVD
added yesterday4 views

CVE-2026-34599

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership lowest privilege member role to execute...

8.8CVSS
Exploits0References4
NVD
NVD
added yesterday5 views

CVE-2026-34167

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's Locked attribute. It loads activities via Activity::find$this-activityId wit...

5CVSS
Exploits0References4
Github Security Blog
Github Security Blog
added yesterday4 views

OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export

Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is...

6.3AI score
Exploits0References3Affected Software1
OSV
OSV
added yesterday3 views

GHSA-CGFV-JRFP-2R7V OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export

Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is...

7.2CVSS6.3AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-XRQC-P465-2XVG Craft CMS: Stored XSS via Structure entry title in table view

Stored XSS via Structure entry title in table view Summary An Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the...

5.9CVSS6AI score0.00412EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added yesterday2 views

Craft CMS: Stored XSS via Structure entry title in table view

Stored XSS via Structure entry title in table view Summary An Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the...

5.9CVSS6AI score0.00412EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added yesterday5 views

EUVD-2026-41959

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's Locked attribute. It loads activities via Activity::find$this-activityId wit...

5CVSS6AI score
Exploits0References4
CVE
CVE
added yesterday14 views

CVE-2026-34167

Coolify (open-source self-hosted) has a vulnerability in the ActivityMonitor Livewire component prior to version 4.0.0-beta.471: a public $activityId property is not protected with Livewire’s #[Locked] attribute, allowing any authenticated user to enumerate activity records across all teams and r...

5CVSS6AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-34167

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's Locked attribute. It loads activities via Activity::find$this-activityId wit...

5CVSS6AI score
Exploits0References5Affected Software1
Cvelist
Cvelist
added yesterday19 views

CVE-2026-34167 Coolify: Cross-tenant activity log disclosure via unlocked Livewire property in ActivityMonitor

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's Locked attribute. It loads activities via Activity::find$this-activityId wit...

5CVSS
Exploits0References4
EUVD
EUVD
added yesterday5 views

EUVD-2026-41957

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership lowest privilege member role to execute...

8.8CVSS6.2AI score
Exploits0References4
CVE
CVE
added yesterday6 views

CVE-2026-34599

CVE-2026-34599 affects Coolify prior to 4.0.0-beta.471. An authenticated user with team membership can trigger command injection in the GetLogs Livewire component because the public property $container is interpolated directly into shell commands (docker logs, docker service logs) without sanitiz...

8.8CVSS6.2AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-34599

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership lowest privilege member role to execute...

8.8CVSS6.2AI score
Exploits0References5Affected Software1
Cvelist
Cvelist
added yesterday16 views

CVE-2026-34599 Coolify: Authenticated Remote Code Execution in GetLogs Livewire Component

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, there is an authenticated command injection vulnerability in the GetLogs Livewire component which allows users with team membership lowest privilege member role to execute...

8.8CVSS
Exploits0References4
CVE
CVE
added yesterday4 views

CVE-2026-59710

Showdown (the Showdown library) contains a stored XSS flaw in parseHeaders (src/subParsers/makehtml/tables.js) where table header ID attributes are not properly escaped. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in Markdown table headers...

6.1CVSS5.9AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-59710

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS5.9AI score
Exploits0References5
Cvelist
Cvelist
added yesterday17 views

CVE-2026-59710 showdown - Stored XSS via Unescaped Table Header ID Attribute Injection

showdown contains a stored cross-site scripting vulnerability in the parseHeaders function of src/subParsers/makehtml/tables.js that fails to properly escape table header ID attributes. Attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdo...

6.1CVSS
Exploits0References4
Rows per page
Query Builder