Lucene search
K
AttackerkbMost viewed

75017 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/18 6:6 p.m.13 views

CVE-2026-45230

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...

9.1CVSS5.9AI score0.00626EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/18 5:3 p.m.13 views

CVE-2026-45494

Microsoft Edge Chromium-based Spoofing Vulnerability...

5.4CVSS5.8AI score0.00302EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/18 8:45 a.m.13 views

CVE-2026-3471

Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling window.open'javascript:alert';. Mattermost Advisory ID: MMSA-2026-00...

6.5CVSS5.8AI score0.00184EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/18 6:53 a.m.13 views

CVE-2026-3637

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check the createpost channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/17 12:11 p.m.13 views

CVE-2018-25325

Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the deleteexportfile AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename paramet...

8.7CVSS5.9AI score0.00613EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/17 12:11 p.m.13 views

CVE-2018-25322

Allok Fast AVI MPEG Splitter 1.2 contains a stack based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious license name string. Attackers can craft a payload with 780 bytes of junk data followed by structured shellcode and place it in the...

8.6CVSS6.4AI score0.00148EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/17 6:45 a.m.13 views

CVE-2026-8737

A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argume...

6.9CVSS5.8AI score0.00403EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/16 3:25 p.m.13 views

CVE-2020-37237

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner...

6.4CVSS5.7AI score0.00239EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:45 p.m.13 views

CVE-2026-44549

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated...

7.3CVSS5.8AI score0.00318EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 9:41 p.m.13 views

CVE-2026-45667

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, GET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDINGFUNCTION.... This allows any unauthenticated caller to trigger embedding generati...

6.5CVSS5.8AI score0.00341EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 7:26 p.m.13 views

CVE-2026-44564

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the ydoc:document:update Socket.IO event handler checks whether the sender is a member of the document's Socket.IO room line 678 but does not verify that the sender has write...

5.4CVSS5.8AI score0.0022EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 6:36 p.m.13 views

CVE-2021-47962

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edituser endpoint, which execute in th...

6.4CVSS5.7AI score0.00243EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/15 2:6 a.m.13 views

CVE-2026-7373

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. When started the metasploitPostgreSQL service would start the postgres.exe child process which would in turn load an OpenSSL configuration file from a stat...

9.3CVSS6AI score0.0017EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8587

Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. Chromium security severity: Medium...

8.8CVSS6.2AI score0.00175EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8566

Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. Chromium security severity: Medium...

5.8AI score0.00182EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8556

Inappropriate implementation in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

5.8AI score0.002EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8553

Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: High...

3.1CVSS5.8AI score0.00158EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8546

Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. Chromium security severity: High...

5.3CVSS5.8AI score0.00205EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8529

Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. Chromium security severity: High...

8.8CVSS6.4AI score0.00301EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8527

Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

8.8CVSS6.2AI score0.00291EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8558

Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

8.8CVSS6.2AI score0.0028EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 7:52 p.m.13 views

CVE-2026-8523

Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

8.3CVSS5.8AI score0.00207EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 4:8 p.m.13 views

CVE-2025-62316

HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions...

2.3CVSS5.8AI score0.00106EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 4:8 p.m.13 views

CVE-2026-20224

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system. The attacker does not need to have valid user credentials. This vulnerability is due to improper...

8.6CVSS6AI score0.00696EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 2:32 p.m.13 views

CVE-2025-62619

Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality...

6.3CVSS5.8AI score0.00321EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/14 5:33 a.m.13 views

CVE-2026-7481

GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary JavaScript in other users' browsers due to improper input...

8.7CVSS6.1AI score0.00256EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 9:32 p.m.13 views

CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

8.5CVSS6AI score0.00266EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 6:26 p.m.13 views

CVE-2026-8466

Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboyreq:readpart/3 in src/cowboyreq.erl accumulates incoming request bytes into a Buffer binary with no upper-bound chec...

8.2CVSS5.9AI score0.00382EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 4:57 p.m.13 views

CVE-2026-44576

Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker...

5.4CVSS5.8AI score0.0025EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 4:56 p.m.13 views

CVE-2026-44574

Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the...

8.1CVSS5.8AI score0.00485EPSS
Exploits2References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 3:17 p.m.13 views

CVE-2026-44432

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion 1 during the second HTTPResponse.readamt=N call when the response was decompressed using the official Brotli library or 2 when...

8.9CVSS5.8AI score0.0068EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 2:22 p.m.13 views

CVE-2020-37168

Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint,...

9.8CVSS5.8AI score0.00246EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 2:12 p.m.13 views

CVE-2026-42408

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell tmsh command that may allow a highly privileged authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

6.7CVSS5.8AI score0.00083EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 2:12 p.m.13 views

CVE-2026-28758

When BIG-IP DNS is provisioned, a vulnerability exists in the gtmadd and bigipadd iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to...

6.7CVSS5.8AI score0.00083EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 8:28 a.m.13 views

CVE-2026-6253

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. whil...

5.8AI score0.00639EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/13 5:44 a.m.13 views

CVE-2026-44612

Bytello Share Windows Edition installer executable provided by Bytello insecurely loads Dynamic Link Libraries. If there is a crafted DLL at the same directory when invoking the affected installer, arbitrary code may be executed with the privilege of the user invoking the installer...

8.4CVSS7.3AI score0.00123EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/12 8:43 p.m.13 views

CVE-2026-44403

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session...

8.6CVSS6.5AI score0.02643EPSS
Exploits5References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/12 4:59 p.m.13 views

CVE-2026-40370

External control of file name or path in SQL Server allows an authorized attacker to execute code over a network...

8.8CVSS6AI score0.00555EPSS
Exploits0References2Affected Software10
ATTACKERKB
ATTACKERKB
added 2026/05/12 4:59 p.m.13 views

CVE-2026-42896

Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally...

7.8CVSS5.8AI score0.00284EPSS
Exploits0References2Affected Software5
ATTACKERKB
ATTACKERKB
added 2026/05/12 4:58 p.m.13 views

CVE-2026-40379

Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network...

9.3CVSS5.8AI score0.0091EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 11:2 a.m.13 views

CVE-2026-45210

Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through = 1.52.2...

5.4CVSS5.8AI score0.0017EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 8:21 a.m.13 views

CVE-2026-41551

A vulnerability has been identified in ROS All versions V2.2.2. Affected versions contain a path traversal vulnerability because user input is not properly sanitized. This could allow a remote attacker to access arbitrary files on the device...

9.3CVSS5.9AI score0.00487EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 8:21 a.m.13 views

CVE-2026-41125

A vulnerability has been identified in blueplanet 100 NX3 M8 All versions, blueplanet 100 TL3 GEN2 All versions, blueplanet 105 TL3 All versions, blueplanet 105 TL3 GEN2 All versions, blueplanet 110 TL3 All versions, blueplanet 125 NX3 M10 All versions, blueplanet 125 TL3 All versions, blueplanet...

6CVSS7.2AI score0.00155EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 2:21 a.m.13 views

CVE-2026-40133

Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the...

6.3CVSS5.8AI score0.00216EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/11 4:48 p.m.13 views

CVE-2026-34093

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Specials/SpecialUserRights.Php. This issue affects MediaWiki: from before 1.43.7, 1.44.4, 1.45.2...

4.8CVSS5.8AI score0.00227EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/11 4:30 p.m.13 views

CVE-2026-2393

A Server-Side Request Forgery SSRF vulnerability exists in MLflow versions prior to 3.9.0. The createwebhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the sendwebhookrequest function in mlflow/webhooks/delivery.py sends HTTP POST request...

7.1CVSS7.3AI score0.00288EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/05/10 8:15 p.m.13 views

CVE-2026-45190

Net::CIDR::Lite versions before 0.24 for Perl does not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the inp...

5.8AI score0.00311EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:52 p.m.13 views

CVE-2021-47950

Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the semotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in...

6.4CVSS5.7AI score0.00187EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:43 p.m.13 views

CVE-2021-47935

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint wi...

8.8CVSS6.7AI score0.00927EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:12 p.m.13 views

CVE-2022-50945

WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dadyinputtext or dady2inputtext fields via...

6.4CVSS6AI score0.00217EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000