Lucene search
K
AttackerkbMost viewed

74784 matches found

ATTACKERKB
ATTACKERKB
•added 2026/05/23 6:30 p.m.•12 views

CVE-2018-25353

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the...

8.8CVSS6AI score0.00452EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
•added 2026/05/23 11:44 a.m.•12 views

CVE-2026-43503

In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers pskbcopyfclone and skbshift fail to propagate the SKBFLSHAREDFRAG bit in skbshinfo-flags when moving frags from source to...

5.7AI score0.00135EPSS
Exploits7References16Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/22 10:3 p.m.•12 views

CVE-2026-41090

Improper neutralization of special elements used in a command 'command injection' in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network...

9.3CVSS5.8AI score0.0042EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
•added 2026/05/22 7:47 p.m.•12 views

CVE-2026-40610

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento...

5.5CVSS5.8AI score0.00284EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/22 8:29 a.m.•12 views

CVE-2026-8381

A broken access control vulnerability exists in the TeamViewer DEX Platform On‑Premises prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for...

5.4CVSS5.8AI score0.00141EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
•added 2026/05/22 2:31 a.m.•12 views

CVE-2026-46598

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used...

5.8AI score0.00313EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
•added 2026/05/21 9:23 p.m.•12 views

CVE-2026-8434

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file rescanMultiple. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.0013EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 8:30 p.m.•12 views

CVE-2026-8352

REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage...

5.8AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 5:9 p.m.•12 views

CVE-2026-48220

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frmaddstr POST parameter directly into an HTML form hidden input value attribute...

5.4CVSS5.8AI score0.00212EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
•added 2026/05/21 2:8 p.m.•12 views

CVE-2026-1816

Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation TEİAŞ Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 1:3 p.m.•12 views

CVE-2026-34927

An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability...

7.8CVSS6AI score0.00246EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
•added 2026/05/21 12:17 p.m.•12 views

CVE-2026-43502

In the Linux kernel, the following vulnerability has been resolved: net/rds: handle zerocopy send cleanup before the message is queued A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy stat...

5.7AI score0.00123EPSS
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 12:17 p.m.•12 views

CVE-2026-43501

In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve maclen headroom when recompressed SRH grows ipv6rplsrhrcv decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6hdr-daddr, recompresses, then pulls the old header and pushes the new on...

5.7AI score0.00475EPSS
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 8:14 a.m.•12 views

CVE-2026-44075

A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPTATTNQUANT switch case to fall through into DSIOPTSERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI...

3.7CVSS5.8AI score0.00329EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 8:14 a.m.•12 views

CVE-2026-44074

Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker to cause a minor service disruption via conditions that trigger incorrect error-handling paths...

3.7CVSS5.8AI score0.00329EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/21 7:35 a.m.•12 views

CVE-2026-7835

A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing...

3.1CVSS5.8AI score0.00294EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/20 1:35 p.m.•12 views

CVE-2026-8467

Code Injection vulnerability in phenixdigital phoenixstorybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handleevent/3...

9.5CVSS6.6AI score0.00907EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/20 1:10 p.m.•12 views

CVE-2026-5946

Multiple flaws have been identified in named related to the handling of DNS messages whose CLASS is not Internet IN — for example, CHAOS or HESIOD, or DNS messages that specify meta-classes ANY or NONE in the question section. Specially crafted requests reaching the affected code paths — recursio...

7.5CVSS5.9AI score0.0181EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/20 1:9 p.m.•12 views

CVE-2026-41091

Improper link resolution before file access 'link following' in Microsoft Defender allows an authorized attacker to elevate privileges locally...

7.8CVSS5.8AI score0.08371EPSS
Exploits2References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/20 3:3 a.m.•12 views

CVE-2026-24163

NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure...

7.5CVSS5.8AI score0.00594EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
•added 2026/05/20 1:25 a.m.•12 views

CVE-2026-7472

The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of escsql without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit and...

4.9CVSS6AI score0.00448EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
•added 2026/05/20 1:25 a.m.•12 views

CVE-2026-3985

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkoutuuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

7.5CVSS5.9AI score0.00391EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
•added 2026/05/19 10:29 p.m.•12 views

CVE-2026-8492

Modification of Assumed-Immutable Data MAID vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5...

5.8AI score0.00236EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
•added 2026/05/19 8:38 p.m.•12 views

CVE-2026-34233

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators onl...

6.5CVSS5.7AI score0.0028EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/19 6:33 p.m.•12 views

CVE-2026-8096

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

6.5CVSS5.7AI score0.00404EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
•added 2026/05/19 12:30 p.m.•12 views

CVE-2026-8975

Memory safety bugs present in Firefox ESR 115.35, Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox...

8.8CVSS6AI score0.00429EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
•added 2026/05/19 12:30 p.m.•12 views

CVE-2026-8968

Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11...

7.5CVSS5.8AI score0.00413EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
•added 2026/05/19 12:29 p.m.•12 views

CVE-2026-8946

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11...

7.5CVSS5.8AI score0.0056EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
•added 2026/05/19 9:27 a.m.•12 views

CVE-2026-31387

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

5.8AI score0.00515EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
•added 2026/05/19 6:4 a.m.•12 views

CVE-2026-8830

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.8AI score0.00392EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
•added 2026/05/19 5:0 a.m.•12 views

CVE-2026-8814

Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data Data Amplification due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containi...

6.9CVSS5.8AI score0.00464EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
•added 2026/05/19 3:8 a.m.•12 views

CVE-2026-25850

in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak...

5.5CVSS5.8AI score0.00118EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/19 12:46 a.m.•12 views

CVE-2026-33233

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with...

7.6CVSS6AI score0.0023EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/18 9:51 p.m.•12 views

CVE-2026-27892

FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadat...

6.5CVSS5.7AI score0.00227EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/18 7:31 p.m.•12 views

CVE-2026-47090

Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can...

4.6CVSS6AI score0.00104EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
•added 2026/05/18 6:6 p.m.•12 views

CVE-2026-45230

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...

9.1CVSS5.9AI score0.00626EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
•added 2026/05/18 6:0 a.m.•12 views

CVE-2026-6381

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks...

7.5CVSS5.8AI score0.00383EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
•added 2026/05/18 12:0 a.m.•12 views

CVE-2026-29965

HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting XSS in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
•added 2026/05/17 11:45 p.m.•12 views

CVE-2026-8772

A weakness has been identified in linlinjava litemall up to 1.8.0. Affected is an unknown function of the component Admin Endpoint. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for...

5.8CVSS5.6AI score0.00206EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/17 10:30 p.m.•12 views

CVE-2026-8767

A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an...

5CVSS5.2AI score0.04261EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/17 12:11 p.m.•12 views

CVE-2018-25328

VX Search 10.6.18 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying an oversized string in the directory field. Attackers can craft a malicious input file containing 271 bytes of junk data followed by a return address to execute...

8.6CVSS6.4AI score0.00148EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/17 3:30 a.m.•12 views

CVE-2026-8729

A vulnerability was detected in Open5GS up to 2.7.7. This affects an unknown function in the library /lib/sbi/message.c of the component NRF. Performing a manipulation of the argument service-names/snssais results in denial of service. The attack is possible to be carried out remotely. The exploi...

5.3CVSS5.5AI score0.0039EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
•added 2026/05/16 10:30 p.m.•12 views

CVE-2026-6050

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

5.7AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
•added 2026/05/16 3:26 p.m.•12 views

CVE-2021-47979

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted filename and foldername parameters to delete...

8.8CVSS5.9AI score0.00397EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/16 3:26 p.m.•12 views

CVE-2021-47969

Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350,000 repeated characters and paste it twice into a new note to cause the...

8.7CVSS5.8AI score0.00284EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/16 3:25 p.m.•12 views

CVE-2020-37243

Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and...

8.8CVSS6AI score0.00276EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/16 3:25 p.m.•12 views

CVE-2020-37237

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner...

6.4CVSS5.7AI score0.00239EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/15 10:18 p.m.•12 views

CVE-2026-8704

Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified...

5.8AI score0.00318EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
•added 2026/05/15 7:18 p.m.•12 views

CVE-2026-45399

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST...

7.1CVSS5.8AI score0.0027EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/05/15 6:36 p.m.•12 views

CVE-2026-46359

phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attackers with Azure AD accounts containing SQL metacharacters in display names or JWT claims can break...

7.5CVSS6.1AI score0.00212EPSS
Exploits0References3
Total number of security vulnerabilities5000