Lucene search
+L
AttackerkbRecent

76252 matches found

ATTACKERKB
ATTACKERKB
added 1 hour ago4 views

CVE-2026-21764

HCL DevOps Loop is affected by insufficient input validation that allows special characters where they should be restricted. This may result in unintended application behavior under certain conditions...

3.1CVSS5.2AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 1 hour ago3 views

CVE-2026-21762

HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting...

3.7CVSS4.7AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 1 hour ago3 views

CVE-2026-21761

HCL DevOps Loop is affected by a Cross-Origin Resource Sharing CORS misconfiguration. Improper CORS configuration may allow unauthorized cross-origin requests, potentially exposing application resources to untrusted domains...

4.2CVSS5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 1 hour ago3 views

CVE-2026-21760

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality Forced Browsing vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints...

4.6CVSS5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 1 hour ago3 views

CVE-2026-12694

Missing Authorization vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0...

9.1CVSS5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 1 hour ago2 views

CVE-2026-54496

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad 5.0.0, halo2gadgets 0.5.0, orchard 0.14.0, zcashprimitives 0.28.0, and zcashd 6.20.0, the variable-base scalar multiplication gadget in halo2gadgets/src/ecc/chip/mul/incomplete.rs used assignadvice for the base point without a copy...

9.3CVSS5.4AI score
Exploits0References8Affected Software5
ATTACKERKB
ATTACKERKB
added 1 hour ago2 views

CVE-2026-12693

Authorization bypass through User-Controlled key vulnerability in Vimesoft Inc. Enterprise Video Platform allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0...

9.4CVSS5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-16104

A flaw was found in the authentication configuration endpoint of the keycloak-services component, which is the core engine for Red Hat Build of Keycloak identity and access management. The issue occurs because the system fails to mask sensitive configuration values, such as reCAPTCHA secret keys,...

4.3CVSS5.4AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-16103

A flaw was found in the keycloak-services component of Keycloak. This issue is an incomplete fix for CVE-2026-9798, where brute-force protection checks were added to the Client-Initiated Backchannel Authentication CIBA initiation handler but were omitted from the token redemption handler. This...

4.3CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-16106

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-16108

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and...

4.3CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-16093

Keycloak provides a mechanism called Client Policies to enforce security requirements on clients, such as requiring them to use signed JWTs for authentication. A flaw was discovered where this enforcement can be bypassed. An attacker with valid client credentials can provide a fake, unsigned...

5.4CVSS5.5AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-44722

pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfileaes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-1...

6.2CVSS5.3AI score0.00009EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-12692

Unverified password change vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0...

9.8CVSS5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-12691

Missing authentication for critical function vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0...

7.5CVSS5.4AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-49215

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS5.3AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-57860

ForgeCode tailcallhq/forgecode, an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and...

8.4CVSS5.9AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-49216

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, the Stimulus controller in symfony/ux-autocomplete renders AJAX response items in createAutocompleteWithRemoteData by interpolating the text field into HTML template literals $itemlabelField rather than text,...

5.1CVSS5.5AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-63309

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records...

5.3CVSS5.3AI score
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-49211

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards %...

6.9CVSS5.7AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-63308

Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in...

5.3CVSS5.4AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-63307

Chat2DB before 5.3.0 contains an insecure direct object reference vulnerability in the GET /api/connection/datasource/id endpoint. The handler calls dataSourceService.queryExistentid, ... without an ownership check and returns the decrypted password field, allowing any authenticated non-admin use...

7.1CVSS5.4AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-49208

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, when a LiveProp is typed as DateTimeInterface and no explicit format is configured, Symfony\UX\LiveComponent\LiveComponentHydrator::hydrateObjectValue falls back to new $className$value, allowing client-supplied...

6.9CVSS5.3AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-49210

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Util\ChildComponentPartialRenderer::createHtml interpolates the client-controlled childrenid.tag value from LiveComponentSubscriber and InterceptChildComponentRenderSubscriber directly in...

2.3CVSS5.5AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-49212

Symfony UX is a JavaScript ecosystem for Symfony. From 2.8.0 until 2.36.0 and 3.1.0, the HMAC computed by Symfony\UX\LiveComponent\LiveComponentHydrator covered only sorted prop key/value pairs and did not include the component name, the slot identifier props vs propsFromParent, or request contex...

6.9CVSS5.2AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-49209

Symfony UX is a JavaScript ecosystem for Symfony. From 2.5.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\Controller\BatchActionController::invoke iterates over the client-supplied actions array and issues a full HttpKernel sub-request for each entry; because the array size is never bounded, ...

5.3CVSS5.3AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-9588

A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...

7CVSS4.9AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-9587

An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997. The playfile functionality accepts user-controlled input through the soundpath parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying...

7.1CVSS5.4AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-9586

An unauthenticated SQL injection vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997. The /pa endpoint processes XML content beginning with and directly concatenates the user-controlled PhoneIP value into PostgreSQL queries without sanitization or parameterization. An unauthenticated...

9.3CVSS6.7AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-11763

Authorization bypass through User-Controlled key vulnerability in Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. GisLab Laboratory Management System allows Exploitation of Trusted Identifiers. This issue affects GisLab Laboratory Management System: from 1.4.03...

6.5CVSS5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-9585

An unauthenticated reflected cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 104997. The application fails to properly sanitize the portal parameter supplied to the invalidbrowser and invalidbrowserlogin handlers. User-supplied data is reflected into...

8.6CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-63101

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint whic...

8.7CVSS5.5AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2026-8297

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Gis Informatics Engineering Consulting Laboratory R&D and Software Services Inc. GisLab Laboratory Management System allows SQL Injection. This issue affects GisLab Laboratory Management System: fr...

9.8CVSS5.7AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-58148

The Joomla extension ChronoForms is vulnerable to an unauthenticated stored XSS vulnerability...

8.7CVSS5.2AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-60024

The Joomla extension Events Booking prior version 5.8.0 did by default allow unauthenticated users to upload media assets...

5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-58149

The Joomla extension Events Booking is vulnerable to an unauthenticated user enumeration that allows to retrieve account usernames and email addresses...

5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-63100

Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the beforeaction ensureadmin filte...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-60025

The Joomla extension Events Booking prior version 5.8.0 had an frontend file upload endpoint that lacked CSRF protection...

5.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-63099

TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing...

7.1CVSS5.6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-63098

TheHive through 4.1.24 contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by sending a GET request to the /api/status endpoint, which lacks authentication enforcement in the StatusCtrl.scala handler...

6.9CVSS5.4AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-63097

Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint syncapi/routing/context.go that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while...

5.3CVSS5.4AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-63096

Dendrite through 0.13.8 contains a server-side request forgery vulnerability that allows unauthenticated attackers to cause the server to open outbound TLS connections to arbitrary hosts and ports by supplying an unvalidated serverName parameter to the legacy media download endpoint. Attackers ca...

6.9CVSS5.5AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-9537

Mojo::JWT versions before 1.02 for Perl verify HMAC signatures with a non-constant-time string comparison. The decode method compares the supplied signature to the recomputed HMAC with Perl's eq operator, which stops at the first differing byte, so the comparison time varies with the number of...

5.3AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-63095

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint witho...

7.1CVSS5.5AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-15783

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs,...

5.3CVSS5.5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-14741

HTTP::Date versions before 6.08 for Perl allow CPU exhaustion via polynomial regex backtracking in parsedate. parsedate matches the date string against a chain of alternative regexes, and str2time delegates to it. Several of these patterns place unbounded quantifiers next to each other before a...

5.4AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-15343

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker who had code execution inside the Dependabot updater container to write files to arbitrary repository paths, including GitHub Actions workflow files under .github/workflows/ as the path validation d...

8.6CVSS6.3AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago2 views

CVE-2026-15007

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parse...

8.3CVSS5.4AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-12715

Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests. This vulnerability was patched on 15 April 2026, and no...

8.5CVSS5.5AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 3 hours ago3 views

CVE-2026-14871

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization BOLA leading to Insecure Direct Object Reference IDOR in the AJAX ticket-management subsystem...

7.1CVSS5.3AI score
Exploits0References6Affected Software1
Total number of security vulnerabilities76252