Lucene search
+L
AttackerkbRecent

77288 matches found

ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16197

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched...

6.5CVSS5.1AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16196

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component webfetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made...

6.5CVSS5AI score
Exploits0References8Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-16195

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. T...

6.5CVSS6.2AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-10130

QueryWeaver contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain valid session tokens for existing accounts by submitting a signup request with a known victim email address. The signup route unconditionally creates and links a new token to the matching...

8.8CVSS5.4AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16194

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/webfetch/webfetch.py. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has...

6.5CVSS5.9AI score
Exploits0References9Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16156

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown part of the file /forexam.php. The manipulation of the argument day results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to...

5.1CVSS3.7AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16155

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /schoolyr.php. The manipulation of the argument sy leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is...

5.1CVSS3.5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-12228

A stored cross-site scripting XSS vulnerability exists in the POST /api/prompts/share endpoint of parisneo/lollms latest version. The endpoint stores attacker-controlled promptcontent into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message DM thread,...

8.7CVSS7.8AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-57857

The Flow Payment plugin for WordPress flow.cl version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the errormessage GET parameter is passed directly to wcaddnotice in flowpayment-fl.php lines 57-58 without...

5.1CVSS5AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-16154

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /editroom1.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The...

7.5CVSS7AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-16152

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /editrooma.php. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public...

7.5CVSS7.1AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16151

A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly controlled modification of object prototype attributes. The attack can be executed remotely. The project...

6.5CVSS6.3AI score
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2026-53994

ProFTPD modsftp contains a heap-based buffer overflow reachable by an authenticated SFTP user. The fxppacketread function accepts the attacker-supplied 32-bit big-endian SFTP packet length without a minimum sanity check. A value of 0 causes an unsigned subtraction elsewhere in the read path to...

7.7CVSS6AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-57848

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component reachable to any process on the device via the android.intent.action.SEND intent and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filte...

6.8CVSS5.4AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2026-16150

A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of the component Internal Deep Merge Helper. The manipulation results in improperly controlled...

6.5CVSS6.1AI score
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16133

A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function childprocess.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. The attack can be launched remotely. The attack requires a high level of complexity. The exploitatio...

5.1CVSS5AI score
Exploits0References8Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16131

A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /prescriptionrecord.php. This manipulation of the argument delid causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to...

6.5CVSS6.5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16130

A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validatepath of the file src/tools/builtin/pathutils.rs of the component writefile. The manipulation leads to link following. Local access is required to approach this attack. The exploit is...

4.8CVSS4.5AI score
Exploits0References8Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-16129

A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction.validatecommand of the file src/safestclaw/actions/shell.py of the component Built-in Web Interface. Such manipulation leads to incomplete blacklist. An attack has to be...

5.3CVSS5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16128

A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiverthread of the file claw/services/swarm/swarm.c of the component httprequest. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The...

7.5CVSS7AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16127

A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function clawnetget/clawnetpost of the file claw/tools/toolnet.c of the component httprequest. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The...

7.5CVSS6.9AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16126

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handlerpcrequest of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This manipulation causes incorrect authorization. The attack is possible to be carried out remotely. The...

7.5CVSS6.9AI score
Exploits0References8Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-16125

A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function clawnetget/clawnetpost of the file claw/services/tools/net.c of the component httprequest. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely...

7.5CVSS6.9AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•6 views

CVE-2026-16124

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/webshared.go of the component webfetch. Such manipulation leads to server-side request forgery. The attack can be launched remotel...

6.5CVSS6AI score
Exploits0References9
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16123

A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/toolsinvoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated...

6.5CVSS6.2AI score
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•3 views

CVE-2026-16122

A security flaw has been discovered in nextlevelbuilder GoClaw up to 3.13.2. Affected by this vulnerability is the function extractBin/RequestApproval/matchesAllowlist of the file internal/tools/execapproval.go. The manipulation results in incorrect authorization. The exploit has been released to...

4.8CVSS4.8AI score
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2026-16121

A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/execapproval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be...

6.5CVSS6.2AI score
Exploits0References7Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-9323

The urwid web display backend urwid/display/web.py generates web session identifiers urwidid in Screen.start by concatenating two random.randrange109 calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and t...

9.2CVSS6AI score
Exploits0References7
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-11826

OpenPLCv3 contains a heap-based buffer overflow in the getData function in webserver/core/modbusmaster.cpp. getData reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. In parseConfig the function is invoked with the 100-byte...

8.8CVSS5.8AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2026-16120

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/execapproval.go. Executing a manipulation can lead to incorrectly-resolved name. The attack may be performed from remote. The exploit has...

6.5CVSS6.1AI score
Exploits0References7
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2025-71397

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permissions at the root, namespace, or database level to define custom database functions via DEFINE FUNCTION using nested FOR loops. Although a single loop's iteration count is...

7.1CVSS5.4AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2025-71398

SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a public server that redirects to denied network targets, enabling server-side request forgery to acce...

5.8CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•7 views

CVE-2025-71396

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitly enabled via --allow-scripting or --allow-all. An authenticated attacker can submit long-running...

2.3CVSS5.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2025-71394

SurrealDB versions before 2.2.2 contain a local file read vulnerability in the DEFINE ANALYZER statement that allows authenticated users to read arbitrary files on the file system. Attackers with root, namespace, or database level privileges can point analyzers to arbitrary file paths and...

2.3CVSS5.4AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2025-71395

SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to restrict resulting string length when using regex patterns. An authenticated attacker can craft a malicious query to exhaust server memory through unbounded string allocations,...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2025-71393

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion...

6CVSS5.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2025-71392

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2025-71390

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http:: functions. An authenticated user can invoke http:: with a hostname that resolves to a denied IP address, causing the server ...

5.8CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2025-71391

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instan...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58370

SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2024-58369

SurrealDB versions before 1.1.1 fail to properly validate invocation of custom parameters and functions at root or namespace levels, causing server panic. Authorized clients can invoke these entities at unsupported levels to crash the SurrealDB server, resulting in denial of service...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58368

SurrealDB versions before 1.1.0 fail to properly parse the ID, DB, and NS headers in HTTP REST API requests containing special characters. Unauthenticated attackers can send crafted HTTP requests with malformed header values to trigger an uncaught exception that crashes the server...

8.7CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58367

SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function argument...

7.1CVSS5.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58365

SurrealDB versions before 1.2.0 contain an uncaught exception vulnerability in the query executor when processing calls to nonexistent built-in functions. Authorized clients can craft pre-parsed queries invoking nonexistent functions to trigger a panic that crashes the server...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2024-58366

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throwtype function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges...

9CVSS5.6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2024-58364

SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing queries with errors on line terminator characters. Authorized clients can submit malformed queries that trigger a panic in the span rendering code, crashing the server and causing...

7.1CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58362

SurrealDB before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 accepts an arbitrary object in the signin and signup operations of the RPC API without recursively validating it for non-computed values. When a record access method defines a SIGNIN or SIGNUP query and the RPC API is exposed to untrusted...

8.8CVSS5.5AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•5 views

CVE-2024-58363

SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate an unrelated user in a different database if a user record with an identical identifier exists, allowin...

6.3CVSS5.3AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58361

SurrealDB versions before 2.0.4 contain an uncaught exception handling vulnerability in the parser error rendering code when processing empty strings. Authorized clients can execute malformed queries with empty string conversions to record, duration, or datetime types that cause a panic in error...

7.1CVSS5.5AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added yesterday•4 views

CVE-2024-58358

SurrealDB versions before 2.1.0 contain a denial of service vulnerability in role conversion that allows privileged owner users to define users with nonexistent roles. Attackers can trigger an uncaught panic by signing in with a user assigned an invalid role, crashing the server...

6.9CVSS5.3AI score
Exploits0References3
Total number of security vulnerabilities77288