Lucene search
K
AttackerkbRecent

74190 matches found

ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-15682

AnyDesk Support Information Link Following Denial-of-Service Vulnerability. This vulnerability allows local attackers to create a denial-of-service condition on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in orde...

4.7CVSS6.3AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-15683

Lorex 2K Indoor Wi-Fi Security Camera Device Management Server Improper Certificate Validation Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. User interaction is not required to...

7.5CVSS6.9AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-15684

Glarysoft Glary Utilities Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Glarysoft Glary Utilities. An attacker must first obtain the ability to execute low-privileged code on the target system...

7.3CVSS7.2AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62200

OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended...

8.8CVSS6.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62199

OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables. When the affected feature is enabled and reachable, a lower-trust caller or configured input path can supply crafted environment variables to execute or persist actions...

8.8CVSS6.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62198

OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks. Attackers can exploit misconfigured input paths to bypass intended authorization controls and execute...

5.3CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62197

OpenClaw before 2026.6.6 contains a policy bypass vulnerability in browser CDP discovery that accepts blocked WebSocket URLs. Attackers with lower-trust access can reach network destinations that should have been blocked by OpenClaw policy when the affected feature is enabled...

8.5CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62196

OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perform actions requiring stronger authorization by leveraging group ID validation in the affected featu...

8.7CVSS6.1AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62194

OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate...

8.8CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-62195

OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools. Attackers can bypass authorization checks through configured input paths to execute or persist actions beyond their...

8.7CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-62193

OpenClaw versions 2026.6.5 before 2026.6.9 contain a vulnerability in the plugin install wrappers that could skip the install policy authorization check. When the affected feature is enabled and reachable, a lower-trust caller or a configured input path could execute or persist actions beyond the...

6.9CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62192

OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in Discord guild actions that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip cross-provider requester...

8.1CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62191

OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip requester authorization and...

7.1CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62190

OpenClaw versions before 2026.6.9 contain an authorization bypass vulnerability in the flock wrapper that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can leverage configured input paths to bypass durable exec approval binding and perform...

8.8CVSS6.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-62188

OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...

8.6CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-62189

OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the...

7.6CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-62187

OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...

8.6CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62186

OpenClaw versions before 2026.6.8 contain an authorization bypass vulnerability in OpenAI-compatible HTTP model overrides that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to bypass admin authorization...

7.6CVSS6.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62184

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP...

8.7CVSS6.2AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-15685

Ollama downloadBlob Improper Validation of Array Index Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ollama. Authentication is not required to exploit this vulnerability. The specific flaw exists...

7.5CVSS7AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-15596

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /subject.php. Such manipulation of the argument subject leads to cross site scripting. It is possible to launch the attack remotely. The exploit is...

5.3CVSS4.7AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-61458

PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any...

8.7CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-59801

9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under...

9.8CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-58500

MCP Appium is an MCP server that provides AI assistants with tools to automate mobile app testing on Android and iOS. In versions prior to 1.85.10, the createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector...

8.2CVSS6.2AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-58411

ChurchCRM is an open-source church management system. Prior to version 7.4.0, Cross-Site Scripting XSS vulnerabilities were identified due to insufficient output encoding of user-controlled request parameter names and parameter values. The application reflects attacker-controlled input into...

7CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62242

Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can...

8.6CVSS6.2AI score
Exploits0References6
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62240

CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validateurl function that performs one-shot DNS resolution and blocklist checks before returning the original URL unchanged. Attackers can bypass the security filter by supplying URLs that redirect to internal...

8.3CVSS6.1AI score
Exploits0References6
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-62239

FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the downloadandcopy function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filtering tar members. A local attacker can pre-plant a symlink in the...

6.6CVSS6.2AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-58407

Please submit CVE requests for each vulnerability...

6.1AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-15595

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /forsubject.php. This manipulation of the argument subject causes cross site scripting. It is possible to initiate the attack remotely. The exploit has...

5.3CVSS4.8AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-58410

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...

7.1CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-15594

A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from...

6.3CVSS5.5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-58409

ChurchCRM is an open-source church management system. Prior to version 7.4.0, an authenticated administrator can achieve Remote Code Execution RCE on the server by installing a malicious plugin ZIP archive containing a PHP webshell. The application explicitly includes 'php' in its ALLOWEDEXTENSIO...

9.1CVSS6.2AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-48363

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Sco...

8.2CVSS6.5AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-48364

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Sco...

8.2CVSS6.5AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-58408

ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information...

6.5CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-12385

The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content...

4.3CVSS6.1AI score
Exploits0References8
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-12536

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-55771

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 4.9.0, the EntityIdentifier.equals has inverted null/self branches which could lead to incorrect equality comparisons. The EntityIdentifier.equals meth...

8.8CVSS6AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-55773

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Cedar-expression injection via unescaped toCedarExpr. The...

8.8CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-55772

CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. In versions prior to 2.3.6, 3.4.1 and 4.9.0, under certain circumstances, improper input handling could allow Record-to-Entity type confusion across the Java-Rust FFI...

8.8CVSS6AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-14906

Pages with malicious titles could potentially allow saved PDF content to overwrite PDF files or bundled content within the Firefox for iOS application sandbox. This vulnerability was fixed in Firefox for iOS 152.4...

5.3CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-6875

ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform. ServiceNow addressed this vulnerability by deploying...

9.5CVSS6.6AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-49972

Laravel-Mediable before 7.0.0 contains a file upload vulnerability that allows unauthenticated attackers to achieve remote code execution by uploading a file with an embedded PHP extension disguised within a double extension such as shell.php.jpg. The PATHINFOFILENAME extraction preserves the inn...

8.8CVSS6.5AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-49971

Laravel-Mediable before 7.0.0 contains a stored cross-site scripting vulnerability that allows authenticated or anonymous users to execute arbitrary JavaScript by uploading unsanitized SVG files containing embedded scripts in onload event handlers, script tags, or foreignObject elements. Attacker...

6.1CVSS6.3AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-49970

Laravel-Mediable before 7.0.0 contains a path traversal vulnerability in the File::sanitizePath function that allows attackers to write uploaded files to arbitrary locations by controlling the directory argument passed to MediaUploader::toDestination. Attackers can exploit the permissive...

8.8CVSS6.3AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-49969

Laravel-Mediable before 7.0.0 contains a server-side request forgery vulnerability that allows remote attackers to issue arbitrary HTTP requests from the server by supplying unvalidated caller-controlled URLs to endpoints backed by MediaUploader::fromSource. Attackers can craft URLs targeting...

7.4CVSS6.2AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-58228

Cross-site scripting vulnerability in phoenixframework phoenixliveview allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The Phoenix.LiveView.Utils.validdestination!/2 and Phoenix.LiveView.Utils.validlivenavigationdestination!/2 functions in...

5CVSS6.2AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-60103

Blender 3.0.0 through 5.1.2 contains an out-of-bounds read vulnerability that allows attackers to trigger a crash or read adjacent heap memory by supplying a crafted .blend file with a malicious signed short memberindex value in the SDNA block. The memberindex field is used as an array index into...

6.8CVSS6.1AI score
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-53365

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix zerocopy completion for multi-skb sends When a large message is fragmented into multiple skbs, the zerocopy uarg is only allocated and attached to the last skb in the loop. Non-final skbs carry pinned user pages...

6AI score
Exploits0References4Affected Software1
Total number of security vulnerabilities74190