Lucene search
K
AttackerkbRecent

74190 matches found

ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-53364

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hciconn: Fix memory leak in hcilebigterminate hcilebigterminate allocates isolistdata via kzallocobj but returns 0 without freeing it when neither pasyncterm nor bigsyncterm flags are set after evaluating the PA and BI...

6AI score
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-61505

Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitation is constrained to files matching a narrow naming and format pattern, limiting practical impact...

6.9CVSS6.1AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-61504

Rejetto HFS 3.0.0 through 3.2.0 does not escape file names in its fallback "basic" web listing, and this listing can be forced by any browser via the ?get=basic parameter. A user with upload permission - or an anonymous user on servers with an open upload folder - can store a file whose name...

5.4CVSS6.1AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-61503

Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...

6.9CVSS6.1AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-61463

Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtai...

8.8CVSS6.1AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-61502

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS6.4AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-61501

Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs ar...

6.1CVSS6.3AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-61500

Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random generator and discloses outputs of the same generator to unauthenticated clients during login. A remote attacker can collect a small number of login responses, reconstruct the generator's...

9.8CVSS6.5AI score
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday1 views

CVE-2026-61462

mcp-gitlab contains a path traversal vulnerability in the jobid parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted jobid values like ../../../user to escape the intended path prefix and access arbitrary GitLab API...

9.2CVSS6.2AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-13221

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perlstudychunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored ...

6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-57432

Perl versions through 5.43.10 have an integer overflow in Smeasurestruct leading to an out-of-bounds heap read in pack and unpack. Smeasurestruct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the...

6.2AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-61692

REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-61454. Reason: This candidate is a duplicate of CVE-2026-61454. Notes: All CVE users should reference CVE-2026-61454 instead of this candidate...

6.1AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-57433

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SXHOOK record. retrievehookcommon reads a signed 32-bit item count from an SXHOOK record and calls avextend with that count plus one. A count of I32MAX wraps the addition to a negative value. A...

6.2AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday8 views

CVE-2026-6847

Remote Code Execution vulnerability exists in ThemisNETPanel due to missing authentication for a critical file upload function. The application exposes an endpoint that allows unauthenticated attackers to upload arbitrary PHP files by providing a base64-encoded payload and to execute arbitrary co...

9.3CVSS6.3AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday6 views

CVE-2026-61498

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/gengraphs.php endpoint that allows remote unauthenticated attackers to execute arbitrary commands by supplying shell metacharacters in the start, end, key, or format HTTP GET parameters. Attacke...

9.8CVSS6.3AI score
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday6 views

CVE-2026-60121

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint that allows remote attackers to execute arbitrary commands by exploiting a double-evaluation flaw in shell argument handling. The endpoint applies escapeshellarg to the...

9.8CVSS6.3AI score
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-40553

Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk ftype routine. This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible. It affects gawk in versions 5.4.0 and below...

5.1CVSS6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-40469

Integer overflow vulnerability has been found in "builtin.c" program file of gawk dosub routine. This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below...

5.1CVSS6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-40468

Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below...

5.1CVSS6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-40467

Use After Free vulnerability has been found in "io.c" program file of gawk dogetlineredir routine. This issue may lead to a crash. It affects gawk in versions 5.4.0 and below...

5.1CVSS6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-15584

A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. The tool creates privileged debug pods with host filesystem access in the shared default namespace, where any user with the standard edit role can exec into them and obtain root access on cluster nodes...

7.5CVSS6AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-15559

A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0. This affects an unknown part of the file /SimpleOnlineLeave/admin/accept.php of the component POST Handler. Performing a manipulation of the argument appid results in sql injection. The attack is possible to be...

6.5CVSS6.5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-62147

The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces...

6.5CVSS6.1AI score
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-15558

A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed...

6.5CVSS6.5AI score
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-12257

Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution RCE vulnerability. The flaw is located in the endpoint “/index.cfm/api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion...

9.3CVSS6.7AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-6541

Mattermost versions 11.7.x = 11.7.1, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a...

4.3CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-9820

Mattermost versions 11.7.x = 11.7.2, 10.11.x = 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API...

3.8CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-9824

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to check the managesharedchannels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash...

4.3CVSS6.1AI score
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-14934

A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tena...

9.4CVSS6.1AI score
Exploits0References2Affected Software3
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-4765

Stored Cross-Site Scripting XSS vulnerability in the RD Station Conversas chat. The vulnerability resides in the ‘name’ parameter of the initialization process due to improper sanitization of user input. The vulnerability is not limited to self-exploitation: when a support agent joins the...

5.1CVSS6.3AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-61971

Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through = 2.6.3...

2.7CVSS6.1AI score0.00314EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-61952

Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products – WP Sheet Editor: from n/a through = 1.8.21...

4.9CVSS6.1AI score0.00331EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57778

Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through = 3.2.36...

5.3CVSS6.1AI score0.00285EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-61977

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through = 3.6.1.2...

5.3CVSS6.1AI score0.0033EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57810

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: from n/a through = 4.7.4...

8.5CVSS6.1AI score0.00357EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57789

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in jwsthemes Aqua aqua allows PHP Local File Inclusion.This issue affects Aqua: from n/a through = 5.1.2...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-57792

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through = 2.4.1...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-57803

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through = 2.5.1...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-57787

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in CreativeWS CWS SVGicons cws-svgicons allows Blind SQL Injection.This issue affects CWS SVGicons: from n/a through = 1.5.5...

8.5CVSS6.1AI score0.00347EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57771

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Milan Petrovic GD Rating System gd-rating-system allows Blind SQL Injection.This issue affects GD Rating System: from n/a through = 3.7...

8.5CVSS6.1AI score0.00357EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57745

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Reflected XSS.This issue affects RT-Theme 18 | Extensions: from n/a through = 2.5...

7.1CVSS6.1AI score0.00251EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57811

Improper Control of Generation of Code 'Code Injection' vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows Remote Code Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through = 5.2.0...

10CVSS6.2AI score0.00564EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57743

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion.This issue affects RT-Theme 18 | Extensions: from n/a through = 2.5...

8.1CVSS6.1AI score0.00557EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-59523

Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through = 1.6.11.11...

6.5CVSS6.1AI score0.00266EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57790

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeMove Billey billey allows PHP Local File Inclusion.This issue affects Billey: from n/a through = 2.1.8...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-61983

Missing Authorization vulnerability in andymoyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through = 5.0.30...

5.3CVSS6.1AI score0.00294EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-61958

Missing Authorization vulnerability in Saad Iqbal License Manager for WooCommerce license-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects License Manager for WooCommerce: from n/a through = 3.0.17...

5.4CVSS6.1AI score0.00287EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-57741

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/a through = 10.11.0...

7.1CVSS6.1AI score0.00251EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-57770

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object Injection.This issue affects Grand Photography: from n/a through = 5.7.8...

9.8CVSS6.1AI score0.00564EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-59521

Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through = 3.1.15...

7.2CVSS6.1AI score0.00539EPSS
Exploits0References2
Total number of security vulnerabilities74190