Lucene search
K
AttackerkbRecent

74584 matches found

ATTACKERKB
ATTACKERKB
•added 2026/06/22 5:13 p.m.•4 views

CVE-2026-54287

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.25, on AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attribute...

5.3CVSS5.9AI score0.00186EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:58 p.m.•5 views

CVE-2026-53540

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.31, parseform did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded...

3.7CVSS5.8AI score0.00217EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:57 p.m.•4 views

CVE-2026-53537

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, parseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=...,...

3.7CVSS5.9AI score0.00177EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:56 p.m.•8 views

CVE-2026-53538

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only...

3.7CVSS5.8AI score0.00176EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:55 p.m.•9 views

CVE-2026-53539

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.30, when parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead...

7.5CVSS6.1AI score0.00263EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:52 p.m.•5 views

CVE-2026-54285

opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 2.8.0, W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:50 p.m.•4 views

CVE-2026-55388

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...

8.1CVSS5.8AI score0.00296EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:46 p.m.•4 views

CVE-2026-54283

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An...

7.5CVSS5.9AI score0.00275EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:45 p.m.•5 views

CVE-2026-54282

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating scheme://hostpath and re-parsing the result, a path that does not begin with / for example...

3.7CVSS5.9AI score0.00187EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:41 p.m.•4 views

CVE-2026-54273

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able to use pipelined requests to use excessive amounts of memory, potentially leading to DoS. This...

8.7CVSS5.8AI score0.00279EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:40 p.m.•5 views

CVE-2026-54280

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause...

6.3CVSS5.8AI score0.00281EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:38 p.m.•4 views

CVE-2026-54278

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk. An attacker may be able to send a compressed payload in specific situations that could be...

8.7CVSS5.8AI score0.00279EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:37 p.m.•5 views

CVE-2026-54277

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, it is possible to bypass the maxlinesize check in parts of an HTTP request in the C parser. If using the optimised C parser the default in pre-built wheels, then an attacker may be able to send...

8.7CVSS5.8AI score0.00322EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:36 p.m.•4 views

CVE-2026-54276

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to...

6.3CVSS5.9AI score0.00178EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:34 p.m.•4 views

CVE-2026-54275

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the serverhostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request serverhostname...

6.9CVSS5.8AI score0.00266EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:33 p.m.•3 views

CVE-2026-54274

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use. This vulnerability is fixed in 3.14.1...

8.7CVSS5.8AI score0.00305EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:32 p.m.•4 views

CVE-2026-54279

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save and then restored later with CookieJar.load lose their host-only status. This vulnerability is fixed in 3.14.1...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:31 p.m.•5 views

CVE-2026-42127

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

7.5CVSS5.9AI score0.00432EPSS
Exploits0References2Affected Software2
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:30 p.m.•5 views

CVE-2026-50269

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing...

6.9CVSS5.8AI score0.00301EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:23 p.m.•4 views

CVE-2026-54269

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:21 p.m.•4 views

CVE-2026-48712

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 7.6.1 and 8.4.1, protobufjs could recurse without a depth limit while converting decoded messages to plain objects or JSON. This affected generated toObject conversion and the custom google.protobuf.Any JSON conversio...

7.5CVSS5.8AI score0.00324EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:19 p.m.•4 views

CVE-2026-54270

protobufjs compiles protobuf definitions into JavaScript JS functions. From 8.2.0 to 8.4.2, protobufjs preserved unknown wire elements in message.$unknowns and did not provide a decode-time option to discard unknown fields before retaining them. A crafted protobuf payload containing many unknown...

5.3CVSS5.9AI score0.00293EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:16 p.m.•5 views

CVE-2026-54271

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.3.2 and 2.5.0, a previous fix for unsafe name handling in pbjs static / static-module code generation was incomplete. Affected versions of protobufjs-cli could still emit unsafe JavaScript references when generating static outp...

8.2CVSS5.9AI score0.00228EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:10 p.m.•4 views

CVE-2026-53571

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...

8.2CVSS5.9AI score0.00393EPSS
Exploits2References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 4:7 p.m.•4 views

CVE-2026-49356

Babel is a compiler for writing next generation JavaScript. Prior to 8.0.0-rc.6 and 7.29.6, @babel/core affected by an arbitrary file read via a sourceMappingURL comment. Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is...

3.2CVSS6AI score0.00116EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:58 p.m.•4 views

CVE-2026-56109

The Advanced Linux Sound Architecture ALSA library before 1.2.16.1 contains a double-free vulnerability in parsedef in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. When parsing nested compound or array configuration blocks, parsedef...

7CVSS5.9AI score0.00138EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:58 p.m.•4 views

CVE-2026-55602

http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request...

6.9CVSS5.9AI score0.0034EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:54 p.m.•5 views

CVE-2026-53632

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the...

5.5CVSS6AI score0.00322EPSS
Exploits0References2Affected Software3
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:49 p.m.•5 views

CVE-2026-50171

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber functio...

8.2CVSS5.9AI score0.00161EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:43 p.m.•4 views

CVE-2026-12249

An issue was discovered in Canonical ADSys upstream versions through v0.16.2. During Active Directory Certificate Services AD CS certificate auto-enrollment via the vendored Samba client script internal/policies/certificate/python/vendorsamba/gp/gpcertautoenrollext.py, ADSys utilizes a plaintext...

9.5CVSS6AI score0.00111EPSS
Exploits0References3Affected Software5
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:42 p.m.•4 views

CVE-2026-50184

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

5.7CVSS5.9AI score0.0015EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:41 p.m.•3 views

CVE-2026-50169

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during...

5.7CVSS5.9AI score0.00165EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:40 p.m.•4 views

CVE-2026-46417

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server. The issue stems from how...

8.8CVSS5.9AI score0.00221EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:39 p.m.•3 views

CVE-2026-50168

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints an...

8.8CVSS6.1AI score0.00193EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:39 p.m.•2 views

CVE-2026-50170

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering SSR and hydration are enabled. The...

8.2CVSS5.8AI score0.00267EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:38 p.m.•2 views

CVE-2026-50556

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

8.6CVSS5.8AI score0.00239EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:37 p.m.•2 views

CVE-2026-11994

Akaunting 3.1.21 contains an authenticated stored Cross-Site Scripting vulnerability in the report management workflow. A user with permission to create or update reports can store arbitrary HTML/JavaScript in the description field of a report...

4.8CVSS6AI score0.00321EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:37 p.m.•3 views

CVE-2026-50555

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

8.6CVSS5.8AI score0.00167EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:32 p.m.•3 views

CVE-2026-41049

Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them...

8.4CVSS5.9AI score0.00134EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:32 p.m.•4 views

CVE-2026-54264

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Servi...

8.3CVSS6AI score0.00226EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:31 p.m.•5 views

CVE-2026-54268

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service DoS vulnerability exists in the @angular/common package of the Angular framework. The formatDate function,...

8.2CVSS5.9AI score0.00331EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:31 p.m.•3 views

CVE-2026-41048

Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot"...

8.4CVSS5.9AI score0.00133EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:30 p.m.•3 views

CVE-2026-54267

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via...

8.6CVSS5.8AI score0.00179EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:30 p.m.•3 views

CVE-2026-11943

Akaunting 3.1.21 contains an authenticated stored cross-site scripting vulnerability in the document timeline shown on invoice and bill detail pages. An authenticated user can store HTML/JavaScript in their own profile name...

4.8CVSS5.7AI score0.00261EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:28 p.m.•4 views

CVE-2026-54266

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering SSR so that they can be reused during...

8.8CVSS5.9AI score0.0009EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:27 p.m.•3 views

CVE-2026-54265

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property...

5.3CVSS5.8AI score0.00195EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:25 p.m.•3 views

CVE-2026-41047

Lack of authentication when using the "snapshot diff" functions in qSnapper before version 1.3.3 allowed a local attacker to see otherwise read protected information...

6.9CVSS5.9AI score0.0015EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:21 p.m.•3 views

CVE-2026-7253

IBM Watson Speech Services Cartridge is vulnerable to Server-Side Request Forgery SSRF in Sterling File Gateway, due to a flaw which may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks...

5.3CVSS5.8AI score0.002EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:21 p.m.•3 views

CVE-2026-12479

A path traversal vulnerability exists in keras-team/keras version 3.14.0, specifically in the DiskIOStore.make method within the Keras 3 model saving and loading library. This vulnerability arises from the improper handling of user-provided layer names, which are used to construct directory paths...

6.1CVSS6.5AI score0.00263EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
•added 2026/06/22 3:20 p.m.•3 views

CVE-2026-50178

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option located in client/src/client.ts. This setting instructs VS...

8.7CVSS5.9AI score0.00275EPSS
Exploits0References2Affected Software2
Total number of security vulnerabilities74584