Lucene search

367610 matches found

CVE | added 2026/05/28 5:00 a.m. | 26 views

CVE-2026-9673

CVE-2026-9673 affects json-2-csv versions from 3.15.0 up to 5.5.11, which are vulnerable to CSV Injection: the preventCsvInjection option, intended to neutralise formula prefixes, can be bypassed. An attacker can inject formulas into generated CSV files that execute when the file is opened in a spreadsheet application. The Snyk entry describes a PoC and recomme...

CVSS 7 | AI score 5.9 | EPSS 0.00166
Exploits 0 | References 4
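
Added example (not json-2-csv code, and not the bypass described in the Snyk entry, whose details are not on this page): a CSV writer that neutralises formula-trigger prefixes before serialising untrusted cells, shown beside a naive guard that only inspects the first raw character. The trigger set ("=", "+", "-", "@", tab, CR) follows the usual CSV-injection guidance; the sample rows are constructed for the demo.

```python
import csv
import io

# Leading characters that make common spreadsheet applications treat a cell as a
# formula (or a DDE/macro trigger). Tab and CR are the ones a naive "=+-@" check misses.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")

def naive_neutralise(value: str) -> str:
    """A guard that only checks the first raw character against '=', '+', '-', '@'."""
    if value and value[0] in "=+-@":
        return "'" + value
    return value

def neutralise(value: str) -> str:
    """Conservative guard: ignore leading whitespace when deciding, and also treat
    tab and carriage return as triggers. Prefixing a single quote forces the cell to be
    read as text (the quote is visible in some spreadsheet apps; that is the price)."""
    stripped = value.lstrip(" \t\r\n")
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value

def is_dangerous(cell: str) -> bool:
    """Review-time check: does this cell still start with a formula trigger?"""
    stripped = cell.lstrip(" \t\r\n")
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS

def to_csv(rows, neutraliser) -> str:
    """Serialise rows, passing every cell through the given neutraliser first."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutraliser(str(cell)) for cell in row])
    return buf.getvalue()

def round_trip_cells(rows, neutraliser):
    """Parse the generated CSV back, as a consumer would, and return the cells."""
    return list(csv.reader(io.StringIO(to_csv(rows, neutraliser))))

# Constructed sample: a user-supplied "note" field carrying formula payloads.
SAMPLE_ROWS = [
    ["user", "note"],
    ["alice", "=HYPERLINK(\"http://example.invalid/x\",\"click\")"],
    ["bob", "\t=1+1"],          # tab-prefixed payload slips past the naive check
    ["carol", "-2+3"],          # leading minus is also a trigger
    ["dave", "plain text, no formula"],
]

if __name__ == "__main__":
    for name, fn in (("naive", naive_neutralise), ("hardened", neutralise)):
        leaks = [row[1] for row in round_trip_cells(SAMPLE_ROWS, fn)[1:] if is_dangerous(row[1])]
        print(f"{name}: {len(leaks)} dangerous cell(s) survive -> {leaks!r}")
```

The point of `is_dangerous` is that it runs on the parsed-back cells, i.e. on what the spreadsheet will actually see, so it doubles as a check you can run over an existing export before shipping it.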
CVE | added 2026/05/28 4:47 a.m. | 32 views

CVE-2026-9802

Keycloak contains a vulnerability where, with revokeRefreshToken=true and persistent session storage, a server restart can reset internal timing mechanisms, enabling a remote attacker who has captured a user’s refresh token to replay it after revocation. This can grant unauthorized access to the ...

CVSS 6.8 | AI score 5.7 | EPSS 0.00305
Exploits 0 | References 6 | Affected software 1
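
Added example (not Keycloak code; the page does not say which internal timing state the restart resets, so this models the failure class generically): refresh-token rotation where the "which token is current" record lives in process memory while the session itself is persisted. After a simulated restart the rotation record is gone, the session still exists, and a captured, already-rotated token is accepted again. The persisted variant keeps the record alongside the session. Session and token identifiers are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class RefreshToken:
    session_id: str
    token_id: str   # rotates on every successful refresh (revokeRefreshToken=true)

class PersistentSessionStore:
    """Stands in for persistent user-session storage: survives a server restart."""
    def __init__(self):
        self.sessions = {}          # session_id -> user
        self.current_token = {}     # session_id -> token_id (only used when persisted)

class TokenService:
    def __init__(self, store: PersistentSessionStore, persist_rotation_state: bool):
        self.store = store
        self.persist_rotation_state = persist_rotation_state
        self.volatile_current = {}  # process memory: lost on restart

    def _record_current(self, session_id: str, token_id: str) -> None:
        self.volatile_current[session_id] = token_id
        if self.persist_rotation_state:
            self.store.current_token[session_id] = token_id

    def _current_token(self, session_id: str):
        if self.persist_rotation_state:
            return self.store.current_token.get(session_id)
        return self.volatile_current.get(session_id)

    def login(self, session_id: str, user: str) -> RefreshToken:
        self.store.sessions[session_id] = user
        token = RefreshToken(session_id, secrets.token_hex(8))
        self._record_current(session_id, token.token_id)
        return token

    def refresh(self, presented: RefreshToken):
        """Return a new refresh token, or None if the presented one is rejected."""
        if presented.session_id not in self.store.sessions:
            return None                                   # unknown/expired session
        current = self._current_token(presented.session_id)
        if current is not None and current != presented.token_id:
            return None                                   # replay of a rotated-out token
        # Flaw modelled here: when rotation state is unknown (current is None) the
        # server falls back to trusting the token because the session itself exists.
        token = RefreshToken(presented.session_id, secrets.token_hex(8))
        self._record_current(presented.session_id, token.token_id)
        return token

    def restart(self) -> None:
        """Simulate a server restart: process memory cleared, persistent store kept."""
        self.volatile_current = {}

def replay_after_restart(persist_rotation_state: bool) -> bool:
    """True if a captured, already-rotated refresh token is accepted after a restart."""
    svc = TokenService(PersistentSessionStore(), persist_rotation_state)
    captured = svc.login("sess-1", "alice")    # attacker captures the first refresh token
    if svc.refresh(captured) is None:          # victim refreshes; 'captured' is rotated out
        raise RuntimeError("victim refresh should succeed")
    if svc.refresh(captured) is not None:      # replay is rejected while the server is up
        raise RuntimeError("replay should be rejected before restart")
    svc.restart()
    return svc.refresh(captured) is not None

if __name__ == "__main__":
    print("volatile rotation state, replay accepted after restart:", replay_after_restart(False))
    print("persisted rotation state, replay accepted after restart:", replay_after_restart(True))
```

The practical check this suggests for any token service: whatever state a revocation decision depends on must have the same persistence guarantees as the session it protects, and a restart (or cache eviction) must fail closed rather than fall back to "the session exists, so the token is fine".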
CVE | added 2026/05/28 4:47 a.m. | 37 views

CVE-2026-9803

CVE-2026-9803 describes a denial-of-service flaw in Keycloak’s ClientRegistrationAuth component. A remote, unauthenticated attacker can trigger an ArrayIndexOutOfBoundsException by sending a specially crafted POST request with a malformed Authorization: Bearer header to any client registration en...

CVSS 5.3 | AI score 5.8 | EPSS 0.00417
Exploits 0 | References 6 | Affected software 1

CVE | added 2026/05/28 4:42 a.m. | 48 views

CVE-2026-9801

CVE-2026-9801 affects Keycloak. A remote attacker with high privileges (e.g., a realm administrator configuring a malicious LDAP server or compromising an upstream LDAP server) can trigger an OutOfMemoryError by sending a malformed LDAP password policy response during authentication, causing the ...

CVSS 4.9 | AI score 5.8 | EPSS 0.00476
Exploits 0 | References 6 | Affected software 1

CVE | added 2026/05/28 4:37 a.m. | 37 views

CVE-2026-9798

Keycloak is affected by a flaw where, after a user account is temporarily locked due to repeated failed logins, an attacker with valid client credentials can abuse the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the lock. This allows continued authentication attempts and tok...

CVSS 4.3 | AI score 5.7 | EPSS 0.00206
Exploits 0 | References 2 | Affected software 1

CVE | added 2026/05/28 4:27 a.m. | 71 views

CVE-2026-9796

This CVE (CVE-2026-9796) affects Keycloak. An authenticated administrator with the manage-clients role can trigger a TOCTOU flaw in the name-based admin role checks, allowing escalation to realm-admin for all users in the realm. The compromised composite role relationship persists after the attac...

CVSS 6.5 | AI score 5.8 | EPSS 0.00186
Exploits 0 | References 2 | Affected software 1

CVE | added 2026/05/28 4:01 a.m. | 25 views

CVE-2026-32999

CVE-2026-32999 affects Comet Backup server; the issue is insufficient character filtering in the backup agent signing module. This vulnerability allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices. The ...

CVSS 9 | AI score 6.2 | EPSS 0.00313
Exploits 0 | References 1

CVE | added 2026/05/28 4:01 a.m. | 92 views

CVE-2026-32998

Veeam Service Provider Console (VSPC) contains a critical remote code execution vulnerability (CVE-2026-32998) that affects versions prior to the fix. The CVE is addressed starting with VSPC 9.2.1.33875, per Veeam KB4853 and KB4788, which state the vulnerability was fixed and list the affected bu...

CVSS 9.4 | AI score 6.1 | EPSS 0.00403
Exploits 0 | References 1

CVE | added 2026/05/28 4:01 a.m. | 46 views

CVE-2026-32995

The CVE-2026-32995 entry affects Rocket.Chat: the DDP method autoTranslate.translateMessage in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12. The underlying issue is that the method accepts a client-supplied IMessage object and passes it directly to translateMess...

CVSS 7.5 | AI score 7.1 | EPSS 0.00283
Exploits 0 | References 2

CVE | added 2026/05/28 4:01 a.m. | 85 views

CVE-2026-32997

CVE-2026-32997 affects the Linux-based Veeam Software Appliance used by Veeam Backup & Replication. An authenticated user with the Backup Administrator role can write arbitrary files on the affected server. The issue is documented as high severity (CVSS 4.0 base 8.6) with network attack vector bu...

CVSS 8.6 | AI score 7.4 | EPSS 0.00514
Exploits 0 | References 1

CVE | added 2026/05/28 4:01 a.m. | 185 views

CVE-2026-32996

CVE-2026-32996 affects Veeam Agent for Microsoft Windows, enabling Local Privilege Escalation. The vulnerability is addressed in Veeam Agent for Windows releases, with fix noted in Security Fixes and Improvements: 13.0.3.1220. Public details in KB3108 indicate CVSS v3.1 score 7.3 (AV:L, AC:L, PR:...

CVSS 7.3 | AI score 7.1 | EPSS 0.00154
Exploits 0 | References 1

CVE | added 2026/05/28 3:49 a.m. | 30 views

CVE-2026-9795

The CVE-2026-9795 entries describe a flaw in Keycloak's Fine-Grained Admin Permissions (FGAPv2). An administrator with limited client-management permissions can assign any realm role to a client's scope mapping, bypassing controls, causing the injected role to appear in a user’s authentication token an...

CVSS 7.3 | AI score 5.7 | EPSS 0.00292
Exploits 0 | References 7 | Affected software 1

CVE | added 2026/05/28 3:44 a.m. | 78 views

CVE-2026-9794

Keycloak contains an information-disclosure flaw (CVE-2026-9794) where a remote, unauthenticated attacker can send crafted SOAP requests to the SAML ECP endpoint and observe differing faultstrings to infer the client protocol type. This is the scoped impact reported across NVD/Red Hat CVE entries...

CVSS 5.3 | AI score 5.7 | EPSS 0.00331
Exploits 0 | References 6 | Affected software 1

CVE | added 2026/05/28 3:44 a.m. | 142 views

CVE-2026-9792

CVE-2026-9792 (Keycloak Client Policies bypass of the ROPC block): a flaw in Keycloak’s Client Policies (org.keycloak.protocol.oidc) allows an unauthenticated attacker to obtain tokens via ROPC grants even when a policy blocks them. The issue occurs when certain condition providers (client-type, cli...

CVSS 6.5 | AI score 5.8 | EPSS 0.00267
Exploits 0 | References 6 | Affected software 1

CVE | added 2026/05/28 3:44 a.m. | 47 views

CVE-2026-9793

Keycloak vulnerability CVE-2026-9793: when a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This can lead to unauthorized claims and data integrity c...

CVSS 7.5 | AI score 5.8 | EPSS 0.0012
Exploits 0 | References 2 | Affected software 1
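
Added example (not Keycloak code): what the step after JWE decryption of a request object should look like. The plaintext recovered from the JWE is either a nested JWS or raw JSON; the hardened handler verifies the nested JWS and refuses raw JSON whenever the client's signature policy requires signed request objects, while the `vulnerable=True` path reproduces the flawed behaviour of accepting raw JSON claims unsigned. JWE decryption itself is assumed to have happened already; HS256 with a constructed shared key stands in for whatever algorithm the policy actually configures.

```python
import base64
import hashlib
import hmac
import json

SAMPLE_KEY = b"constructed-shared-secret"      # constructed for the demo
SAMPLE_CLAIMS = {"client_id": "app", "scope": "openid", "redirect_uri": "https://app.example/cb"}

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_jws(claims: dict, key: bytes) -> str:
    """Build a compact JWS (used here to construct a signed request object)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def verify_hs256_jws(token: str, key: bytes) -> dict:
    """Verify a compact JWS and return its claims; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # never accept 'none' or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def claims_from_decrypted_request_object(plaintext: bytes, key: bytes,
                                         require_signed: bool, vulnerable: bool = False) -> dict:
    """plaintext is what JWE decryption yielded (decryption itself is assumed done).
    It is either a nested JWS or raw JSON. When require_signed is True only a nested,
    verified JWS is acceptable. vulnerable=True reproduces the flawed handling where
    raw JSON is accepted regardless of policy."""
    text = plaintext.decode()
    if not text.lstrip().startswith("{"):
        return verify_hs256_jws(text.strip(), key)        # nested JWS: signature checked
    if vulnerable or not require_signed:
        return json.loads(text)                           # unsigned claims accepted
    raise ValueError("signature policy requires a signed request object")

def is_rejected(plaintext: bytes, key: bytes, require_signed: bool, vulnerable: bool = False) -> bool:
    """Convenience wrapper for checks: True if the handler refuses the request object."""
    try:
        claims_from_decrypted_request_object(plaintext, key, require_signed, vulnerable)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    signed = make_hs256_jws(SAMPLE_CLAIMS, SAMPLE_KEY).encode()
    raw = b'{"client_id": "app", "scope": "openid admin"}'
    print("signed, policy=signed :", claims_from_decrypted_request_object(signed, SAMPLE_KEY, True))
    print("raw, flawed handler   :", claims_from_decrypted_request_object(raw, SAMPLE_KEY, True, vulnerable=True))
    print("raw, hardened handler rejects:", is_rejected(raw, SAMPLE_KEY, True))
```

The shape of the check matters more than the algorithm: the decision "is this payload signed?" must be made on the structure the policy expects (a JWS), not on whether decryption succeeded, because encryption alone gives confidentiality, not proof of who authored the claims.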
CVE | added 2026/05/28 3:27 a.m. | 24 views

CVE-2026-7802

The CVE-2026-7802 entry concerns the Frontend Admin by DynamiApps WordPress plugin. Affected versions up to 3.29.2 are vulnerable to an authorization bypass that lets authenticated users with subscriber-level access and higher overwrite administrator profile fields (e.g., user_pass, user_email, n...

CVSS 8.8 | AI score 6 | EPSS 0.00402
Exploits 0 | References 14

CVE | added 2026/05/28 3:27 a.m. | 16 views

CVE-2026-9228

The Timetable and Event Schedule by MotoPress plugin for WordPress (MP Timetable) is affected by an Insecure Direct Object Reference vulnerability (CVE-2026-9228) in all versions up to 2.4.16. The root cause is missing validation on a user-controlled key in the action_get_event_data endpoint, ena...

CVSS 4.3 | AI score 5.8 | EPSS 0.00218
Exploits 0 | References 6

CVE | added 2026/05/28 3:27 a.m. | 20 views

CVE-2026-2374

The CVE-2026-2374 entry applies to the Login No Captcha reCAPTCHA WordPress plugin (v <= 1.8.0). The vulnerability is a Stored Cross-Site Scripting (XSS) that occurs because authenticate() stores the unsanitized basename($_SERVER['PHP_SELF']) output in the login_nocaptcha_error WordPress optio...

CVSS 7.2 | AI score 6 | EPSS 0.00346
Exploits 0 | References 7

CVE | added 2026/05/28 3:27 a.m. | 18 views

CVE-2026-9241

The FOX – Currency Switcher Professional for WooCommerce WordPress plugin (up to version 1.4.6) is affected by an Authorization Bypass through a user-controlled key. The flaw resides in get_value() in classes/fixed/fixed_user_role.php, which trusts the attacker-controlled $_REQUEST['wooc_order_us...

CVSS 4.3 | AI score 5.7 | EPSS 0.00213
Exploits 0 | References 5

CVE | added 2026/05/28 3:27 a.m. | 26 views

CVE-2026-5737

CVE-2026-5737 concerns the Independent Analytics plugin for WordPress, vulnerable through an unauthenticated SSRF in versions up to 2.14.9. A public tracking route at /wp-json/iawp/search accepts attacker-controlled referrer_url values when signatures match, compounded by a scheduled favicon fetc...

CVSS 6.5 | AI score 5.9 | EPSS 0.00366
Exploits 0 | References 10

CVE | added 2026/05/28 3:27 a.m. | 47 views

CVE-2026-9791

CVE-2026-9791 describes a flaw in Keycloak where an authenticated user with existing organization membership can access user-facing APIs (e.g., the account API) or request an OpenID Connect token with the organization scope. This can lead to leakage of organization metadata in tokens even after a...

CVSS 4.3 | AI score 5.7 | EPSS 0.00214
Exploits 0 | References 6 | Affected software 1

CVE | added 2026/05/28 2:39 a.m. | 25 views

CVE-2026-9789

The CVE-2026-9789 entry describes a Local Privilege Escalation affecting Acer NitroSense software prior to 3.01.3052. The root cause is a PSAdminAgent service that creates a named pipe with a weak ACL, allowing any authenticated local user to connect and issue commands. The service does not verif...

CVSS 8.5 | AI score 5.9 | EPSS 0.00152
Exploits 1 | References 1

CVE | added 2026/05/28 12:02 a.m. | 21 views

CVE-2026-8915

Technical details about CVE-2026-8915 are not publicly available in the provided documents. Monitor for updates from Samsung Escargot advisories and NVD entries for affected versions, impact, and remediation.

CVSS 8.8 | AI score 5.8 | EPSS 0.00324
Exploits 0 | References 1 | Affected software 1

CVE | added 2026/05/28 12:00 a.m. | 17 views

CVE-2026-30760

CVE-2026-30760 affects SourceBans Material Admin prior to v1.1.6. A crafted XAJAX call allows an attacker to manipulate arbitrary user data in the web application. The root cause is related to insufficient validation/authorization in handling XAJAX requests, leading to data integrity impacts (arb...

CVSS 7.3 | AI score 5.9 | EPSS 0.00308
Exploits 0 | References 4

CVE | added 2026/05/28 12:00 a.m. | 15 views

CVE-2026-38707

Affects InHand Networks IR302 firmware v3.5.108, IR305 v1.0.118, IR315 v1.0.118, IR615 v1.0.118 (and earlier). The issue is a command injection in the IPSec VPN feature that can grant ROOT privileges on remote targets. CVSS 3.1: 9.8 (CRITICAL) with network access, no user interaction, and high im...

CVSS 9.8 | AI score 5.8 | EPSS 0.01243
Exploits 0 | References 1 | Affected software 1

CVE | added 2026/05/28 12:00 a.m. | 16 views

CVE-2026-38702

CVE-2026-38702 is a command injection vulnerability in InHand Networks’ Admin Access feature affecting IR302 (V3.5.108) and IR305/IR315/IR615 (V1.0.118) and earlier firmware. The issue could allow remote attackers to gain ROOT privileges on target devices. The connected sources confirm affected m...

CVSS 9.8 | AI score 5.8 | EPSS 0.01243
Exploits 0 | References 1 | Affected software 1

CVE | added 2026/05/28 12:00 a.m. | 14 views

CVE-2026-37266

CVE-2026-37266: the issue affects the Responsive File Manager web application (version 9.14.0). A vulnerability in the force_download.php component allows a remote attacker to execute arbitrary code. The publicly documented impact is significant (base CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H...

CVSS 8 | AI score 6.2 | EPSS 0.00334
Exploits 0 | References 2

CVE | added 2026/05/28 12:00 a.m. | 17 views

CVE-2026-37579

CVE-2026-37579 affects SMSGate sms-core

CVSS 7.3 | AI score 6.2 | EPSS 0.0029
Exploits 0 | References 1

CVE | added 2026/05/28 12:00 a.m. | 39 views

CVE-2026-48004

Technical details for CVE-2026-48004 are not publicly available in the provided documents; monitor for updates.

Exploits 0

CVE | added 2026/05/28 12:00 a.m. | 12 views

CVE-2026-48824

The CVE-2026-48824 record is still reserved (no initial description); a connected FreeBSD entry reports a memory-exhaustion DoS affecting mail/mailpit caused by unbounded JSON bodies on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release. No vendor/version details or patches are provided in the documents...

Exploits 0

CVE | added 2026/05/28 12:00 a.m. | 16 views

CVE-2026-38703

CVE-2026-38703 describes a command injection in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 V1.0.118, IR315 V1.0.118, IR615 V1.0.118 and earlier versions. Exploitation could yield ROOT privileges on remote devices. Affected component: ZeroTier VPN on the InHand IR s...

CVSS 9.8 | AI score 5.8 | EPSS 0.01243
Exploits 0 | References 1 | Affected software 1

CVE | added 2026/05/28 12:00 a.m. | 14 views

CVE-2026-40710

Dell Container Storage Modules are affected by CVE-2026-40710, a critical vulnerability caused by hardcoded credentials exposed in public repositories. This allows remote attackers to access sessions, exfiltrate data, and move laterally. The PT-2026-44502 entry confirms CVSS 10.0. The provided do...

Exploits 0

CVE | added 2026/05/28 12:00 a.m. | 25 views

CVE-2026-42998

Summary of CVE-2026-42998 (OpenStack Keystone): the Keystone application credential authentication plugin fails to verify that the requester owns the credential, allowing an attacker to authenticate with their own application credential and specify another user in the request. The resulting toke...

CVSS 8.8 | AI score 5.8 | EPSS 0.00303
Exploits 1 | References 2 | Affected software 1

CVE | added 2026/05/28 12:00 a.m. | 16 views

CVE-2026-30761

SourceBans Material Admin v1.1.6 contains an arbitrary file upload vulnerability in pages/admin.uploadmapimg.php that allows code execution via a crafted image file. Affected component is the upload handler; root cause is improper validation of uploaded files. CVSS v3.1 base score 7.3 (HIGH); att...

CVSS 7.3 | AI score 6.2 | EPSS 0.00358
Exploits 0 | References 4

CVE | added 2026/05/28 12:00 a.m. | 35 views

CVE-2026-44394

CVE-2026-44394 affects OpenStack Keystone before 29.0.2. The federated token rescoping mechanism does not propagate the original token expiry to the newly issued token; repeated rescopes can allow indefinite access by issuing tokens with a fresh TTL, bypassing token lifetime policies. Affected de...

CVSS 8.1 | AI score 5.8 | EPSS 0.00249
Exploits 1 | References 2 | Affected software 1
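
Added example covering the two Keystone token-issuance checks described in the CVE-2026-42998 and CVE-2026-44394 entries above (illustrative code, not Keystone's own implementation or its exact fix). Part one: an application-credential authenticator that, when a user is named in the request, requires that user to be the credential's owner; `check_owner=False` reproduces the impersonation. Part two: a rescope that carries the original token's expiry forward instead of minting a fresh TTL each time; `preserve_expiry=False` reproduces the unbounded-lifetime behaviour. Credential records, user ids, project ids, the one-hour TTL and the clock value are all constructed for the demo.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

class AuthError(Exception):
    pass

@dataclass(frozen=True)
class AppCredential:
    id: str
    secret: str
    user_id: str      # the owner
    project_id: str

@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    expires_at: datetime
    method: str

# Constructed store: alice owns one credential, mallory owns another.
CREDENTIALS = {
    "ac-alice": AppCredential("ac-alice", "alice-secret", "alice", "proj-a"),
    "ac-mallory": AppCredential("ac-mallory", "mallory-secret", "mallory", "proj-m"),
}
TOKEN_TTL = timedelta(hours=1)
TEN_MINUTES = timedelta(minutes=10)
DEMO_NOW = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo

def authenticate_app_cred(cred_id: str, secret: str, requested_user_id, now: datetime,
                          check_owner: bool = True) -> Token:
    """Issue a token for an application credential. The request may name a user;
    the owner check ensures that user really is the credential's owner."""
    cred = CREDENTIALS.get(cred_id)
    if cred is None or not hmac.compare_digest(cred.secret.encode(), secret.encode()):
        raise AuthError("invalid credential")
    if requested_user_id is not None and requested_user_id != cred.user_id:
        if check_owner:
            raise AuthError("credential not owned by requested user")
        # flawed path: the caller-supplied user is trusted, so the token impersonates them
    user_id = requested_user_id or cred.user_id
    return Token(user_id, cred.project_id, now + TOKEN_TTL, "application_credential")

def owner_check_rejects(cred_id: str, secret: str, requested_user_id, now: datetime) -> bool:
    try:
        authenticate_app_cred(cred_id, secret, requested_user_id, now)
    except AuthError:
        return True
    return False

def rescope(token: Token, new_project_id: str, now: datetime, preserve_expiry: bool = True) -> Token:
    """Exchange a token for one scoped to another project. With preserve_expiry the new
    token can never outlive the one it was derived from."""
    if token.expires_at <= now:
        raise AuthError("token expired")
    fresh_expiry = now + TOKEN_TTL
    expires_at = min(token.expires_at, fresh_expiry) if preserve_expiry else fresh_expiry
    return Token(token.user_id, new_project_id, expires_at, token.method)

def rescope_chain(token: Token, now: datetime, steps: int, step: timedelta, preserve_expiry: bool) -> Token:
    """Rescope repeatedly, once every `step`, and return the final token."""
    current = token
    for i in range(1, steps + 1):
        current = rescope(current, "proj-b", now + step * i, preserve_expiry)
    return current

if __name__ == "__main__":
    tok = authenticate_app_cred("ac-alice", "alice-secret", None, DEMO_NOW)
    print("original expiry           :", tok.expires_at)
    print("after 5 rescopes, flawed  :", rescope_chain(tok, DEMO_NOW, 5, TEN_MINUTES, False).expires_at)
    print("after 5 rescopes, hardened:", rescope_chain(tok, DEMO_NOW, 5, TEN_MINUTES, True).expires_at)
    print("impersonation rejected    :", owner_check_rejects("ac-mallory", "mallory-secret", "alice", DEMO_NOW))
```

Both checks are the same idea applied at different points: a derived token (from a credential, or from another token) must not carry more authority or more lifetime than the thing it was derived from.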
CVE | added 2026/05/28 12:00 a.m. | 32 views

CVE-2026-43000

CVE-2026-43000 affects OpenStack Keystone (identity service). Affected: Keystone before 29.0.2. The issue arises when an impersonation vulnerability in application credentials is chained with Keystone trusts, allowing a user with member role to escalate to admin by delegating the victim's admin r...

CVSS 8.8 | AI score 5.8 | EPSS 0.00328
Exploits 1 | References 5 | Affected software 1

CVE | added 2026/05/28 12:00 a.m. | 30 views

CVE-2026-42999

OpenStack Keystone prior to 29.0.2 contains CVE-2026-42999, where the RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary (policy_dict.update(json_input.copy())). Since flask.request.get_json is called with force=True, this ...

CVSS 8.8 | AI score 6 | EPSS 0.00329
Exploits 1 | References 5 | Affected software 1
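
Added example (a simplified model, not Keystone's enforcer or oslo.policy): why merging the raw request body into the policy-enforcement dictionary is dangerous. The rule is modelled as `role:admin and domain_id:%(target.user.domain_id)s`, i.e. a domain admin may only update users in their own domain; the server derives `target.user` from the database, but when the body is merged at top level a body key named `target` overwrites it. Because the entry says the body is read with `force=True`, the Content-Type offers no protection, so the hardened variant simply does not merge the body. Users, domains and bodies are constructed.

```python
import copy

def lookup(d: dict, dotted: str):
    """Resolve 'target.user.domain_id' against a nested dict (oslo.policy-style path)."""
    cur = d
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def rule_allows(credentials: dict, policy_dict: dict) -> bool:
    """Policy for identity:update_user, modelled as
    'role:admin and domain_id:%(target.user.domain_id)s'."""
    return ("admin" in credentials["roles"]
            and credentials["domain_id"] == lookup(policy_dict, "target.user.domain_id"))

def build_policy_dict(target_user: dict, request_body: dict, merge_body: bool) -> dict:
    """Assemble the enforcement dict. The flawed variant merges the raw request body at
    top level (the body was parsed with force=True, so any client can send JSON), and a
    body key named 'target' replaces the server-derived target."""
    policy_dict = {"target": {"user": copy.deepcopy(target_user)}}
    if merge_body:
        policy_dict.update(copy.deepcopy(request_body))
    return policy_dict

def enforce_update_user(credentials: dict, target_user: dict, request_body: dict, merge_body: bool) -> bool:
    return rule_allows(credentials, build_policy_dict(target_user, request_body, merge_body))

# Constructed data: mallory administers domain-b; the victim user lives in domain-a.
DOMAIN_B_ADMIN = {"user_id": "mallory", "roles": ["admin"], "domain_id": "domain-b"}
DOMAIN_A_ADMIN = {"user_id": "alice", "roles": ["admin"], "domain_id": "domain-a"}
VICTIM_USER = {"id": "u-victim", "domain_id": "domain-a", "name": "victim"}
HONEST_BODY = {"user": {"password": "new-pass"}}
POISONED_BODY = {"user": {"password": "new-pass"},
                 "target": {"user": {"domain_id": "domain-b"}}}   # attacker-chosen target

if __name__ == "__main__":
    for label, body in (("honest body", HONEST_BODY), ("poisoned body", POISONED_BODY)):
        print(f"{label:14s} merged={enforce_update_user(DOMAIN_B_ADMIN, VICTIM_USER, body, True)} "
              f"not merged={enforce_update_user(DOMAIN_B_ADMIN, VICTIM_USER, body, False)}")
```

If request-body fields genuinely need to participate in a policy decision, they belong under a dedicated, namespaced key that the rule references explicitly, never at the same level as the server-derived target and credentials.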
CVE | added 2026/05/28 12:00 a.m. | 22 views

CVE-2026-38704

CVE-2026-38704 describes a command injection vulnerability in the WireGuard VPN feature of InHand Networks firmware. Affected devices include IR302 (V3.5.108), IR305 (V1.0.118), IR315 (V1.0.118), IR615 (V1.0.118), and earlier versions. Successful exploitation can yield ROOT privileges on remote t...

CVSS 9.8 | AI score 5.8 | EPSS 0.01269
Exploits 0 | References 1 | Affected software 1

CVE | added 2026/05/27 11:26 p.m. | 22 views

CVE-2026-4888

CVE-2026-4888 affects the Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder for WordPress. The vulnerability is due to a missing capability check in the send_test_email() function across all versions up to and including 3.4.7, allowing authenticated attackers with Sub...

CVSS 4.3 | AI score 5.9 | EPSS 0.00275
Exploits 0 | References 2

CVE | added 2026/05/27 10:57 p.m. | 26 views

CVE-2026-45725

The CVE-2026-45725 record carries no initial description, but connected material documents a concrete vulnerability in the compliance-trestle project. The issue resides in trestle/core/remote/cache.py (HTTPSFetcher and SFTPFetcher) of the compliance-trestle library (version ~4.0.2)...

EPSS 0.00047
Exploits 0

CVE | added 2026/05/27 10:51 p.m. | 29 views

CVE-2026-47717

The connected advisory (GHSA-Q3W6-Q3HC-C5X6) details a data disclosure flaw in FUXA v1.3.0-2773 where GET /api/project exposes full project data to unauthenticated requests even when secureEnabled is true. The root cause is that the secure middleware calls verifyToken but auto-generates a guest J...

EPSS 0.00088
Exploits 0

CVE | added 2026/05/27 10:49 p.m. | 32 views

CVE-2026-46621

The connected document GHSA-2G95-6X5Q-XJWJ describes a Server-Side Code Injection in Yamcs where the script evaluation engine for Python algorithms uses Jython via the JSR-223 ScriptEngine API without a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can override an...

EPSS 0.00473
Exploits 0

CVE | added 2026/05/27 10:45 p.m. | 25 views

CVE-2026-46562

CVE-2026-46562 is reserved; however, connected data reveal an explicit vulnerability in Yamcs: remote code execution via the Mission Database algorithm override due to a Nashorn ScriptEngine created without a ClassFilter, allowing attacker-supplied JavaScript to reach arbitrary Java classes. The ...

EPSS 0.00562
Exploits 0

CVE | added 2026/05/27 10:34 p.m. | 23 views

CVE-2026-45704

Pimcore CustomReports vulnerability: a backend user with the reports permission can read a report’s configuration by directly requesting it even when the report is not visible in the listing, due to inconsistent authorization between listing and detail endpoints. The root cause is that getAction(...

EPSS 0.00035
Exploits 0

CVE | added 2026/05/27 10:27 p.m. | 20 views

CVE-2026-45703

CVE-2026-45703 / GHSA-332X-R494-54FQ (Pimcore WordExport authorization bypass): the advisory describes an authorization flaw in Pimcore’s WordExport export flow where the system only checks a feature permission (word_export) and does not enforce object-level access rights on the target element (...

EPSS 0.00089
Exploits 0

CVE | added 2026/05/27 9:56 p.m. | 26 views

CVE-2026-46538

CVE-2026-46538 affects Microsoft UFO open-source framework; in version 3.0.1-4-ge2626659, the constellation client tracks pending task responses by session_id and does not bind completion to the originating device. An authenticated peer can forge a TASK_END with the same session_id to inject atta...

CVSS 5.9 | AI score 5.8 | EPSS 0.00225
Exploits 0 | References 1
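
Added example (a generic model, not UFO's constellation client): a task tracker that records which device a task was dispatched to and accepts a TASK_END only from that device. With `bind_to_device=False` it reproduces the flaw described above, where completion is keyed on `session_id` alone, so another authenticated peer that learns the id can complete the task first and have its payload recorded as the result. Device names, session ids and payloads are constructed; the message names (TASK_END) are the ones the entry uses.

```python
import secrets

class TaskTracker:
    """Tracks outstanding tasks dispatched to devices in a constellation (generic model).
    bind_to_device=False reproduces the flaw: completion is keyed on session_id only."""

    def __init__(self, bind_to_device: bool):
        self.bind_to_device = bind_to_device
        self.pending = {}    # session_id -> device_id the task was dispatched to
        self.results = {}    # session_id -> (reporting device_id, payload)
        self.rejected = []   # audit log of refused TASK_END messages

    def start_task(self, device_id: str) -> str:
        session_id = secrets.token_hex(16)   # unguessable, but visible to peers that see traffic
        self.pending[session_id] = device_id
        return session_id

    def handle_task_end(self, sender_device_id: str, session_id: str, payload: dict) -> bool:
        """Process a TASK_END from an authenticated peer. Returns True if accepted."""
        if session_id not in self.pending:
            self.rejected.append((sender_device_id, session_id, "unknown or already completed session"))
            return False
        assigned = self.pending[session_id]
        if self.bind_to_device and sender_device_id != assigned:
            self.rejected.append((sender_device_id, session_id, "sender is not the assigned device"))
            return False
        self.results[session_id] = (sender_device_id, payload)
        del self.pending[session_id]
        return True

def forged_task_end_scenario(bind_to_device: bool):
    """Victim device gets a task; another authenticated peer that learned the session id
    sends TASK_END first. Returns (forgery_accepted, genuine_accepted, recorded_result)."""
    tracker = TaskTracker(bind_to_device)
    sid = tracker.start_task("dev-victim")
    forged = tracker.handle_task_end("dev-attacker", sid, {"status": "ok", "output": "ATTACKER DATA"})
    genuine = tracker.handle_task_end("dev-victim", sid, {"status": "ok", "output": "real output"})
    return forged, genuine, tracker.results[sid]

if __name__ == "__main__":
    for bind in (False, True):
        forged, genuine, result = forged_task_end_scenario(bind)
        print(f"bind_to_device={bind}: forgery accepted={forged}, genuine accepted={genuine}, "
              f"result attributed to {result[0]!r}")
```

Note the second-order effect in the unbound case: the forged completion also consumes the session, so the genuine TASK_END is then rejected as unknown, and the injected payload is the only result the caller ever sees.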
CVE | added 2026/05/27 9:56 p.m. | 28 views

CVE-2026-46416

Microsoft UFO (open-source framework for intelligent automation) in version 3.0.1-4-ge2626659 uses a single shared UFOWebSocketHandler instance for multiple authenticated WebSocket connections. The handler caches per-connection protocol objects in mutable fields, and each new connection overwrite...

CVSS 6.3 | AI score 5.8 | EPSS 0.00276
Exploits 0 | References 1

CVE | added 2026/05/27 9:54 p.m. | 39 views

CVE-2026-46414

Technical details are not publicly available in the provided documents. Monitor for updates.

CVSS 8.8 | AI score 5.8 | EPSS 0.00502
Exploits 0 | References 1

CVE | added 2026/05/27 9:54 p.m. | 32 views

CVE-2026-46402

Microsoft UFO (open-source framework) 3.0.1-4-ge2626659 exposes a path traversal risk by using the user-controlled task_name when building session log paths, enabling an authenticated client to create log directories/files outside the intended logs/ directory. This can impact integrity and availa...

CVSS 8.1 | AI score 5.8 | EPSS 0.00674
Exploits 0 | References 1
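
Added example (not UFO code): building a per-session log path from a client-supplied `task_name` with two layers of defence, an allow-list on the name itself and a containment check on the resulting path. `contain=False` reproduces the flawed behaviour where the raw name is joined and normalised, so `..` segments or an absolute name land outside the logs directory. The root directory and task names are constructed; the check is lexical (no filesystem access), so it runs anywhere.

```python
import os
import re

# Allow-list: starts alphanumeric, then alphanumerics, dot, underscore or dash, max 64 chars.
TASK_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
DEMO_LOGS_ROOT = "/srv/ufo/logs"    # constructed root for the demo

def is_safe_task_name(task_name: str) -> bool:
    """Cheap first gate: no path separators, no leading dot, bounded length."""
    return bool(TASK_NAME_RE.match(task_name))

def session_log_path(logs_root: str, task_name: str, contain: bool = True) -> str:
    """Return <logs_root>/<task_name>. With contain=False the raw name is joined and
    normalised (the flawed behaviour). With contain=True the normalised result must lie
    strictly inside logs_root or ValueError is raised."""
    root = os.path.normpath(os.path.abspath(logs_root))
    candidate = os.path.normpath(os.path.join(root, task_name))   # absolute task_name discards root
    if contain:
        if (not task_name or candidate == root
                or os.path.commonpath([root, candidate]) != root):
            raise ValueError(f"task_name escapes the log directory: {task_name!r}")
    return candidate

def escapes_root(logs_root: str, task_name: str) -> bool:
    """True if the containment check refuses this task_name."""
    try:
        session_log_path(logs_root, task_name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for name in ("2026-05-28_run.1", "../../etc/cron.d/x", "/etc/cron.d/x", "ok/../../x", ".hidden"):
        print(f"{name!r:22s} allowlist={is_safe_task_name(name)!s:5s} "
              f"flawed path={session_log_path(DEMO_LOGS_ROOT, name, contain=False)!r} "
              f"contained={not escapes_root(DEMO_LOGS_ROOT, name)}")
```

The containment check is the one that matters for integrity: it decides on the final normalised path, which is what the filesystem will actually open, rather than on whether the input string looked suspicious. The allow-list is still worth keeping because it also bounds length and rejects names that would be valid but confusing (hidden directories, trailing spaces).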
CVE | added 2026/05/27 9:53 p.m. | 22 views

CVE-2026-46544

Technical details beyond the provided CVE description are not publicly available in the supplied documents. Monitor for updates from the referenced UFO advisory and CVE entry.

CVSS 5.3 | AI score 5.8 | EPSS 0.00422
Exploits 0 | References 1

Total number of security vulnerabilities: 367610