
367841 matches found

CVE-2026-55793

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under th...

CVSS 5.9 | AI score 5.7
Exploits: 0 | References: 2

CVE-2026-54712

The CVE pertains to OpenTelemetry Java Instrumentation. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but not the aggregate size of the strings, allowing an attacker who can reach an RMI endpoint on an instrumented JVM to send an ov...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-54704

OpenTelemetry Java Instrumentation contains a vulnerability in JDBC auto-instrumentation prior to version 2.28.0 where passwords in SQL CONNECT statements may not be sanitized if the password is double-quoted. This can cause clear-text database passwords to be added to trace spans and exported to...

CVSS 6.5 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-54263

Wagtail (Django-based CMS) has a reflected XSS in the dynamic image URL generator view within the admin. A limited-permission editor could craft a URL that, when seen by a higher-privilege user, could act with that user's credentials. Affected versions: < 7.0.8, < 7.3.3,

CVSS 7.3 | AI score 5.5
Exploits: 0 | References: 1

CVE-2026-54262

Wagtail's CVE-2026-54262 affects the translation feature. In versions before 7.0.8, 7.3.3, and 7.4.2, a user with the "can submit translation" permission could create translations for any page, including pages they lack access to. The root cause is described as a permission/authorization issue rela...

CVSS 4.3 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-54261

Wagtail (Django-based CMS) has a permission-check flaw in the image preview endpoint. In versions prior to 7.0.8, 7.3.3, and 7.4.2, a user with admin access could preview any image due to a missing permission check; this does not expose the image data itself to ordinary site visitors. The issue h...

CVSS 6.5 | AI score 5.6
Exploits: 0 | References: 1

CVE-2026-54259

Wagtail (Django-based CMS) has a vulnerability in older branches where the Documents and Images chooser endpoint could show items to users who lack choose permission. Affected versions: < 7.0.8, < 7.3.3, and

CVSS 4.3 | AI score 5.6
Exploits: 0 | References: 1

CVE-2026-54260

CVE-2026-54260 affects Wagtail (Django-based CMS). In versions prior to 7.0.8, 7.3.3, and 7.4.2, an authenticated admin user can trigger expensive rendition processing via crafted filter specs in the image preview, leading to potential service degradation. This is not exploitable by anonymous vis...

CVSS 4.3 | AI score 5.6
Exploits: 0 | References: 1

CVE-2026-14340

GitHub Enterprise Server (GitHub ES) suffers an incorrect authorization vulnerability (CVE-2026-14340) where a user-to-server token scoped to a GitHub App installation could perform write operations on public repositories outside the token's scope. The root cause is an authorization check that on...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 6

CVE-2026-54720

Silverstripe Framework (PHP) contains an XSS vulnerability in the CMS "Insert media from web" feature, exploitable via a specially crafted embed. The issue affects versions prior to 6.2.2 and is mitigated by upgrading to 6.2.2 or later. The vulnerability stems from the media embed handling and co...

CVSS 5.4 | AI score 5.8
Exploits: 0 | References: 2

CVE-2026-55660

CVE-2026-55660: TinaCMS and Tinacms app prior to versions 2.5.6 / 3.9.3 allow cross-origin postMessage abuse due to window message listeners that do not validate event.origin/source and post to non-specific origins, combined with insufficient URL sanitization in rich-text content. This enables s...

CVSS 7.6 | AI score 5.7
Exploits: 0 | References: 2

CVE-2026-54074

CVE-2026-54074 affects @tinacms/cli (pre-2.4.3) used with TinaCMS. A Forestry-to-Tina migration path unquotes values in user-controlled YAML fields via the TINA_INTERNAL marker, allowing injection of arbitrary JavaScript into the generated tina/templates.{ts,js} file. The code executes at module ...

CVSS 7.8 | AI score 6.1 | EPSS 0.00082
Exploits: 0 | References: 1

CVE-2026-55661

CVE-2026-55661 affects TinaCMS rich-text rendering (Slate JSON) where the url field on Slate link/image nodes was not sanitized, allowing stored XSS via dangerous URL schemes such as javascript: or data:text/html. Affected versions include tinacms/mdx <2.1.7 and tinacms =2.1.7 and tinacms >...

CVSS 4.8 | AI score 5.6
Exploits: 0 | References: 2

CVE-2026-58263

CVE-2026-58263 affects Jodit Editor prior to 4.12.28. The built-in clean-html sanitizer can be bypassed via a MathML/ carrier, allowing a no-interaction event handler (e.g., onload) to survive in the editor value. When attacker-supplied HTML is rendered (element.innerHTML = editor.value), the han...

CVSS 7.2 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-54756

The CVE pertains to Jodit Editor (TypeScript WYSIWYG) where versions prior to 4.12.18 expose a Prototype Pollution risk via Jodit.configure(options) and internal ConfigMerge/ConfigProto, which may merge user-controlled options (e.g., under a plain-object option like controls) into Object.prototyp...

CVSS 6.3 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-55886

CVE-2026-55886: Jodit Prototype Pollution. Affected software: Jodit Editor (npm package) up to version 4.12.25 (vulnerability fixed in 4.12.26). Root cause: Prototype pollution via Jodit.modules.Helpers.set(chain, value, obj) which walks a dot-separated path and creates path segments without filt...

CVSS 6.3 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-50521

Use after free in Microsoft Edge (Chromium-based) allows an authorized attacker to execute code over a network...

CVSS 8.3 | AI score 5.9
Exploits: 0 | References: 1

CVE-2026-54786

Summary: CVE-2026-54786 affects Wasmtime's native WASIp1 implementation. The leak occurs in the fd_renumber path where the destination file descriptor is not properly closed, causing host-side resource and file descriptor leaks. The bug only affects runtimes that load core wasm modules and expose...

CVSS 2.3 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-55153

CVE-2026-55153 affects mchange-commons-java before 0.6.0, where the JNDI ObjectFactory (com.mchange.v2.naming.JavaBeanObjectFactory) constructs arbitrary JavaBean properties, enabling JNDI injection and deserialization gadget abuse in some classes. An example is setting a Swing JEditorPane's cont...

CVSS 7.1 | AI score 5.9
Exploits: 0 | References: 1

CVE-2026-55688

Affected software: AsyncHttpClient (AHC) library for Java. Vulnerable versions: 2.0.0 up to (but not including) 2.16.0, and 3.0.0.Beta1 up to (but not including) 3.0.11. Root cause: ThreadSafeCookieStore may store a cookie using the Domain value without validating that the responding host is allo...

CVSS 4 | AI score 5.8
Exploits: 0 | References: 2

CVE-2026-36541

Technical details are not publicly available in the provided documents for CVE-2026-36541; no affected products, vectors, or remediation are described. Monitor for updates.

Exploits: 0 | References: 1

CVE-2026-36542

Technical details for CVE-2026-36542 are not publicly available in the provided documents; no affected products, impact, or remediation are specified. Monitor for updates.

Exploits: 0 | References: 1

CVE-2026-54908

CVE-2026-54908 affects the Pion DTLS Go implementation. Versions prior to 3.1.4 are vulnerable to a remote Denial of Service caused by a panic while parsing a crafted ECDHE_PSK ServerKeyExchange message. The issue has been fixed in 3.1.4. No exploitation details are provided in the documents.

CVSS 6.3 | AI score 5.8
Exploits: 0 | References: 2

CVE-2026-14265

The CVE affects AWS Advanced JDBC Wrapper (AWR) RemoteQueryCachePlugin versions 3.3.0–4.0.0. Deserialization of untrusted data via ObjectInputStream without class filtering when reading cached query results from Redis or Valkey enables gadget-chain execution, allowing arbitrary code execution on ...

CVSS 7.7 | AI score 6.3
Exploits: 0 | References: 3

CVE-2026-58593

NodeBB is affected by CVE-2026-58593 where inbound ActivityPub objects are not correctly bound to the authenticated remote actor. The middleware verifies the HTTP-signature actor and origin of object.id but does not validate that attributedTo corresponds to the sender, treating attributedTo as a ...

CVSS 8.7 | AI score 6
Exploits: 0 | References: 3

CVE-2026-58592

Vulnerability summary (CVE-2026-58592, Ladybird): A dangling-reference memory-safety flaw in Ladybird's WebAssembly ESM integration loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference...

CVSS 8.9 | AI score 6.4
Exploits: 0 | References: 3

CVE-2026-49858

API Platform Core contains a cross-user attribute leak in JSON:API and HAL item normalizers due to a missing isCacheKeySafe gate. Affected versions: 2.6.0 up to 4.1.28, 4.2.25, and 4.3.11 (i.e., before 4.1.29, 4.2.26, 4.3.12). Root cause: componentsCache arrays are keyed on $context['cache_key'] ...

CVSS 5.9 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-58457

CVE-2026-58457 affects Shenzhen Aitemi M300 MT02 (Wi-Fi Repeater). An unauthenticated OS command injection exists in the commuos web backend via the smacfilter_conf handler. Attackers can append semicolon-delimited payloads to the name, enable, or mac GET parameters, which are unsanitized and pas...

CVSS 9.8 | AI score 6.1
Exploits: 0 | References: 3

CVE-2026-14363

CVE-2026-14363 affects the Wikimedia Foundation MediaWiki Cargo Extension and allows SQL injection due to improper neutralization of special elements in SQL commands. The issue impacts Cargo Extension versions before 1.43.9, 1.44.6, and 1.45.4 (i.e., these versions are vulnerable; later versions ...

CVSS 6.9 | AI score 5.8
Exploits: 0 | References: 3

CVE-2026-54164

Summary: API Platform Core versions prior to 4.1.30, 4.2.26 and 4.3.12 contain a type-confusion in the serializer's AbstractItemNormalizer when resolving relation IRIs. An attacker able to submit write requests (POST/PUT/PATCH) to an API endpoint with writable relations can supply a relation IRI ...

CVSS 6.5 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-13760

OS command injection in the NodejsFunction Docker bundling pipeline OsCommand helper in AWS aws-cdk-lib on all platforms might allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected...

CVSS 7.3 | AI score 6.1
Exploits: 0 | References: 3

CVE-2026-55597

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-26, an incorrect handling of arguments can cause a heap buffer over-write in the JP2 encoder. This issue has been fixed in version 7.1.2-26...

CVSS 5.5 | AI score 5.9
Exploits: 0 | References: 1

CVE-2026-55595

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when providing invalid arguments to the connected-components option an infinite loop will occur. This issue has been fixed in versions 6.9.13-51 and 7.1.2-26...

CVSS 4.7 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-55594

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a missing depth check in the MVG decoder will result in a stack overflow when a crafted image is provided. This issue has been fixed in versions 6.9.13-51 and...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-55577

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in...

CVSS 5.9 | AI score 6
Exploits: 0 | References: 1

CVE-2026-55510

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, when identifying an image with a crafted 8BIM profile with a specific format string a use-after-free will occur. This issue has been fixed in versions 6.9.13-51...

CVSS 5.5 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-53467

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, the MNG decoder contains a possible heap information disclosure vulnerability because part of the pixels are left unchanged. This issue has been fixed in versio...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-14358

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Charts Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Charts Extension: from before 1.43.9, 1.44.6, 1.45.4...

CVSS 6.9 | AI score 5.8
Exploits: 0 | References: 2

CVE-2026-41121

Dell Device Management Agent, versions prior to DDMA 26.05, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges...

CVSS 7.3 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-13769

Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcommands...

CVSS 6.8 | AI score 5.8
Exploits: 0 | References: 4

CVE-2026-57155

Technical details for CVE-2026-57155 are not publicly available in the provided documents. No affected products, impact, or remediation are listed. Monitor for updates.

Exploits: 0 | References: 1

CVE-2026-49119

Gradio before 6.16.0 contains a path traversal vulnerability in the FileExplorer component's preprocess method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory traversal sequences or absolute paths. Attackers can provide...

CVSS 8.7 | AI score 5.9
Exploits: 0 | References: 4

CVE-2026-58517

Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass. This issue affects Mediawiki - WikiLambda Extension: from before 1.43.9, 1.44.6, 1.45.4...

CVSS 6.9 | AI score 5.8
Exploits: 0 | References: 2

CVE-2026-53466

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-51 and 7.1.2-26, an integer overflow in the XCF decoder can result in an out of bounds read when a crafted image is read, potentially resulting in a crash. This issue has been...

CVSS 6.5 | AI score 5.8
Exploits: 0 | References: 1

CVE-2026-55628

In versions prior to 7.1.2-26, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26...

CVSS 5.5 | AI score 5.7
Exploits: 0 | References: 1

CVE-2026-58451

Horde IMP before 7.0.1 contains a path traversal vulnerability in lib/Compose.php that allows authenticated attackers to read arbitrary files from the server filesystem by embedding traversal sequences after a CKEditor path prefix in img src URLs. Attackers can bypass the stripos prefix validatio...

CVSS 7.1 | AI score 5.9
Exploits: 0 | References: 5

CVE-2026-53489

containerd is an open-source container runtime. Versions prior to 2.3.2, 2.2.5 and 2.1.9 contain a bug where the CRI plugin restores container.log from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via kubectl logs. This issue h...

CVSS 8.2 | AI score 5.9
Exploits: 0 | References: 1

CVE-2026-53492

containerd is an open-source container runtime. In versions prior to 2.3.2, 2.2.5 and 2.1.9, the CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a...

CVSS 8.4 | AI score 5.9
Exploits: 0 | References: 1

CVE-2025-36374

This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided...

Exploits: 0

CVE-2026-12733

This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided...

Exploits: 0

Total number of security vulnerabilities: 367841