Lucene search
+L
CvelistRecent

366857 matches found

Cvelist
Cvelist
•added 2 days ago•36 views

CVE-2026-58559

DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability...

6.5CVSS0.00142EPSS
Exploits0References1
Cvelist
Cvelist
•added 2 days ago•36 views

CVE-2026-58558

Permission control vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

7.8CVSS0.00084EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•35 views

CVE-2026-58556

Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect availability...

5.1CVSS0.0008EPSS
Exploits0References1
Cvelist
Cvelist
•added 2 days ago•35 views

CVE-2026-15779 Samba-winbind: samba: pam_winbind mkhomedir chowns critical system paths without validation

A flaw was found in samba's pamwinbind. When mkhomedir is enabled, pamwinbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory a common default for system accounts can...

6.1CVSS0.00104EPSS
Exploits0References5
Cvelist
Cvelist
•added 2 days ago•38 views

CVE-2026-15809 Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env

A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...

7.8CVSS0.00126EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•39 views

CVE-2026-58557

Design defect vulnerability in Expedition mode. Impact: Successful exploitation of this vulnerability may affect availability...

4.8CVSS0.0007EPSS
Exploits0References1
Cvelist
Cvelist
•added 2 days ago•36 views

CVE-2026-58554

Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

6.6CVSS0.00077EPSS
Exploits0References1
Cvelist
Cvelist
•added 2 days ago•37 views

CVE-2026-58555

Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability...

6.6CVSS0.0008EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-58553

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

4CVSS0.00089EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•33 views

CVE-2026-58552

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

5.1CVSS0.00088EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•33 views

CVE-2026-58551

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

5.1CVSS0.00088EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•33 views

CVE-2026-58550

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

4CVSS0.00089EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•35 views

CVE-2026-58549

Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

4CVSS0.00089EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•29 views

CVE-2026-61873 Grav before 9.1.8 Arbitrary File Write via Twig-Processed Filename

Grav before 9.1.8 contains an arbitrary file write vulnerability in the Form plugin's process.save.filename parameter, which is validated against path traversal before Twig processing but never re-validated after rendering. Attackers can submit form data containing path traversal sequences that a...

8.1CVSS0.00256EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61872 ImageMagick before 7.1.2-26 Memory Leak via TIFF Encoder

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the TIFF encoder when an invalid tiff:tile-geometry is specified. Supplying malformed tile geometry parameters causes allocated memory not to be released, which can lead to increased memory consumption...

2.5CVSS0.00096EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•26 views

CVE-2026-61871 ImageMagick before 7.1.2-26 Memory Leak in ICON decoder

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the ICON decoder that occurs when a memory allocation fails. Processing a crafted ICON file that triggers an allocation failure leaks memory, which may lead to a denial of service...

6.3CVSS0.00232EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-61869 ImageMagick before 7.1.2-26 Memory Leak in MIFF Encoder

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the MIFF encoder that occurs when a memory allocation fails during MIFF image processing, which can lead to denial of service...

2.9CVSS0.00102EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61868 ImageMagick before 7.1.2-26 Memory Leak in YUV Decoder

ImageMagick before 7.1.2-26 and 6.9.x before 6.9.13-51 contains a memory leak in the YUV decoder that occurs when opening of the blob fails. Repeated triggering can lead to resource exhaustion denial of service...

6.3CVSS0.00222EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61867 ImageMagick before 7.1.2-26 Memory Leak in TIFF Encoder

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the TIFF encoder when memory allocation fails. Attackers can trigger allocation failures during TIFF image processing to cause memory exhaustion and denial of service...

2.9CVSS0.00102EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61865 ImageMagick before 7.1.2-26 Memory Leak in Hough Lines

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the hough lines operation: when a specific operation fails, a small memory leak occurs...

2.9CVSS0.00102EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61866 ImageMagick before 7.1.2-26 Memory Leak in JNG encoder

ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the JNG encoder when a blob cannot be opened. Attackers can trigger the memory leak by providing malformed JNG files that fail blob operations, causing resource exhaustion...

2.9CVSS0.00187EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•29 views

CVE-2026-61864 ImageMagick before 7.1.2-26 Memory Leak in Log Colorspace

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in color transformation to the log colorspace: when the operation fails, a small amount of memory is not released...

2.9CVSS0.00102EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•29 views

CVE-2026-61862 ImageMagick before 7.1.2-26 Information Disclosure via identify

ImageMagick before 7.1.2-26 and 6.9.13-51 contains an information disclosure vulnerability: when a profile is displayed with the identify command and the profile value is not printable, a single byte at the end of the profile can be printed read past the profile boundary. This behavior occurs whe...

2.9CVSS0.00105EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•34 views

CVE-2026-61863 ImageMagick before 7.1.2-26 Memory Leak in TIFF Encoder

ImageMagick before 7.1.2-26 and 6.x before 6.9.13-51 contains a memory leak in the TIFF encoder that occurs when a temporary file cannot be created, resulting in a small memory leak...

2.9CVSS0.00102EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61860 ImageMagick before 7.1.2-26 Use-After-Free via freetype

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a use-after-free vulnerability that occurs when freetype initialization fails: the method does not exit and continues to use memory that was already freed. This can be triggered during image processing and may lead to a denial of service...

6.3CVSS0.00221EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•29 views

CVE-2026-61859 ImageMagick before 7.1.2-26 Policy Bypass via script operation

ImageMagick before 7.1.2-26 and 6.9.13-x before 6.9.13-51 contains a policy bypass vulnerability in the -script operation due to missing security policy checks. This allows reading files from paths that are otherwise disallowed by the configured security policy...

4.8CVSS0.00131EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•33 views

CVE-2026-61464 ImageMagick before 7.1.2-26 Heap Buffer Over-Write via X11

ImageMagick before 7.1.2-26 and 6.9.13-51 contains a heap-based buffer over-write vulnerability that occurs when running an X11 import with a crafted window title, which can result in heap memory corruption and denial of service...

1.8CVSS0.00092EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61457 Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...

8.8CVSS0.00464EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61453 Grav before 2.0.1 XSS via Twig String Concatenation

Grav v2.0.0 contains a cross-site scripting vulnerability fixed in 2.0.1. The XSS blueprint validator Security::detectXss runs on raw page content before Twig processing. When Twig content processing is enabled twigcontent.processenabled: true, an attacker with page-write API permission can use...

6.1CVSS0.00155EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•28 views

CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS0.00194EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•34 views

CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url

The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...

9.6CVSS0.00244EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•33 views

CVE-2026-61446 PraisonAI before 1.6.78 Remote Code Execution via Plugin Auto-Discovery

PraisonAI praisonaiagents before 1.6.78 contains a remote code execution vulnerability in the plugin manager, which loads and executes arbitrary Python .py files from project-level and user-home .praisonai/plugins/ directories using importlib specfromfilelocation and execmodule without code...

8.6CVSS0.00221EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61449 Grav before 2.0.2 Decompression Bomb via Forged ZIP Size

Grav 2.0.1 contains a decompression-bomb size-cap bypass in ZipArchiver and GPM\Installer. The size bound introduced in 2.0.1 sums the uncompressed size declared in each entry's ZIP central-directory header ZipArchive::statIndex'size' and rejects archives exceeding...

7.1CVSS0.00247EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61443 PraisonAI before 1.6.78 Remote Code Execution via SkillTools

PraisonAI before 1.6.78 contains a remote code execution vulnerability in SkillTools.runskillscript that executes scripts without path containment validation. Attackers can supply absolute file paths to execute arbitrary scripts from any filesystem location, including those outside the intended...

8.6CVSS0.00499EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-61438 PraisonAI before 4.6.78 Remote Code Execution via Broken AST Sandbox

PraisonAI before 4.6.78 contains a remote code execution vulnerability in JobWorkflowExecutor.execinlinepython due to insufficient AST validation of workflow script steps. Attackers can create malicious YAML workflow files with import os statements followed by os.system calls that bypass sandbox...

7.3CVSS0.00202EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61440 PraisonAI Platform before 0.1.9 Authorization Bypass via Label Endpoints

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS0.00213EPSS
Exploits0References3
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61436 PraisonAI before 4.6.78 Missing Webhook Signature Verification

PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke configured agents with arbitrary sender addresses and message...

8.8CVSS0.0029EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•28 views

CVE-2026-61435 PraisonAI before 4.6.78 Authentication Bypass via Host Header Spoofing

PraisonAI before 4.6.78 contains an authentication bypass in the Call API agent invocation endpoints src/praisonai/praisonai/api/agentinvoke.py when PRAISONAICALLAUTH=disabled is configured. The safeguard intended to restrict the disabled-auth opt-out to localhost binding derives the bind host fr...

8.8CVSS0.00384EPSS
Exploits0References4
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-61433 PraisonAI before 4.6.78 Code Injection via API deployment generator

PraisonAI before 4.6.78 fails to safely encode deployment configuration values when generating Python source code for API servers. Attackers can inject arbitrary Python expressions through the deploy.api.host and agentsfile configuration parameters that execute when the generated server starts or...

8.5CVSS0.00144EPSS
Exploits0References3
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-61430 PraisonAI before 1.6.78 DNS Rebinding SSRF via web_crawl

PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the webcrawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. Attackers can use DNS rebinding to bypass SSRF protection and retrieve internal HTTP response bodies...

8.5CVSS0.00205EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•33 views

CVE-2026-61427 PraisonAI before 4.6.78 Authentication Bypass via HTTP-stream

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream'...

7.3CVSS0.00338EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•29 views

CVE-2026-60085 PraisonAI before 4.6.78 Unenforced Security Policy in Subprocess Sandbox

PraisonAI before 4.6.78 contains an unenforced security policy vulnerability in the default Subprocess Sandbox backend where blockedcommands, blockedpaths, blockedimports, allowsubprocess, and allowfilewrite restrictions are completely ignored. Attackers can execute arbitrary subprocess commands,...

8.7CVSS0.00241EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•31 views

CVE-2026-60087 PraisonAI before 1.6.78 Tool Approval Cache Bypass

PraisonAI before 1.6.78 caches tool approval decisions by tool name only, allowing attackers to reuse initial approvals for subsequent calls with arbitrary arguments. Attackers can exploit this by obtaining approval for a benign operation and then executing dangerous file write operations with...

6.9CVSS0.00189EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-59259 n8n - Permission Bypass via Expression Parser Mismatch in External Secrets

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the...

6CVSS0.00344EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-59254 n8n - External Secrets Disclosure via Workflow Node Expressions

n8n before 2.28.1 contains an information disclosure vulnerability where external secrets are incorrectly resolved in workflow node expressions outside credentials scope. Authenticated project editors can read plaintext external secret values by referencing them in node expressions without...

6.3CVSS0.00265EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•30 views

CVE-2026-58655 Grav Flex Objects - Server-Side Template Injection via Dynamic Titles

The bundled Grav Flex Objects plugin getgrav/grav-plugin-flex-objects before 1.4.0 contains a stored server-side template injection vulnerability. When rendering dynamic collection or object titles, the plugin passes user-controlled frontmatter values page.header.flex.collection.title or...

8.8CVSS0.01084EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-57996 phpMyFAQ - Privilege Escalation via Missing SuperAdmin Guard in user/add Endpoint

phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in the user/add API endpoint that allows non-SuperAdmin administrators to create SuperAdmin accounts. A delegated administrator with USERADD/EDIT/DELETE permissions can call POST /admin/api/user/add with isSuperAdmin: true and...

8.8CVSS0.00246EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-56764 Hono - Timing Attack in basicAuth and bearerAuth Middleware

Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing...

6.3CVSS0.00229EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-56699 Wazuh Manager - NDJSON Injection in inventory_sync via Agent-Controlled DataValue.index

Wazuh Manager before 5.0.0-beta3 fails to escape the DataValue.index field when constructing OpenSearch bulk requests, allowing enrolled agents to inject arbitrary NDJSON operations. Attackers can smuggle delete, index, or update operations into bulk requests executed under the manager's admin...

10CVSS0.00351EPSS
Exploits0References2
Cvelist
Cvelist
•added 2 days ago•32 views

CVE-2026-56400 open-webui - Remote Code Execution via CORS Misconfiguration and Session Validation

open-webui before 0.3.14 contains a cross-origin resource sharing misconfiguration allowing arbitrary origins with alloworigins= and authenticated requests to the /api/v1/functions endpoint. Attackers can execute arbitrary code on the openwebui instance by crafting malicious cross-site requests...

9CVSS0.00264EPSS
Exploits1References2
Total number of security vulnerabilities366857