Lucene search
K

418889 matches found

EUVD
EUVD
added 2026/06/12 8:48 p.m.10 views

EUVD-2026-36573

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via unsanitized user display name in draft version tooltip. As of time of publication, no known patched versions are available...

5.3CVSS4.9AI score0.00286EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:48 p.m.13 views

EUVD-2026-36572

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...

5.3CVSS5.5AI score0.00247EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:46 p.m.10 views

EUVD-2026-36571

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configure...

8.1CVSS5.3AI score0.0025EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:46 p.m.11 views

EUVD-2026-36570

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data. This issue affects Hash Elements: from n/a through 1.5.4...

4.3CVSS5.2AI score0.00175EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:45 p.m.11 views

EUVD-2026-36569

A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/AddProjects of the component Projects Management Page. The manipulation of the argument protitle results in cross site scripting. The attack may be launched...

5.1CVSS3.7AI score0.00203EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:44 p.m.11 views

EUVD-2026-36568

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery SSRF in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch...

7.6CVSS5.3AI score0.00197EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:43 p.m.10 views

EUVD-2026-36567

ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to...

7.3CVSS5.3AI score0.00211EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 8:39 p.m.10 views

EUVD-2026-36566

ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of sanitize-html prior to 2.17.4 can turn attacker-controlled content inside a disallowed xmp element into live HTML or...

9.3CVSS5.2AI score0.0037EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:37 p.m.10 views

EUVD-2026-36565

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command...

6.5CVSS5.8AI score0.00428EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:36 p.m.9 views

EUVD-2026-36564

MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a...

5.3CVSS5.2AI score0.00256EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:30 p.m.10 views

EUVD-2026-36563

MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/...

5.3CVSS5.6AI score0.00319EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:30 p.m.10 views

EUVD-2026-36562

A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/addtod of the component Dashboard Interface. The manipulation of the argument tododata leads to cross site scripting. The attack may be...

5.1CVSS3.7AI score0.00203EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:26 p.m.9 views

EUVD-2026-36561

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializertaggroupnames returned every tag group a tag belonged to without filtering against the requesting...

5.3CVSS5.2AI score0.00216EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:26 p.m.11 views

EUVD-2026-36560

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /webhookevents/ in Jobs::RedeliverWebHookEvents did not pass groupids, leaving the channel...

4.3CVSS5.2AI score0.00211EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:25 p.m.9 views

EUVD-2026-36559

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a...

6.8CVSS5.2AI score0.00323EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:25 p.m.10 views

EUVD-2026-36558

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin one also involving discourse-calendar: read-only category users...

5.3CVSS5.3AI score0.00204EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:24 p.m.11 views

EUVD-2026-36557

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks cansee? on the post being explained, not its replytopost, so any authenticated user wi...

4.3CVSS5.3AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:23 p.m.13 views

EUVD-2026-36587

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext...

6.5CVSS5.3AI score0.00231EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:23 p.m.9 views

EUVD-2026-36586

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in...

5.4CVSS5.3AI score0.00148EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:23 p.m.12 views

EUVD-2026-36585

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared includeuserlongname? as the predicate for its :name attribute, but AMS looks for includename?...

4.3CVSS5.3AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:22 p.m.10 views

EUVD-2026-36584

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload"rawemail" for posts that arrived via incoming email...

4.3CVSS5.2AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:22 p.m.11 views

EUVD-2026-36583

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1,...

4.3CVSS5.2AI score0.00235EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:22 p.m.10 views

EUVD-2026-36582

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus...

7.5CVSS5.3AI score0.00259EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:21 p.m.12 views

EUVD-2026-36581

A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal, bypassing the normal setSetting validation logic, including validatehomepage, which requires homepage...

5.1CVSS5.3AI score0.00377EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:8 p.m.10 views

EUVD-2026-36580

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or...

5.3CVSS5.4AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:8 p.m.22 views

EUVD-2026-35391

TYPO3 CMS has Broken Access Control in its Form Framework...

7.6CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:8 p.m.14 views

EUVD-2026-35396

TYPO3 CMS has Broken Access Control in the Recycler Module...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:7 p.m.11 views

EUVD-2026-35394

TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities...

5.3CVSS5.2AI score0.00294EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:7 p.m.13 views

EUVD-2026-35392

TYPO3 CMS: Destructive Actions on File Mount Folders...

7.2CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 8:7 p.m.10 views

EUVD-2026-35192

TYPO3 HTML Sanitizer allows Cross-site Scripting...

5.1CVSS5.1AI score0.00366EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/12 8:7 p.m.11 views

EUVD-2026-36579

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.3, kitty's OSC 21 color-control query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue...

7.3CVSS5.3AI score0.00166EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/12 8:6 p.m.12 views

EUVD-2026-36578

Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitiv...

7.6CVSS5.7AI score0.00268EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/12 8:3 p.m.10 views

EUVD-2026-36556

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU...

5CVSS5.5AI score0.00072EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 8:0 p.m.12 views

EUVD-2026-36555

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with cat, a log line, an email body rendered in less, an issue body in a TUI, etc. — can cause kitty to execute...

7.8CVSS5.6AI score0.00164EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/12 7:59 p.m.10 views

EUVD-2026-36554

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

8.8CVSS5.2AI score0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:59 p.m.10 views

EUVD-2026-36553

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as su...

7.4CVSS5.5AI score0.00287EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/12 7:51 p.m.12 views

EUVD-2026-36552

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:44 p.m.12 views

EUVD-2026-36551

MISP contains an insecure default configuration in which the Security.checksecfetchsiteheader control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...

7.1CVSS5.3AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:34 p.m.10 views

EUVD-2026-36550

An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own...

7.5CVSS5.4AI score0.00229EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:32 p.m.11 views

EUVD-2026-35402

TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework...

8.7CVSS5.8AI score0.00244EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:32 p.m.14 views

EUVD-2026-35397

TYPO3 CMS has Broken Access Control in its DataHandler...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:32 p.m.16 views

EUVD-2026-35393

TYPO3 CMS has Broken Access Control in its Form Framework...

7.6CVSS5.2AI score0.00253EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:25 p.m.10 views

EUVD-2026-36549

An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership...

5.1CVSS5.2AI score0.00254EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:9 p.m.13 views

EUVD-2026-35403

TYPO3 CMS has Broken Access Control in its Media Module...

7.1CVSS5.2AI score0.00313EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:9 p.m.12 views

EUVD-2026-35401

TYPO3 CMS has Insecure Deserialization via Core API...

6.3CVSS5.2AI score0.00215EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:9 p.m.12 views

EUVD-2026-35400

TYPO3 CMS has Broken Access Control in its File Abstraction Layer...

2.1CVSS5.2AI score0.00356EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:8 p.m.15 views

EUVD-2026-35399

TYPO3 CMS has Broken Access Control in Backend API...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35398

TYPO3 CMS: Broken Access Control in Media Module...

5.3CVSS5.1AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35395

TYPO3 CMS has Cross-Site Scripting in Indexed Search...

5.1CVSS5.2AI score0.00269EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35191

TYPO3 HTML Sanitizer allows Cross-site Scripting...

2.1CVSS5.1AI score0.00282EPSS
Exploits0References5
Total number of security vulnerabilities418889