Lucene search
K

418955 matches found

EUVD
EUVD
added 2026/06/12 7:59 p.m.10 views

EUVD-2026-36554

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

8.8CVSS5.2AI score0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:59 p.m.10 views

EUVD-2026-36553

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as su...

7.4CVSS5.5AI score0.00287EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/12 7:51 p.m.12 views

EUVD-2026-36552

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:44 p.m.12 views

EUVD-2026-36551

MISP contains an insecure default configuration in which the Security.checksecfetchsiteheader control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...

7.1CVSS5.3AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:34 p.m.10 views

EUVD-2026-36550

An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own...

7.5CVSS5.4AI score0.00229EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:32 p.m.11 views

EUVD-2026-35402

TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework...

8.7CVSS5.8AI score0.00244EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:32 p.m.14 views

EUVD-2026-35397

TYPO3 CMS has Broken Access Control in its DataHandler...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:32 p.m.16 views

EUVD-2026-35393

TYPO3 CMS has Broken Access Control in its Form Framework...

7.6CVSS5.2AI score0.00253EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:25 p.m.10 views

EUVD-2026-36549

An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership...

5.1CVSS5.2AI score0.00254EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:9 p.m.13 views

EUVD-2026-35403

TYPO3 CMS has Broken Access Control in its Media Module...

7.1CVSS5.2AI score0.00313EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:9 p.m.12 views

EUVD-2026-35401

TYPO3 CMS has Insecure Deserialization via Core API...

6.3CVSS5.2AI score0.00215EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:9 p.m.12 views

EUVD-2026-35400

TYPO3 CMS has Broken Access Control in its File Abstraction Layer...

2.1CVSS5.2AI score0.00356EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:8 p.m.15 views

EUVD-2026-35399

TYPO3 CMS has Broken Access Control in Backend API...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35398

TYPO3 CMS: Broken Access Control in Media Module...

5.3CVSS5.1AI score0.00238EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35395

TYPO3 CMS has Cross-Site Scripting in Indexed Search...

5.1CVSS5.2AI score0.00269EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 7:6 p.m.12 views

EUVD-2026-35191

TYPO3 HTML Sanitizer allows Cross-site Scripting...

2.1CVSS5.1AI score0.00282EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/12 7:5 p.m.9 views

EUVD-2026-36548

Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue...

5.3CVSS5.3AI score0.00303EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:58 p.m.12 views

EUVD-2026-36547

Actual is an open-source personal finance application. In the macOS desktop application version 25.x built on Electron 39.2.7, the ELECTRONRUNASNODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary wit...

4.8CVSS5.6AI score0.00126EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:51 p.m.10 views

EUVD-2026-36546

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery SSRF vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the...

6.3CVSS5.5AI score0.0016EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:50 p.m.8 views

EUVD-2026-36545

Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule DNS resolution + public IP check, but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation...

7.7CVSS5.3AI score0.00263EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:44 p.m.10 views

EUVD-2026-36544

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can...

8.7CVSS5.3AI score0.00359EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 6:42 p.m.9 views

EUVD-2026-36543

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

9.1CVSS5.3AI score0.004EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:35 p.m.40 views

EUVD-2026-36541

Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2...

8.8CVSS5.8AI score0.00351EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 6:29 p.m.15 views

EUVD-2026-32913

pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams...

5.1CVSS5.1AI score0.00124EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/12 6:29 p.m.11 views

EUVD-2026-32914

pypdf: Possible large memory usage for large offsets for layout mode text...

5.5CVSS5.1AI score0.00127EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/12 6:28 p.m.12 views

EUVD-2026-32588

Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL...

8.1CVSS5.2AI score0.00257EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:28 p.m.9 views

EUVD-2026-32589

Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema...

7.5CVSS5.2AI score0.00224EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:28 p.m.14 views

EUVD-2026-32590

Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign...

9CVSS5.2AI score0.00292EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:27 p.m.13 views

EUVD-2026-32605

Budibase: Unvalidated VectorDB Host Parameter Enables SSRF...

5.3CVSS5.2AI score0.00226EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:24 p.m.15 views

EUVD-2026-36538

During WiFi association, Naxclow device firmware prints the host network’s SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits...

5.1CVSS5.3AI score0.00171EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:23 p.m.12 views

EUVD-2026-32606

Budibase: Unanchored Regex in matchers.ts Allows CSRF Bypass via Query String Injection in Budibase Worker...

6.5CVSS5.2AI score0.00115EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:22 p.m.11 views

EUVD-2026-36536

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary postid to POST /admin/posttype//drafts and overwrite the draft associated with another user's post...

5.1CVSS5.4AI score0.00215EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:22 p.m.10 views

EUVD-2026-36535

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains...

8.7CVSS5.2AI score0.00584EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 6:21 p.m.11 views

EUVD-2026-36534

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL...

6.9CVSS5.2AI score0.00291EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 6:21 p.m.12 views

EUVD-2026-36533

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water...

6.9CVSS5.3AI score0.00221EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:17 p.m.12 views

EUVD-2026-36532

Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated...

6.9CVSS5.2AI score0.00233EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:13 p.m.10 views

EUVD-2026-36531

A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can...

8.8CVSS5.4AI score0.00312EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:11 p.m.10 views

EUVD-2026-36530

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

4.3CVSS5.2AI score0.00183EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:10 p.m.10 views

EUVD-2026-36529

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...

8.7CVSS5.5AI score0.00306EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:9 p.m.14 views

EUVD-2026-36528

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary...

7.2CVSS5.2AI score0.00104EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 6:8 p.m.11 views

EUVD-2026-36527

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitra...

6.1CVSS5.3AI score0.00108EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 6:7 p.m.52 views

EUVD-2026-36526

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...

9.2CVSS5.2AI score0.00281EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:3 p.m.12 views

EUVD-2026-36525

Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys,...

9.8CVSS5.4AI score0.0033EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 5:57 p.m.9 views

EUVD-2026-36523

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

8.1CVSS5.3AI score0.00211EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 5:56 p.m.13 views

EUVD-2026-36522

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access...

8.1CVSS5.3AI score0.00231EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 5:52 p.m.12 views

EUVD-2026-36521

Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access...

7.8CVSS5.3AI score0.0008EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 5:35 p.m.15 views

EUVD-2026-36520

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrepsstreceiveaddress or wsrepsstdonor global system...

8CVSS5.5AI score0.00967EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 5:34 p.m.15 views

EUVD-2026-36519

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. No...

8CVSS5.8AI score0.00654EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 5:34 p.m.10 views

EUVD-2026-36518

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privileg...

5CVSS5.2AI score0.00399EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 5:34 p.m.9 views

EUVD-2026-36517

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysqlrealescapestring and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections,...

6.9CVSS5.5AI score0.00419EPSS
Exploits0References2
Total number of security vulnerabilities418955