Lucene search
K

418139 matches found

EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42275

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes. When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a...

7.5CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42274

App::Ack versions before 3.10.0 for Perl allow memory exhaustion via an unbounded context value in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The -B and -C context options accepted any positive integer, and ack...

7.5CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42273

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file://...

8.7CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42272

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS6AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42288

App::Ack versions through 3.10.0 for Perl read arbitrary files via --files-from in a project .ackrc. ack searches up the directory hierarchy from the current directory for a project .ackrc and loads its options. The project-source option blocklist in App::Ack::ConfigLoader does not include...

7.5CVSS6AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42287

Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/service endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and...

8.1CVSS5.9AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42286

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated...

4.3CVSS5.9AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42285

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS6AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago2 views

EUVD-2026-42284

Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltration...

8.8CVSS6.2AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42283

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the...

6.3CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago2 views

EUVD-2026-42282

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK snowpark-python versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database...

9.6CVSS6.2AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42281

A vulnerability was determined in Harness up to 2.28.2. This vulnerability affects the function getAuthorizedSpaces of the file app/api/controller/gitspace/listall.go of the component gitspaces Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotel...

5.3CVSS5.6AI score
Exploits0References6
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42280

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Progress MOVEit Transfer Ad Hoc module. This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8...

8CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42279

Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...

7.5CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42278

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...

7.2CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago1 views

EUVD-2026-42277

In Adalo’s no-code app builder, Versions 1 and 2 the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing...

5.9AI score
Exploits0References1
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42276

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...

6AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-42271

A vulnerability was found in bentoml OpenLLM 0.6.30. This affects the function asyncruncommand of the file src/openllm/common.py of the component Model Repository Directory Name Handler. Performing a manipulation of the argument cmd results in command injection. Attacking locally is a requirement...

5.3CVSS5.8AI score
Exploits0References7
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42270

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS5.7AI score
Exploits0References3
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42269

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated ... expression values directly into the raw SQL string without parameterization. When a workflow uses...

5.3CVSS6.3AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-42268

n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical...

5.3CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago2 views

EUVD-2026-42267

Grav before 2.0.0 affected through 2.0.0-rc.9 and the 2.0 branch contains a stored CSS injection vulnerability in the Markdown image resize media action. Prior media hardening rejects direct ?style= payloads and unsafe attribute fallbacks, but the resize action in Excerpts::processMediaActions...

4.8CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42266

Grav API plugin before v1.0.0-rc.16 accepts JWT tokens via the ?token= URL query parameter and responds with Access-Control-Allow-Origin: , allowing unauthenticated attackers to make fully authenticated cross-origin API requests from any malicious website. Attackers who obtain a leaked JWT token...

8.7CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42265

The Grav API plugin getgrav/grav-plugin-api 1.0.0 contains an unrestricted file upload vulnerability in the avatar upload endpoint /api/v1/users/user/avatar. The endpoint validates only the client-declared MIME type getClientMediaType beginning with 'image/' and does not inspect the actual file...

5.3CVSS6.7AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42264

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execution retry endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a shared workflow can use the Public API to ret...

6.4CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago2 views

EUVD-2026-42262

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization vulnerability in three mutating evaluation test-run endpoints that authorize state-changing actions using the workflow:read scope instead of the action-appropriate workflow:execute scope. On instances using Advanced Permissions...

5.4CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42263

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/workflowId/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real...

7.4CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42261

Wazuh wazuh-modulesd before 5.0.0-beta3 contains a null pointer dereference vulnerability in inventorysync FlatBuffer DataValue handling. An enrolled agent can send a verifier-valid DataValue message omitting the optional id field, causing wazuh-modulesd to crash when dereferencing...

7.1CVSS6AI score
Exploits0References3
EUVD
EUVD
added 3 hours ago2 views

EUVD-2026-42260

ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or information disclosure...

4.8CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42259

ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a heap-buffer-overflow read affecting a...

3.3CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago2 views

EUVD-2026-42258

n8n before versions 1.123.18 and 2.6.2 fails to verify HMAC-SHA256 signatures on Zendesk webhooks in the ZendeskTrigger node. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary malicious data...

6.3CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42256

Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files...

5.3CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42257

n8n before 2.8.0 contains a cross-site scripting vulnerability in the credential management flow where authenticated users can inject malicious JavaScript URLs into OAuth2 credential Authorization URL fields. Attackers can craft malicious credentials and trick victims into clicking the OAuth...

5.4CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42255

FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcmanchannelclose and dvcmancallonreceive due to improper synchronization of channelcallback access. A malicious RDP server can trigger a race condition by sending DYNVCDATA and DYNVCCLOSE messages concurrently, causing...

8.3CVSS6.6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42254

Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...

5.4CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42252

Capgo before 12.128.2 contains an html injection vulnerability in the organization settings endpoint that allows attackers to inject malicious HTML content. Attackers can craft payloads in the organization name field to redirect users to untrusted websites, enabling phishing attacks and...

5.4CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago2 views

EUVD-2026-42253

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.gettotalmetricsorgid, which is callable by the anon role using only the public sbpublishable key. An unauthenticated attacker can probe organization existence and leak...

6.9CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42251

Flowise before 3.1.0 contains a path traversal vulnerability in Faiss and SimpleStore vector store implementations that accept unsanitized basePath parameters from authenticated users. Attackers with valid API tokens can write vector store data to arbitrary filesystem locations, potentially...

6.5CVSS6.5AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-42249

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...

8.1CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42250

Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable appversions.r2path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2path to point to victim objects, soft-delete the attacker-controlled version, and trigger the...

8.7CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42248

Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...

8.7CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42247

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3path values that are served to device...

7.1CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42246

Capgo before 12.128.2 contains a policy bypass vulnerability in appversions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the appversions table via PostgREST to clear sessionkey...

5.3CVSS6AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-42245

Tanium addressed a denial of service vulnerability in Tanium Server...

7.5CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago2 views

EUVD-2026-42244

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an improper limitation of a pathname to a restricted directory 'path...

2.7CVSS6AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-42243

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Integer overflow or wraparound vulnerability. An unauthenticated attacker...

7.5CVSS6AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago4 views

EUVD-2026-42242

Omnissa Workspace ONE® Tunnel for Windows addresses a Local Privilege Escalation Vulnerability...

7.8CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42241

MISP’s importModule path used getEnabledModule to resolve a single import module by name, but this lookup did not enforce the per-organisation module restriction checked by getEnabledModules. As a result, an authenticated user from an organisation that was not allowed to use a module restricted v...

5.3CVSS5.9AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42240

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Incorrect Authorization vulnerability. A low privileged attacker with...

8.8CVSS6AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42239

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS6AI score
Exploits0References1
Total number of security vulnerabilities418139