Lucene search
K

418769 matches found

EUVD
EUVD
added 2 hours ago5 views

EUVD-2026-42409

libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays...

7.5CVSS6.1AI score0.00446EPSS
Exploits0References5
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42902

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agentsfile parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen...

9.4CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42900

PraisonAI pip package praisonaiagents before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow.resolvepydanticclass src/praisonai-agents/praisonaiagents/workflows/workflows.py. When a workflow step uses a string outputpydantic reference, the framework locates and imports...

8.5CVSS6.3AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42903

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42905

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 fails to sanitize SVG files uploaded through the POST /api/v1/media endpoint. The HandlesMediaUploads::processUploadedFile method validates only the file extension and never invokes Security::sanitizeSVG, so an authenticated attacker with t...

5.1CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42915

In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible...

3.5CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42901

PraisonAI Platform praisonai-platform before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete permission only against the caller-selected URL issue. A workspace member who cannot delete a...

7.1CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42899

PraisonAI versions before 4.6.78 contain an allowlist bypass vulnerability in shell command execution that allows attackers to execute restricted commands via find's built-in -exec, -execdir, and -delete actions. Attackers can craft find commands with these built-in actions to read blocked files,...

8.8CVSS6.3AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42904

Grav before 2.0.1 contains a decompression bomb vulnerability in ZipArchiver::extract that lacks limits on uncompressed size, file count, and nesting depth. Attackers can supply a crafted ZIP archive that expands to fill available disk space, causing denial of service by exhausting storage...

7.1CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42894

PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft single or double-vector prompt injections that are...

6.9CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42897

PraisonAI before 4.6.78 contains a path traversal vulnerability in ContextGatherer that fails to validate include paths in .praisoncontext and .praisoninclude files. Attackers can supply absolute paths or parent directory traversal sequences to read arbitrary files outside the workspace and inclu...

6.8CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42895

PraisonAI pip package praisonaiagents before 1.6.78 automatically loads defaults from a project-local .praisonai/config.toml when constructing an Agent, and does not validate the defaults.output.outputfile path. A repository-controlled config file can set outputfile to an absolute or '..' travers...

6.9CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42909

In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible...

3.5CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42912

In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data...

7.3CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42913

In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible...

8.1CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42911

In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration...

8.8CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42914

In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks...

8.1CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42898

PraisonAI praisonaiagents before 1.6.78 contains a path traversal vulnerability in the FastContext feature praisonaiagents.context.fast. FastContextAgent.executetool prepends the configured workspacepath only for relative paths and neither rejects absolute paths nor canonicalizes joined paths...

6.9CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42893

n8n before 2.28.0 and before 1.123.58 on the 1.x branch contains a disk space exhaustion vulnerability in the data-table file upload endpoint. The per-request quota check does not account for files already written to the shared temporary directory, allowing an authenticated user to repeatedly...

5.3CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42896

PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhookurl parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a...

7.2CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42910

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible...

9.6CVSS6.4AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42887

n8n before 1.123.24, 2.10.4, and 2.12.0 across its 1.x and 2.x branches contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions...

5.1CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42889

ImageMagick before 7.1.2-15 contains a use-after-free vulnerability in the PDB decoder that uses a stale pointer when memory allocation fails. Attackers can trigger this vulnerability by processing malicious PDB files to cause crashes or write a single zero byte to freed memory...

6.3CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42892

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive draft or review-only FAQ content. Specifically, GET /api/v3.1/faq/categoryId/faqId returns the inactive FAQ title and...

6.9CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42885

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview...

6.4CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42886

Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API keys can directly mutate protected channel configuration fields through PostgREST by exploiting a null authentication check in the immutability trigger. Attackers with write API keys can modify sensitive...

7.1CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42888

ImageMagick before 7.1.2-18 contains a memory leak vulnerability in the META reader when processing APP1JPEG input paths. Attackers can trigger this memory leak by providing specially crafted APP1JPEG image files, causing denial of service through resource exhaustion...

4.8CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42890

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches...

9.8CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42891

phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML containing crafted image paths that are processed during PDF generation. The path...

5.1CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago4 views

EUVD-2026-42875

Dell Unisphere for PowerMax, versions 10.3.0.5 and prior contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access...

5.3CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42879

In @capgo/capacitor-updater Cap-go/capgo before 12.128.2, the end-to-end encryption scheme distributes the private key to each device that downloads the app. Because the public key can be derived from the private key, an attacker performing a man-in-the-middle attack or compromising the Capgo...

8.3CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42883

Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bund...

5.4CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42882

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42906

Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads...

8.2CVSS6.3AI score
Exploits1References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42907

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an...

8.1CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42884

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42874

Dell Unisphere for PowerMax, versions 10.3.0.5 and prior, contains a Deserialization of Untrusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges...

8.8CVSS6.3AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42880

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42881

Capgo before 12.128.2 contains an information disclosure vulnerability in the getorgsv7userid RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users' organization membership, roles,...

8.7CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42908

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42929

9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy ca...

7.4CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42927

A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...

9.3CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 hours ago3 views

EUVD-2026-42925

A vulnerability has been found in Eleveo Call Recording Software 9.7.0. This impacts an unknown function of the file /callrec/usersldap.jsp of the component LDAP User Interface. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed ...

5.3CVSS5.6AI score
Exploits0References5
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42924

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chatpipeline/step/chatstep/impl/basechatstep.py do not consistently validate MCP transport type, allowing an...

8.8CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42923

A flaw has been found in Eleveo Call Recording Software 9.7.0. This affects an unknown function of the file /callrec/roleAddAction.do of the component Group Interface. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been...

6.5CVSS6.3AI score
Exploits0References5
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42922

A user with Editor permissions can craft a dashboard whose table TableNG panel contains a malicious field name that executes as a script in the browser of any user who views the dashboard stored cross-site scripting...

6.8CVSS6AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42921

An unauthenticated attacker can repeatedly call Grafana's OAuth login route with unique values, causing unbounded memory growth that can eventually exhaust memory and crash the Grafana instance denial of service...

5.3CVSS6.1AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42920

Several Grafana API endpoints, some of them unauthenticated, do not limit the size of the request body before processing it. An attacker can send very large payloads that force excessive memory allocation, potentially exhausting memory and causing a denial of service...

7.5CVSS6.1AI score
Exploits0References1
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42919

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the processes table targeting a maliciously crafted process, due to uncheck...

7CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-42918

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, on Windows, a local unprivileged attacker can cause a heap buffer out-of-bounds write if there is a query of the authenticode table targeting a maliciously crafted binary, due to...

7CVSS6.2AI score
Exploits0References4
Total number of security vulnerabilities418769