Lucene search
K

364067 matches found

NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-5922

The IP phone might use malicious input stored in configuration parameters and render it as content for the WebUI’s webpage...

5.9CVSS
Exploits0References1
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-55878

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative accepts paths like ../../../etc, a crafted or...

7.8CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-5923

Malicious use of a stolen cookie might allow modifications to the contents of the IP phone’s webpage...

6CVSS
Exploits0References1
NVD
NVD
•added 58 minutes ago•3 views

CVE-2026-51535

In OpENer 2.3.0 commit 76b95cf, a resource exhaustion Denial of Service vulnerability exists in its network processing loop...

Exploits0References2
NVD
NVD
•added 58 minutes ago•5 views

CVE-2026-55830

RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Prior to 8.3, checkfunctionargumentnames rejected protected guard hook names for regular, variadic, and keyword-only arguments but omitted...

8.3CVSS
Exploits0References2
NVD
NVD
•added 58 minutes ago•3 views

CVE-2026-55849

@cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects. From 2.1.0 before 5.0.0, the CLI passes user-supplied --workspace values to a subshell without proper sanitization when npmexecpath is unset or empty, allowing arbitrary OS command execution with the privileg...

8.5CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-52200

An issue in Generic OEM UZ801v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk...

Exploits0References2
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-54777

CoreWCF is a port of the service side of Windows Communication Foundation WCF to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF NetNamedPipe transport accepts attachment to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic when an attacker races NamedPipeListen...

6.5CVSS
Exploits0References5
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-55470

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, the fix for CVE-2026-45367 incompletely patched the DSTU2 module, leaving FHIRPathEngine.matches in org.hl7.fhir.dstu2/utils/FHIRPathEngine.java to call raw String.matchessw...

7.5CVSS
Exploits0References3
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-55471

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform... overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl without ACCESSEXTERNALDTD or ACCESSEXTERNALSTYLESHEET...

8.7CVSS
Exploits0References3
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-55877

Symfony UX is a JavaScript ecosystem for Symfony. From 2.17.0 before 2.36.1 and from 3.0.0 before 3.2.0, the uxicon Twig function is marked issafe='html' and Icon::toHtml inlines SVG source verbatim, allowing unsanitized local SVG files or Iconify on-demand JSON body responses containing nested...

6.1CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-39178

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the search parameter of the allContactSearch endpoint...

Exploits0References2
NVD
NVD
•added 58 minutes ago•5 views

CVE-2026-44024

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the $tag placeholder, and insufficient validation of $tag in file configurations such as the path...

9.8CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-44025

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related...

7.5CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-48492

Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, the GET /api/v1/object/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web...

7.1CVSS0.00018EPSS
Exploits0References2
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-39179

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality...

Exploits0References2
NVD
NVD
•added 58 minutes ago•5 views

CVE-2026-44160

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...

7.5CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-44161

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd outhttp output plugin allows placeholders such as $tag in the endpoint configuration parameter, and if a placeholder value is derived from untrusted...

7.2CVSS
Exploits0References4
NVD
NVD
•added 58 minutes ago•5 views

CVE-2026-35552

In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's...

Exploits0References2
NVD
NVD
•added 58 minutes ago•4 views

CVE-2026-31309

Improper authorization in the /tequilapi/config/user endpoint of Mysterium Node before v1.36.0 allows unauthenticated attackers to arbitrarily overwrite the node's configuration and achieve a full node takeover via supplying a crafted POST request...

Exploits0References7
NVD
NVD
•added 58 minutes ago•5 views

CVE-2026-15168

BLF file parser in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows possible information disclosure...

2.5CVSS
Exploits0References2
NVD
NVD
•added 58 minutes ago•5 views

CVE-2026-10037

A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via...

8.8CVSS
Exploits0References1
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-6896

GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser...

8.7CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-8472

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to...

4.3CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-7492

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls...

4.3CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58525

Improper access control in Microsoft Edge Chromium-based allows an unauthorized attacker to bypass a security feature over a network...

8.2CVSS
Exploits0References1
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58494

Wasmtime is a runtime for WebAssembly. Prior to 24.0.11, 36.0.12, 45.0.3, and 46.0.1, wasmtime-wasi hard-link creation and renaming check directory permissions but not matching FilePerms on source and destination preopens, allowing a WASI guest with a read-only source file capability to overwrite...

6.5CVSS
Exploits0References9
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-59818

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the...

6.5CVSS
Exploits0References9
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-60105

Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obta...

8.6CVSS
Exploits0References2
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-6352

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper...

2.7CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58191

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate...

6.5CVSS
Exploits0References1
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58192

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.joinstorageRoot, name and fs.rimraf witho...

8.6CVSS
Exploits0References4
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58207

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal...

7.7CVSS
Exploits0References5
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58208

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a WebSocket listener could route requests for the MQTT-over-WebSocket path into MQTT handling even when MQTT was not configured, allowing an unauthenticated client with...

6.8CVSS
Exploits0References5
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-58211

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client could be registered as the configured noauthuser through a parser path used when the first client operation was not CONNECT, bypassing user-level connection...

5.4CVSS
Exploits0References1
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-57481

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS
Exploits0References7
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-55596

Plate is a rich-text editor with AI and shadcn/ui. From 53.0.0 until 53.1.4, the media embed renderer trusts serialized provider or sourceUrl metadata in useMediaState and skips parseMediaUrl protocol validation, allowing a crafted Plate document to set a known video provider while keeping url as...

8.7CVSS
Exploits0References4
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-55778

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS
Exploits0References7
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-56669

Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to 1.4.29, Elysia uses getAll in form data normalization for multipart/form-data endpoints, causing the amount of work to grow quadratically with the number of...

7.5CVSS
Exploits0References4
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-55542

Snipe-IT is an IT asset/license management system. Prior to version 8.6.1, Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns...

5.3CVSS
Exploits0References2
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-57480

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.12 and 8.6.82, deeply nested $or, $and, and $nor query condition operators in the REST API or LiveQuery query handling could trigger exponential-time processing in the...

8.7CVSS
Exploits0References7
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-49866

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronousl...

7.5CVSS
Exploits0References4
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-54590

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Version 2.23.0 contains an incomplete fix for CVE-2026-45309 in SSHServerConfig.settokens that blocks /, , and .. before %u substitution in...

5.9CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-54528

JupyterLab Git is a Git extension for JupyterLab. Prior to 0.54.0, jupyterlab-git uses fnmatch.fnmatchcase in GitHandler.prepare in jupyterlabgit/handlers.py to enforce excludedpaths, allowing an authenticated user on a case-insensitive filesystem to vary URL path casing and read excluded...

7.1CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-55206

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo.read in archiveinfo.py used an On^2 cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted...

8.7CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-54527

JupyterLab Git is a Git extension for JupyterLab. From 0.30.0b3 before 0.54.0, the PlainTextDiff.ts createHeader method passes Git filenames directly to innerHTML when rendering renamed files in commit history, allowing a crafted filename to execute JavaScript when a victim views the rename diff ...

9.3CVSS
Exploits1References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-54591

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework. Prior to 2.23.1, a malicious SSH server can write arbitrary files on the asyncssh SCP client's filesystem by sending filenames containing ../...

8.1CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-55195

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expan...

8.7CVSS
Exploits0References3
NVD
NVD
•added 1 hour ago•3 views

CVE-2026-15172

FMP/NOTIFY protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service...

5.5CVSS
Exploits0References2
NVD
NVD
•added 1 hour ago•4 views

CVE-2026-35210

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGEKNUPDATE permission to bypass Confidence Level validation and Object Marking...

7.1CVSS
Exploits0References4
Total number of security vulnerabilities364067