Lucene search
K

364744 matches found

NVD
NVD
added 13 minutes ago1 views

CVE-2026-42952

Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack...

8.7CVSS
Exploits0References3
NVD
NVD
added 13 minutes ago1 views

CVE-2026-44383

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend...

8.7CVSS
Exploits0References3
NVD
NVD
added 13 minutes ago1 views

CVE-2026-55175

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...

7.5CVSS
Exploits0References11
NVD
NVD
added 13 minutes ago1 views

CVE-2026-14286

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

Exploits0
NVD
NVD
added 13 minutes ago1 views

CVE-2026-14480

OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow. The application stores an attacker‑supplied filename progfile directly into the Programs.File database field and later uses this value as the destination path for an...

9.9CVSS
Exploits0References2
NVD
NVD
added 13 minutes ago1 views

CVE-2026-15086

vulnerability in Drupal Raw Formatter Meta Tag Formatter allows . This issue affects Raw Formatter Meta Tag Formatter versions:...

Exploits0References1
NVD
NVD
added 13 minutes ago1 views

CVE-2026-15087

vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions:...

Exploits0References1
NVD
NVD
added 13 minutes ago1 views

CVE-2026-15089

vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions:...

Exploits0References1
NVD
NVD
added 13 minutes ago1 views

CVE-2026-20744

The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation...

9.8CVSS
Exploits0References3
NVD
NVD
added 13 minutes ago1 views

CVE-2026-11913

vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions:...

Exploits0References1
NVD
NVD
added 13 minutes ago1 views

CVE-2026-11914

vulnerability in Drupal Composer allows . This issue affects Composer versions:...

Exploits0References1
NVD
NVD
added 13 minutes ago1 views

CVE-2026-11915

vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions:...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-58590

Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-58589

Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0...

Exploits0References1
NVD
NVD
added 1 hour ago2 views

CVE-2026-58588

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting XSS. This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-58591

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Colorbox allows Cross-Site Scripting XSS. This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-59155

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud...

6.9CVSS
Exploits0References3
NVD
NVD
added 1 hour ago3 views

CVE-2026-55882

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memor...

8.3CVSS
Exploits0References4
NVD
NVD
added 1 hour ago4 views

CVE-2026-55883

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websockettoken endpoint and the upgrader accepts clients that omit an Origin...

8.3CVSS
Exploits0References4
NVD
NVD
added 1 hour ago4 views

CVE-2026-58503

Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...

6.9CVSS
Exploits0References7
NVD
NVD
added 1 hour ago3 views

CVE-2026-57584

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...

8.7CVSS
Exploits0References4
NVD
NVD
added 1 hour ago4 views

CVE-2026-55884

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can...

9.2CVSS
Exploits0References4
NVD
NVD
added 1 hour ago3 views

CVE-2026-58587

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting XSS. This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-55187

Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classification helpers and does not block IPv6 transition mechanisms...

5.8CVSS
Exploits0References3
NVD
NVD
added 1 hour ago4 views

CVE-2026-55807

Server-Side Request Forgery SSRF vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-55806

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-55809

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...

Exploits0References1
NVD
NVD
added 1 hour ago2 views

CVE-2026-55803

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-55804

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-55808

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal core allows Cross-Site Scripting XSS. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0....

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-55852

Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0...

8.6CVSS
Exploits0References9
NVD
NVD
added 1 hour ago4 views

CVE-2026-55810

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-47422

Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2...

5.3CVSS
Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-48127

Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as addattachments. This issue is fixed in versions 16.20.0 and 15.110.0...

5.3CVSS
Exploits0References9
NVD
NVD
added 1 hour ago3 views

CVE-2026-49394

Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...

7.1CVSS
Exploits0References6
NVD
NVD
added 1 hour ago3 views

CVE-2026-54736

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...

8.2CVSS
Exploits0References5
NVD
NVD
added 1 hour ago2 views

CVE-2026-49844

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: wh...

6.3CVSS
Exploits0References4
NVD
NVD
added 1 hour ago4 views

CVE-2026-49213

TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because validateIPAddress blocks local, metadata, and private ranges but does not block :: or its expanded form. ...

8.1CVSS
Exploits0References4
NVD
NVD
added 1 hour ago3 views

CVE-2026-52747

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...

8.6CVSS
Exploits0References3
NVD
NVD
added 1 hour ago3 views

CVE-2026-52761

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in src/actions/transformations/utf8tounicode.cc produces wrong output on i386 architecture because snprintf uses sizeof on a...

5.8CVSS
Exploits0References3
NVD
NVD
added 1 hour ago4 views

CVE-2026-15083

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-42219

Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via downloadbackups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0...

6.9CVSS
Exploits0References9
NVD
NVD
added 1 hour ago4 views

CVE-2026-44795

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading...

8.8CVSS
Exploits0References4
NVD
NVD
added 1 hour ago3 views

CVE-2026-41482

Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3...

7.1CVSS
Exploits0References6
NVD
NVD
added 1 hour ago3 views

CVE-2026-15084

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal UI Patterns SDC in Drupal UI allows Stored XSS. This issue affects UI Patterns SDC in Drupal UI versions: from 2.0.0 to 2.0.17...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-15085

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3...

Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-47199

Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, checksafesqlquery permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in...

2.3CVSS
Exploits0References7
NVD
NVD
added 1 hour ago3 views

CVE-2026-13239

Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0...

Exploits0References1
NVD
NVD
added 1 hour ago2 views

CVE-2026-13241

Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0...

Exploits0References1
NVD
NVD
added 1 hour ago4 views

CVE-2026-15082

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Siteimprove Analytics allows Cross-Site Scripting XSS. This issue affects Siteimprove Analytics versions: from 0.0.0 to 2.0.1...

Exploits0References1
Total number of security vulnerabilities364744