Lucene search
K
OsvMost viewed

907650 matches found

OSV
OSV
added 2021/07/01 12:0 a.m.61 views

ASB-A-143230980

In queryInternal of CallLogProvider.java, there is a possible permission bypass due to improper input validation. This could lead to local information disclosure of voicemail metadata with User execution privileges needed. User interaction is not needed for exploitation...

3.3CVSS3.6AI score0.00149EPSS
Exploits0References1
OSV
OSV
added 2021/06/16 5:47 p.m.61 views

GHSA-QJWC-V72V-FQ6R HTTP request smuggling in Undertow

A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS...

4.8CVSS6.2AI score0.01119EPSS
Exploits0References4
OSV
OSV
added 2021/06/02 4:15 p.m.61 views

PYSEC-2021-137

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2kugrayala...

9.1CVSS2.3AI score0.02876EPSS
Exploits0References4
OSV
OSV
added 2021/05/10 12:0 a.m.61 views

DLA-2653-1 libxml2 - security update

Bulletin has no description...

8.8CVSS7.4AI score0.0828EPSS
Exploits1
OSV
OSV
added 2021/05/06 3:45 p.m.61 views

GHSA-79JW-6WG7-R9G4 Use of Potentially Dangerous Function in mixme

Impact In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate and merge functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denia...

7.1CVSS7.7AI score0.01955EPSS
Exploits0References3
OSV
OSV
added 2020/11/03 12:26 p.m.61 views

RLSA-2020:4676 Moderate: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update

Kernel-based Virtual Machine KVM offers a full virtualization solution for Linux on numerous hardware platforms. The virt:Rocky Linux module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting wi...

8.8CVSS7.5AI score0.04027EPSS
Exploits2References27
OSV
OSV
added 2019/01/12 2:29 a.m.61 views

CVE-2018-20699

Docker Engine before 18.09 allows attackers to cause a denial of service dockerd memory consumption via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemonunix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go...

4.9CVSS6.5AI score
Exploits0References3
OSV
OSV
added 2017/10/04 1:29 a.m.61 views

CVE-2017-12617

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted...

8.1CVSS7AI score0.99988EPSS
Exploits23References45
OSV
OSV
added 2016/12/01 12:0 a.m.61 views

DLA-728-1 tomcat6 - security update

Bulletin has no description...

9.8CVSS7.7AI score0.90338EPSS
Exploits12
OSV
OSV
added 2015/04/26 12:0 a.m.61 views

DSA-3237-1 linux - security update

Bulletin has no description...

9.3CVSS6.8AI score0.10108EPSS
Exploits1
OSV
OSV
added 2014/06/05 12:0 a.m.61 views

DSA-2950-1 openssl - security update

Bulletin has no description...

7.4CVSS7.2AI score0.99977EPSS
Exploits13
OSV
OSV
added 2011/09/29 12:0 a.m.61 views

DSA-2313-1 iceweasel - several

Bulletin has no description...

10CVSS9.6AI score0.05368EPSS
Exploits1
OSV
OSV
added 2009/08/26 12:0 a.m.61 views

DSA-1871-2 wordpress - regression fix

Bulletin has no description...

10CVSS8.7AI score0.10503EPSS
Exploits21
OSV
OSV
added 2008/03/28 12:0 a.m.61 views

DSA-1534-1 iceape

Bulletin has no description...

9.3CVSS9.8AI score0.06055EPSS
Exploits3
OSV
OSV
added 2006/07/23 12:0 a.m.61 views

DSA-1120 mozilla-firefox - several vulnerabilities

Bulletin has no description...

9.3CVSS6.8AI score0.07251EPSS
Exploits0
OSV
OSV
added 2003/04/17 12:0 a.m.61 views

DSA-288 openssl - several vulnerabilities

Bulletin has no description...

7.5CVSS8.4AI score0.06393EPSS
Exploits0
OSV
OSV
added 2026/05/19 3:40 p.m.60 views

GHSA-XMPW-2VMM-P4P6 Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Impact On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai 0.10.1 to PyPI. Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026. Security researchers identified the malicious package within approximately 2 hours ...

9.6CVSS5.8AI score0.00276EPSS
Exploits0References6
OSV
OSV
added 2026/05/12 12:19 a.m.60 views

MAL-2026-3435 Malicious code in @squawk/airport-data (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a12035131eafd29a07572751653f857706ac1b113fcbd498a70f54d96d5276cc The package @squawk/airport-data was found to contain malicious code. Source: ghsa-malware...

5.8AI score
Exploits0References6
OSV
OSV
added 2026/05/11 6:6 p.m.60 views

EEF-CVE-2026-43969 Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

Summary Improper Neutralization of CRLF Sequences 'CRLF Injection' vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cowcookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value...

2.1CVSS6AI score0.00145EPSS
Exploits0References3
OSV
OSV
added 2024/09/11 3:31 p.m.60 views

GHSA-8259-2X72-2GVC Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity expiry, not-before, issuance date, which can allow an attacker to bypass the check for token expiration. The issue requires to have ...

7.3CVSS8.1AI score0.00407EPSS
Exploits0References7
OSV
OSV
added 2024/08/30 8:0 a.m.60 views

OPENSUSE-SU-2024:0269-1 Security update for trivy

trivy was updated to fix the following issues: Update to version 0.54.1: fixflag: incorrect behavior for deprected flag --clear-cache backport: release/v0.54 7285 fixjava: Return error when trying to find a remote pom to avoid segfault backport: release/v0.54 7283 fixplugin: do not call GitHub...

8.8CVSS7.6AI score0.00973EPSS
Exploits1References6
OSV
OSV
added 2024/08/21 4:3 p.m.60 views

GO-2022-0986 Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker

Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker...

8.8CVSS8.6AI score0.00702EPSS
Exploits0References3
OSV
OSV
added 2024/05/06 1:4 p.m.60 views

RLSA-2024:1782 Important: bind and dhcp security update

The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS protocols. BIND includes a DNS server named; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server is operating correctly. The Dynamic Hos...

7.5CVSS7.4AI score0.99995EPSS
Exploits1References4
OSV
OSV
added 2024/04/01 2:15 a.m.60 views

CVE-2024-31033

JJWT aka Java JWT through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey method within the DefaultJwtParser class and the signWith method within the DefaultJwtBuilder class. NOTE: the vendor disputes thi...

6.8CVSS7AI score
Exploits0References4
OSV
OSV
added 2024/03/06 10:51 a.m.60 views

BIT-ELASTICSEARCH-2023-31418 Elasticsearch uncontrolled resource consumption

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and...

7.5CVSS7.3AI score0.01232EPSS
Exploits0References4
OSV
OSV
added 2024/03/05 12:0 a.m.60 views

ALSA-2024:1141 Moderate: mysql security update

MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon mysqld and many client programs and libraries. Security Fixes: mysql: InnoDB unspecified vulnerability CPU Apr 2023 CVE-2023-21911 mysql: Server: DDL unspecified vulnerability CPU Apr 2023...

7.5CVSS6.5AI score0.01782EPSS
Exploits0References152
OSV
OSV
added 2024/01/25 7:15 p.m.60 views

CVE-2023-6267

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed deserialized prior to the security constraints being evaluated and applied. This does not happen with configuration based security...

9.8CVSS9.3AI score0.00719EPSS
Exploits0References4
OSV
OSV
added 2023/11/03 2:15 p.m.60 views

CVE-2023-5088

A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead potentially overwriting the VM's boot code. This could be used, for example, by L2 guests with a virtual disk vdiskL2 stored on a virtual disk of an L1 vdiskL1...

7CVSS6.7AI score0.00231EPSS
Exploits0References8
OSV
OSV
added 2023/10/23 6:29 a.m.60 views

BIT-2023-5561

The Popup Builder WordPress plugin through 4.1.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.3CVSS5.8AI score0.03862EPSS
Exploits4References2Affected Software1
OSV
OSV
added 2023/08/18 9:50 p.m.60 views

GHSA-68XG-GQQM-VGJ8 Puma HTTP Request/Response Smuggling vulnerability

Impact Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. The following vulnerabilities are addressed by this advisory: Incorrect parsing of trailing fields in...

9.8CVSS8.5AI score0.00738EPSS
Exploits0References9
OSV
OSV
added 2023/07/11 6:44 p.m.60 views

GO-2023-1733 Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib

Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib...

7.5CVSS7.4AI score0.00864EPSS
Exploits0References1
OSV
OSV
added 2023/04/24 9:30 a.m.60 views

GHSA-4R6H-8V6P-XVW6 Prototype Pollution in sheetJS

All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files for example, exporting data to spreadsheet files are unaffected. A non-vulnerable version cannot be found via npm, as the repository...

7.8CVSS7.8AI score0.00988EPSS
Exploits1References7
OSV
OSV
added 2023/03/17 6:24 p.m.60 views

GHSA-GQ6W-Q6WH-JGGC PHAR deserialization allowing remote code execution

Description snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the fileexists function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitra...

9.8CVSS9.9AI score0.0276EPSS
Exploits2References11
OSV
OSV
added 2023/03/09 8:18 p.m.60 views

CVE-2023-27483 fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime

crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. Applications that use the Paved type's SetValue method with user provided input without proper...

5.9CVSS7.3AI score0.00798EPSS
Exploits0References4
OSV
OSV
added 2023/02/07 9:30 p.m.60 views

GHSA-26F8-X7CC-WQPC Apache Kafka Connect vulnerable to Deserialization of Untrusted Data

A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka...

8.8CVSS8.7AI score0.95302EPSS
Exploits8References6
OSV
OSV
added 2022/10/17 12:0 a.m.60 views

DLA-3152-1 glibc - security update

Bulletin has no description...

9.8CVSS6.9AI score0.05223EPSS
Exploits6
OSV
OSV
added 2022/09/21 11:15 a.m.60 views

CVE-2022-38178

By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources...

7.5CVSS2.1AI score0.02176EPSS
Exploits0References9
OSV
OSV
added 2022/08/11 1:15 a.m.60 views

CVE-2022-38150

In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible to cause the Varnish Server to assert and automatically restart through forged HTTP/1 backend responses. An attack uses a crafted reason phrase of the backend response status line. This is fixed in 7.0.3 and 7.1.1...

7.5CVSS6.6AI score
Exploits0References4
OSV
OSV
added 2022/06/26 12:0 a.m.60 views

DSA-5169-1 openssl - security update

Bulletin has no description...

10CVSS9.1AI score0.95764EPSS
Exploits1
OSV
OSV
added 2022/06/21 8:7 p.m.60 views

GHSA-Q559-8M2M-G699 Change in port should be considered a change in origin

Impact Authorization and Cookie headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the request, before containing. Previously, we...

7.7CVSS7.4AI score0.0138EPSS
Exploits0References7
OSV
OSV
added 2022/06/20 9:8 p.m.60 views

MAL-2022-6354 Malicious code in superset-websocket (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 71368c8e29fe057fcc95335932ec6248b0a21541c5be1c4f54aa8fa03167a152 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSV
OSV
added 2022/05/14 1:10 a.m.60 views

GHSA-87W9-X2C3-HRJJ Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, .jspx, .tagx, or .tld XML document containing an external entity declaration ...

4.3CVSS7.9AI score0.09487EPSS
Exploits1References29
OSV
OSV
added 2022/05/13 1:12 a.m.60 views

GHSA-H6C8-X5R3-PM88 Apache Tomcat Unrestricted file upload vulnerability

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file...

6.8CVSS8.5AI score0.1399EPSS
Exploits0References12
OSV
OSV
added 2022/05/13 12:0 a.m.60 views

DLA-3001-1 libgoogle-gson-java - security update

Bulletin has no description...

7.7CVSS7.8AI score0.1158EPSS
Exploits0
OSV
OSV
added 2022/05/09 6:15 p.m.60 views

CVE-2022-28739

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including KernelFloat and Stringtof...

7.5CVSS3.7AI score0.04127EPSS
Exploits0References15
OSV
OSV
added 2022/05/05 12:0 a.m.60 views

DSA-5131-1 openjdk-11 - security update

Bulletin has no description...

7.5CVSS6.6AI score0.03825EPSS
Exploits0
OSV
OSV
added 2022/02/28 12:0 p.m.60 views

RUSTSEC-2022-0011 Miscomputation when performing AES encryption in rust-crypto

The following Rust program demonstrates some strangeness in AES encryption - if you have an immutable key slice and then operate on that slice, you get different encryption output than if you operate on a copy of that key. For these functions, we expect that extending a 16 byte key to a 32 byte k...

7.3AI score
Exploits0References2
OSV
OSV
added 2022/02/12 12:0 a.m.60 views

DSA-5073-1 expat - security update

Bulletin has no description...

9.8CVSS8.1AI score0.04829EPSS
Exploits2
OSV
OSV
added 2022/01/26 12:0 a.m.60 views

CVE-2022-0359 Heap-based Buffer Overflow in vim/vim

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2...

6.1CVSS7.4AI score0.01339EPSS
Exploits1References13
OSV
OSV
added 2021/12/30 12:0 a.m.60 views

DLA-2871-1 lxml - security update

Bulletin has no description...

8.2CVSS7.7AI score0.02456EPSS
Exploits0
Total number of security vulnerabilities5000