CVE-2026-47896
The CVE-2026-47896 entry concerns Apache Lucene.Net.Replicator. Affected versions are 4.8.0-beta00005 through 4.8.0-beta00017, with a fix in 4.8.0-beta00018. The root cause is an improper limitation of a pathname to a restricted directory, i.e., a path traversal vulnerability. The CVE record on C...
CVE-2026-47897
CVE-2026-47897 is a path traversal vulnerability in Apache Lucene.Net.Replicator. Affected: Lucene.Net.Replicator library (versions from 4.8.0-beta00005 up to, but not including, 4.8.0-beta00018). Root cause: improper limitation of a pathname to a restricted directory, enabling potential access to restr...
CVE-2026-47898
CVE-2026-47898 is an XXE vulnerability in Apache Lucene.Net, specifically in the Lucene.Net.Analysis.Common library. Affected versions are 4.8.0-beta00005 up to, but not including, 4.8.0-beta00018. The root cause is improper restriction of XML External Entity references. Successful exploitation could arise fr...
CVE-2026-8804
The CVE concerns Puppet’s resource_api (bundled with Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x). A vulnerability exists where the sensitive flag on parameters defined via the resource-api is not preserved, causing values such as passwords to be stored in cleartext in the agent’s l...
CVE-2026-14544
CVE-2026-14544 concerns HPLIP (HP Linux Imaging and Printing Software) with an integer overflow in the hpcups processing path when handling specially crafted print data. This is described as an incomplete fix for CVE-2026-8631. The vulnerability may allow a remote attacker to escalate privileges ...
CVE-2026-9148
The Comments – wpDiscuz plugin for WordPress (affected: versions up to 7.6.56) is vulnerable to Stored XSS via the guest commenter field Website. The root cause is insufficient output escaping in getCommentAuthor(), which interpolates the stored comment_author_url directly into single-quoted HTML...
CVE-2026-9230
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress
CVE-2026-8351
CVE-2026-8351 concerns the RTMKit plugin for WordPress, vulnerable up to version 2.0.7. The flaw is a Stored Cross-Site Scripting in the Advanced Heading widget via the 'Background Text' parameter. The render() function concatenates the value directly into an HTML attribute without applying esc_a...
CVE-2026-51535
Technical details for CVE-2026-51535 are not publicly available in the provided documents. No affected products, versions, or fixes are listed. Monitor for updates.
CVE-2026-9547
CVE-2026-9547 describes an SSH host-validation flaw in libcurl: when a libcurl-based application uses SCP/SFTP with CURLOPT_SSH_KEYFUNCTION, a host key type mismatch may be silently accepted, allowing a connection to succeed without warning and enabling potential man-in-the-middle attacks. The is...
CVE-2026-9546
CVE-2026-9546 details (libcurl): A vulnerability causes the HTTP Referer header to persist after CURLOPT_REFERER is set to NULL, due to failure to clear internal per-handle state. As a result, the previous referrer can be reused in subsequent requests, potentially leaking sensitive data to uninten...
CVE-2026-9545
CVE-2026-9545 describes an information disclosure in curl/libcurl when using HTTP/3 early data with a cached SSL session. In the scenario, a site is initially served by a legitimate HTTP/3 server, but on a second transfer to the same hostname the connection is constructed to a counterfeit host (i...
CVE-2026-9080
CVE-2026-9080 is a use-after-free in libcurl triggered when curl_easy_pause() is called from a socket callback (CURLMOPT_SOCKETFUNCTION). The event-path code re-enters the eviction/assessment flow and may free the associated sh_entry; the fix added a post-callback re-fetch of that entry in mev_sh...
CVE-2026-9079
CVE-2026-9079 concerns libcurl: when instructed to clear proxy authentication credentials, it failed to do so, leaving the old credentials in place and potentially reused in subsequent transfers that should not know or use them. The description across multiple sources consistently states this cre...
CVE-2026-8932
libcurl (client library) is affected by CVE-2026-8932 due to incomplete mTLS config matching in the connection reuse logic. The vulnerability arises because TLS settings related to client certificates, notably the private key, were omitted from the configuration match checks, allowing a previousl...
CVE-2026-8927
CVE-2026-8927 affects libcurl: when reusing a handle for sequential transfers driven by environment-variable proxies, the proxy authentication state is not cleared between requests, causing leakage of the Proxy-Authorization header from an initial proxy (proxyA) to a subsequent proxy (proxyB). Af...
CVE-2026-8926
Curl 8.x is affected by CVE-2026-8926: when using a .netrc file to locate credentials and specifying a URL containing a username (without a password), curl could leak the password for another user configured in the same host’s .netrc file if there is no exact user match. The vulnerability concern...
CVE-2026-8925
The CVE-2026-8925 issue in curl is a SASL double-free where the GSASL context can be freed twice due to cleanup without clearing the pointer in between. This is specifically tied to curl’s SASL authentication path and can lead to a denial of service or arbitrary code execution in affected builds....
CVE-2026-8924
CVE-2026-8924 affects curl due to a flaw in its cookie parsing logic. A malicious HTTP server can set “super cookies” that bypass the Public Suffix List, allowing an attacker-controlled origin to inject cookies that curl scopes and transmits to unrelated third-party domains. The connected documen...
CVE-2026-8458
CVE-2026-8458 affects libcurl. When performing Negotiate-authenticated requests, a logical error can cause libcurl to reuse a connection to the same server that was authenticated under a different service. The issue arises from libcurl’s connection pool reusing “recent connections” and failing to ensure mat...