VYPR

CVEs

345,054 total · page 47 of 6,902

  • CVE-2026-56079Jun 19, 2026
    risk 0.00cvss epss 0.00

    Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhook_deliveries endpoints to…

  • CVE-2026-56073Jun 19, 2026
    risk 0.00cvss epss 0.00

    Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark…

  • CVE-2026-55650Jun 19, 2026
    risk 0.00cvss epss

    ## Summary A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using `dangerouslySetInnerHTML` ### Steps to Reproduce 1. Create a new dashboard. 2. Add a **Text widget**. 3.…

  • CVE-2026-55447criJun 19, 2026
    risk 0.52cvss epss 0.00

    ### Summary All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`FileComponent`) 4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`) 5.…

  • CVE-2026-55446higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Summary An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. ### Details…

  • CVE-2026-55423Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. ### Details Not in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf`…

  • CVE-2026-55255criKEVJun 19, 2026
    risk 0.64cvss epss 0.01

    ## Summary Insecure Direct Object Reference (IDOR) vulnerability in `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. ## Details The vulnerability exists in the…

  • CVE-2026-55206Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.__init__() — no extraction is needed.…

  • CVE-2026-55195Jun 19, 2026
    risk 0.00cvss epss 0.00

    py7zr's `Worker.decompress()` extracts archive entries without tracking total decompressed size. A crafted `.7z` file can exhaust disk or memory before the extraction completes. Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio). **Proof of concept:** ```python…

  • CVE-2026-55187Jun 19, 2026
    risk 0.00cvss epss 0.00

    ## Summary The remediation shipped in mailpit v1.29.2 for [GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3) (CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers…

  • CVE-2026-55185Jun 19, 2026
    risk 0.00cvss epss

    ### Summary The URL restrictions in `miniflux-v2` can be bypassed by attackers, leading to an open redirect vulnerability. ### Details Normally, the redirect URL needs to be validated using `IsRelativePath`. <img width="1728" height="1386" alt="QQ20260526-175356-26-1"…

  • CVE-2026-54762Jun 19, 2026
    risk 0.00cvss epss 0.00

    ## Summary There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and…

  • CVE-2026-55847Jun 19, 2026
    risk 0.00cvss epss

    ## Summary The `ansi.js` Handlebars helper in allure-generator passes user-controlled `statusMessage` and `statusTrace` values from test result files through the `ansi-to-html` library and wraps the output in Handlebars `SafeString` without HTML escaping. Since `ansi-to-html`…

  • CVE-2026-55846Jun 19, 2026
    risk 0.00cvss epss

    ## Summary The built-in HTTP server started by `allure serve` and `allure open` is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report…

  • CVE-2026-55837Jun 19, 2026
    risk 0.00cvss epss

    ## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens ### Summary The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes…

  • CVE-2026-55828Jun 19, 2026
    risk 0.00cvss epss

    ### Impact The go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library's path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process.…

  • CVE-2026-55660higJun 19, 2026
    risk 0.38cvss epss 0.00

    TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific…

  • CVE-2026-55795Jun 19, 2026
    risk 0.00cvss epss

    ### Summary The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided. ### Details When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate…

  • CVE-2026-55791criJun 19, 2026
    risk 0.52cvss epss 0.00

    **1. Overview** Craft CMS is vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the `/actions/app/resource-js` endpoint. By exploiting the default permissive `trustedHosts` configuration, an attacker can poison the `Host` or…

  • CVE-2026-54074higJun 19, 2026
    risk 0.38cvss epss 0.00

    ## Description ### Summary `@tinacms/cli` contains a Remote Code Execution vulnerability in its Forestry-to-Tina migration command. The internal helper `addVariablesToCode` unquotes any value matching the marker `"__TINA_INTERNAL__:::(.*?):::"` inside the stringified…

  • CVE-2026-55691higJun 19, 2026
    risk 0.38cvss epss

    ### Summary The user supplied class value is fed directly into the sprintf call that creates HTML. You can add a quote to escape the class and then inject arbitrary html/javascript to the final output. ### Details The template [here](https://github.com/StarCitizenWiki/mediawiki-…

  • CVE-2026-55690higJun 19, 2026
    risk 0.38cvss epss

    ### Summary When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML. ### Details There is a hardcoded list of allowed services in a switch statement inside…

  • CVE-2026-55091higJun 19, 2026
    risk 0.38cvss epss

    ### Summary `convert()` builds the nested tree by using each flat record's `id` and `parent` field values directly as object keys, with no guard against `__proto__` / `constructor` / `prototype`. A record whose `parent` is the string `"__proto__"` makes `temp[parent]` resolve…

  • CVE-2026-55849higJun 19, 2026
    risk 0.38cvss epss 0.00

    ## Summary A command injection vulnerability exists in `@cyclonedx/cyclonedx-npm` when the CLI is invoked with the `--workspace ` option while the environment variable `npm_execpath` is unset or empty. User‑supplied `--workspace` values are passed to a subshell…

  • CVE-2026-54911Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary `ujson.dumps()` (or `ujson.dump()` or `ujson.encode()`) have a `reject_bytes=False` option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input…

  • CVE-2026-54906lowJun 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary `Concurrent::ReadWriteLock#release_write_lock` does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section…

  • CVE-2026-54905lowJun 19, 2026
    risk 0.00cvss epss 0.00

    ### Summary `Concurrent::ReentrantReadWriteLock` can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is…

  • CVE-2026-54904higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Summary `Concurrent::AtomicReference#update` can enter a permanent busy retry loop when the current value is `Float::NAN`. The issue is caused by the interaction between: - `AtomicReference#update`, which retries until `compare_and_set(old_value, new_value)` succeeds. -…

  • CVE-2026-54903higJun 19, 2026
    risk 0.45cvss epss 0.00

    ### Summary `Oj.load` is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in `buf_append_string` (`buf.h:61`) converts the string length to a large negative `size_t`, causing `memcpy` to copy an astronomically large amount of data…

  • CVE-2026-54902higJun 19, 2026
    risk 0.45cvss epss 0.00

    ### Summary `Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside `hash_end` can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to…

  • CVE-2026-54901higJun 19, 2026
    risk 0.45cvss epss 0.00

    ### Summary `Oj::Parser` in usual mode does not mark `array_class` and `hash_class` references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent…

  • CVE-2026-54900higJun 19, 2026
    risk 0.45cvss epss 0.00

    ### Summary `Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable to heap corruption via a negative-size `memcpy`. When a JSON object key is exactly 65,535 bytes long, an integer truncation in `form_attr` (`usual.c:63`) converts the length to `-1` before…

  • CVE-2026-54784higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Impact When the proof key recovered from the RSTR can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT (default ~10 hours) and decrypt or forge any subsequent…

  • CVE-2026-54783higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Impact The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays…

  • CVE-2026-54782criJun 19, 2026
    risk 0.52cvss epss 0.00

    ### Impact Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0. #### Preconditions Relying-party service is hosted…

  • CVE-2026-54781higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Impact The relying application is given a ClaimsPrincipal for a subject whose authority over the assertion the sender never proved. There are two distinct exploit shapes: - Holder-of-key downgrade. An attacker who obtains a holder-of-key SAML assertion that was issued…

  • CVE-2026-54780lowJun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact CoreWCF’s WS-Security 1.0 receive pipeline validates the `SignatureMethod` of an incoming `ds:SignedInfo` against the configured `SecurityAlgorithmSuite`, but does not validate the `DigestMethod` declared on each `ds:Reference`. As a result, a sender can populate…

  • CVE-2026-54779Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact When enabling DetectReplayedTokens, a token can be replayed and will be detected despite it being reused. ### Patches Fixed in CoreWCF v1.8.1 and v1.9.1 ### Workarounds Provide your own implementation of `ITokenReplayCache` with the correct behavior.

  • CVE-2026-54778Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact Race condition in POSIX peer identity resolution may attribute one connection’s identity to another (getpwuid/getgrgid non-reentrant) and may crash the host process under contention. ### Patches Fixed in CoreWCF v1.8.1 and v1.9.1 ### Workarounds Restrict UDS…

  • CVE-2026-54777Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be…

  • CVE-2026-54776Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the…

  • CVE-2026-54775Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact A CoreWCF service is running and listening on a Kafka topic receiving a null-value record will stop processing new records from that topic. #### Preconditions The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits…

  • CVE-2026-54774higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Impact When a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped. #### Preconditions The service is configured to authenticate using SAML tokens and an out of band token resolver…

  • CVE-2026-54773Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact An unauthenticated remote attacker who can place a SOAP header lexically before `wsse:Security` can embed a `ds:Signature` of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security…

  • CVE-2026-54772higJun 19, 2026
    risk 0.38cvss epss 0.00

    ### Impact An unauthenticated remote attacker can pin one server thread‑pool worker at 100 % CPU per connection. With a few connections, the CPU usage can be exhausted. #### Preconditions An attacker being able to reach a service which is exposing an endpoint using one of…

  • CVE-2026-55865Jun 19, 2026
    risk 0.00cvss epss 0.00

    ### Impact Given a malformed `{% case %}` tag without associated `{% when %}` or `{% else %}` block, and no terminating `{% endcase %}` tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service…

  • CVE-2026-47645Jun 19, 2026
    risk 0.00cvss epss 0.00

    Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.

  • CVE-2026-48582Jun 19, 2026
    risk 0.00cvss epss 0.00

    Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-50519Jun 19, 2026
    risk 0.00cvss epss 0.01

    Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

  • CVE-2026-48584Jun 19, 2026
    risk 0.00cvss epss 0.01

    Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network.