Search

Search Results (365177 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-54736 1 Phalcon 1 Cphalcon 2026-07-13 N/A
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1.
CVE-2026-57584 1 Phalcon 1 Cphalcon 2026-07-13 N/A
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier (/.), and the same construct is produced by the /:params placeholder and the CLI router. Phalcon\Mvc\Router::handle() matches this pattern against the attacker-controlled request URI on every request, so a crafted path such as one containing repeated slashes followed by decoded newlines can trigger catastrophic backtracking and cause CPU exhaustion or route-matching failure. This issue is fixed in version 5.15.0.
CVE-2026-55884 1 Tilt-dev 1 Tilt 2026-07-13 N/A
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined resources, tamper with Tiltfile arguments, read full engine state including the session token, and invoke apiserver resources through the token-attaching /proxy handler. This issue is fixed in version 0.37.4.
CVE-2026-55882 1 Tilt-dev 1 Tilt 2026-07-13 N/A
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memory through /debug/pprof/heap and /debug/pprof/goroutine, including session and apiserver tokens, and degrade performance through /debug/pprof/profile or /debug/pprof/trace. This issue is fixed in version 0.37.4.
CVE-2026-55883 1 Tilt-dev 1 Tilt 2026-07-13 N/A
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websocket_token endpoint and the upgrader accepts clients that omit an Origin header. When the HUD is network-exposed, an attacker who can reach the listener can open the HUD WebSocket and receive the full view stream, including session state, Tiltfile contents, resource statuses, and continued updates. This issue is fixed in version 0.37.4.
CVE-2026-10768 1 Drupal 1 Localgov Workflows 2026-07-13 N/A
Missing Authorization vulnerability in Drupal LocalGov Workflows allows Forceful Browsing. This issue affects LocalGov Workflows versions: from 0.0.0 to 1.6.0.
CVE-2026-10769 1 Drupal 1 Commerce Core 2026-07-13 N/A
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Commerce Core allows Stored XSS. This issue affects Commerce Core versions: from 3.3.0 to 3.3.6.
CVE-2026-11909 1 Drupal 1 Examples For Developers 2026-07-13 N/A
Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing. This issue affects Examples for Developers versions: from 0.0.0 to 4.0.6.
CVE-2026-12535 1 Drupal 1 Formatter Field 2026-07-13 N/A
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0.
CVE-2026-55809 1 Drupal 1 Flag Attendance Field 2026-07-13 N/A
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2.
CVE-2026-55810 1 Drupal 1 Plotly.js Graphing 2026-07-13 N/A
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2.
CVE-2026-13231 1 Drupal 1 Advanced Content Feedback (aka Admin Feedback) 2026-07-13 N/A
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Stored XSS. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.
CVE-2026-13232 1 Drupal 1 Advanced Content Feedback (aka Admin Feedback) 2026-07-13 N/A
Incorrect Authorization vulnerability in Drupal Advanced Content Feedback (aka admin_feedback) allows Forceful Browsing. This issue affects Advanced Content Feedback (aka admin_feedback) versions: from 0.0.0 to 2.8.0.
CVE-2026-13233 1 Drupal 1 Openai Provider 2026-07-13 N/A
Server-Side Request Forgery (SSRF) vulnerability in Drupal OpenAI Provider allows Server Side Request Forgery. This issue affects OpenAI Provider versions: from 0.0.0 to 1.1.1, from 1.2.0 to 1.2.2.
CVE-2026-13236 1 Drupal 1 Ai Agents 2026-07-13 N/A
Missing Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.
CVE-2026-13237 1 Drupal 1 Ai Agents 2026-07-13 N/A
Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1.
CVE-2026-13238 1 Drupal 1 Commerce Realex / Global Payments 2026-07-13 N/A
Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2.
CVE-2026-13239 1 Drupal 1 Wisski 2026-07-13 N/A
Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0.
CVE-2026-13240 1 Drupal 1 Paragraphs 2026-07-13 N/A
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.
CVE-2026-13241 1 Drupal 1 Paragraphs 2026-07-13 N/A
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0.