Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a technical lead needs to know.

24544 results

Vulnerability | High
CVE-2026-56379 - ImageMagick - Command Injection via SVG Decoder

CVE ID: CVE-2026-56379 | Published: June 23, 2026, 12:13 p.m. | Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics (MVG) commands that execute during rendering. Severity: 0.0 | NONE. Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVEfeed | CVE | 23 Jun 2026
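Until the fixed releases listed above (7.1.2-15 / 6.9.13-40) are deployed, the standard operational mitigation is an ImageMagick security policy that denies the vector coders involved. The following is an added example, not code from ImageMagick or from the feed, that parses a policy.xml and reports which of the SVG, MSVG and MVG coders a policy still leaves enabled. The two policies embedded in it are constructed samples, and the default path in the usage stanza is an assumption that varies by distribution.

```python
import xml.etree.ElementTree as ET

# Coders on the SVG -> MVG path the advisory describes; hardened policies commonly
# deny all three together (MSVG is ImageMagick's built-in SVG renderer).
RISKY_CODERS = ("SVG", "MSVG", "MVG")


def _expand_pattern(pattern: str) -> set:
    """Expand a policy pattern into upper-cased coder names.

    Handles the plain form ("MVG") and the brace alternation ("{SVG,MVG}")
    used in shipped policy files; "*" is kept literally and means every coder.
    """
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return {p.strip().upper() for p in pattern[1:-1].split(",") if p.strip()}
    return {pattern.upper()}


def denied_coders(policy_xml: str) -> set:
    """Coder names a policy.xml denies outright (domain="coder", rights="none")."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if (pol.get("rights") or "").strip().lower() != "none":
            continue
        denied |= _expand_pattern(pol.get("pattern") or "")
    return denied


def still_enabled(policy_xml: str) -> list:
    """Which of RISKY_CODERS the policy leaves usable, in a stable order."""
    denied = denied_coders(policy_xml)
    if "*" in denied:
        return []
    return [c for c in RISKY_CODERS if c not in denied]


# Constructed sample: resource limits only, vector coders untouched.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
</policymap>"""

# Constructed sample: denies the coders named in the advisory.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{SVG,MSVG,MVG}"/>
</policymap>"""


if __name__ == "__main__":
    import sys
    # Assumed default location; distributions differ, so pass the real path.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ImageMagick-7/policy.xml"
    with open(path, encoding="utf-8") as fh:
        print("still enabled:", still_enabled(fh.read()) or "none")
```

Run it against the policy your ImageMagick actually loads (`convert -list policy` prints the path and the effective entries). A deny on `*` is handled, but glob patterns such as `S*` are not expanded here, so treat the output as a prompt to read the file rather than the final word.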
Vulnerability | High
CVE-2026-56371 - ImageMagick - Memory Leak in TXT File Processing via Texture Attribute

CVE ID: CVE-2026-56371 | Published: June 23, 2026, 12:13 p.m. | Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is processed. Severity: 0.0 | NONE

CVEfeed | CVE | 23 Jun 2026
Vulnerability | High
CVE-2026-56376 - ImageMagick - Heap Use-After-Free in Meta Coder

CVE ID: CVE-2026-56376 | Published: June 23, 2026, 12:13 p.m. | Description: ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service. Severity: 6.3 | MEDIUM

CVEfeed | CVE | 23 Jun 2026
Vulnerability | High
CVE-2026-56322 - Capgo - Information Disclosure via Unauthenticated /updates defaultChannel Parameter

CVE ID: CVE-2026-56322 | Published: June 23, 2026, 12:13 p.m. | Description: Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint, which resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers can probe private channel names and distinguish valid channels from nonexistent ones based on response differences, revealing assigned bundle versions and platform-specific configuration details. Severity: 8.7 | HIGH

CVEfeed | CVE | 23 Jun 2026
Vulnerability | High
CVE-2026-56315 - picklescan - Remote Code Execution via Unblocked Standard Library Modules

CVE ID: CVE-2026-56315 | Published: June 23, 2026, 12:13 p.m. | Description: picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib), exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely. Severity: 9.8 | CRITICAL

CVEfeed | CVE | 23 Jun 2026
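The failure described here is structural: a scanner that enumerates bad modules has to be complete, while an unpickler that resolves only explicitly allowed globals does not. The block below is an added example, not picklescan's code, showing that difference on constructed pickle bytes. It disassembles pickles with pickletools (nothing is ever loaded), compares an illustrative module denylist with an allowlist, and uses a harmless uuid.uuid4 reference as the stand-in for an unlisted stdlib callable; the specific functions the advisory refers to are deliberately not reproduced.

```python
import collections
import pickle
import pickletools

# Opcodes that push a str; STACK_GLOBAL (protocol 4+) pops two of them as module/name.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> list:
    """Statically list every (module, name) the pickle would import on load.

    pickletools.genops disassembles without executing, so this is safe on
    untrusted input, and it also sees globals that are never called.
    """
    refs, pushed = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                   # protocol 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":           # protocol 4+: operands came from the stack
            if len(pushed) < 2:
                raise ValueError("malformed STACK_GLOBAL")
            refs.append((pushed[-2], pushed[-1]))
        if op.name in STRING_OPS:
            pushed.append(arg)
    return refs


# Illustrative denylist (not picklescan's real list): the obvious shells only.
BLOCKED_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "sys", "shutil"}


def denylist_verdict(data: bytes) -> str:
    """Flag only imports from known-bad modules; everything else passes."""
    hits = [m for m, _ in referenced_globals(data) if m.split(".")[0] in BLOCKED_MODULES]
    return "dangerous" if hits else "clean"


# Allowlist: the only globals the loader is ever expected to resolve (illustrative).
ALLOWED_GLOBALS = {"collections": {"OrderedDict", "defaultdict"},
                   "datetime": {"datetime", "date"}}


def allowlist_verdict(data: bytes) -> str:
    """Reject any import not explicitly allowed, whatever module it lives in."""
    unknown = [(m, n) for m, n in referenced_globals(data)
               if n not in ALLOWED_GLOBALS.get(m, ())]
    return "rejected" if unknown else "accepted"


# Constructed samples; they are disassembled, never loaded.
SHELL_PICKLE = b"cos\nsystem\n(S'id'\ntR."          # GLOBAL os.system, then REDUCE
SHELL_PICKLE_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x02id\x85R."
# Same shape, but the callable lives in a stdlib module no shell denylist names.
# uuid.uuid4 itself is harmless; the point is that the denylist cannot tell.
UNLISTED_PICKLE = b"cuuid\nuuid4\n(tR."
BENIGN_PICKLE = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("shell", SHELL_PICKLE), ("unlisted", UNLISTED_PICKLE),
                        ("benign", BENIGN_PICKLE)):
        print(label, referenced_globals(blob), denylist_verdict(blob), allowlist_verdict(blob))
```

In a loader the same allowlist belongs in an `Unpickler.find_class` override that raises on anything else; the static pass is what you run on files before they reach a loader at all.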
Vulnerability | High
CVE-2026-56301 - Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux

CVE ID: CVE-2026-56301 | Published: June 23, 2026, 12:13 p.m. | Description: Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server (nuxt dev) on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect to it. Unprivileged co-resident users can exploit the unprotected module request handler to read arbitrary files such as .env and SSH keys through the SSR plugin pipeline. Production builds are unaffected, as the IPC server runs only in development. Severity: 6.8 | MEDIUM

CVEfeed | CVE | 23 Jun 2026
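A practitioner wants two things from this entry: a way to see which abstract-namespace sockets are listening on a host, and a demonstration that no permission check stands between a local user and such a socket. Both are in the added example below, which is not Nuxt or vite-node code. The /proc/net/unix sample is constructed and the @dev-server-ipc name is hypothetical, not the socket name Nuxt actually uses.

```python
import os
import socket
import sys

IS_LINUX = sys.platform.startswith("linux")
ACCEPTCON = 0x10000          # __SO_ACCEPTCON in the Flags column: the socket is listening


def parse_proc_net_unix(text: str) -> list:
    """Parse the /proc/net/unix table into one dict per socket.

    Columns: Num RefCount Protocol Flags Type St Inode Path. Path is missing for
    unnamed sockets and starts with '@' for abstract-namespace ones, which have
    no filesystem node and therefore no mode bits at all.
    """
    rows = []
    for line in text.strip().splitlines()[1:]:        # first line is the header
        parts = line.split(maxsplit=7)
        if len(parts) < 7:
            continue
        rows.append({
            "flags": int(parts[3], 16),
            "type": int(parts[4], 16),
            "state": int(parts[5], 16),
            "inode": int(parts[6]),
            "path": parts[7] if len(parts) == 8 else "",
        })
    return rows


def abstract_listeners(text: str) -> list:
    """Names of abstract-namespace sockets that are accepting connections."""
    return [row["path"][1:] for row in parse_proc_net_unix(text)
            if row["path"].startswith("@") and row["flags"] & ACCEPTCON]


def abstract_listener_reachable(name: str) -> bool:
    """Bind an abstract socket and connect to it from a second socket.

    Linux only (returns False elsewhere). Nothing in the filesystem gates the
    connect: any process in the same network namespace, whatever its uid, gets
    through. The only containment is a separate namespace, not permissions.
    """
    if not IS_LINUX:
        return False
    addr = b"\0" + name.encode()                  # leading NUL = abstract namespace
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(addr)
        srv.listen(1)
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
            cli.connect(addr)
            conn, _ = srv.accept()
            conn.close()
    return True


# Constructed sample; "@dev-server-ipc" is a hypothetical name, not a real tool's socket.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 23456 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 98765 @/tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 98770 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 41234 @dev-server-ipc
0000000000000000: 00000002 00000000 00000000 0002 01 41300
"""


if __name__ == "__main__":
    if IS_LINUX:
        with open("/proc/net/unix") as fh:
            print("abstract listeners on this host:", abstract_listeners(fh.read()))
    print("demo listener reachable:", abstract_listener_reachable(f"demo-{os.getpid()}"))
```

On a host running a Nuxt dev server, run the script and look for the vite-node listener in the first line. Anything that appears there is reachable by every local account in the same network namespace, so the containment options are a dedicated namespace or container, not file permissions.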
Vulnerability | High
CVE-2026-56275 - Flowise - Server-Side Request Forgery via Execute Flow Base URL

CVE ID: CVE-2026-56275 | Published: June 23, 2026, 12:13 p.m. | Description: Flowise before 3.1.0 contains a server-side request forgery vulnerability in the Execute Flow node that allows attackers to bypass security validation by providing intranet addresses through the base URL field. Attackers can initiate HTTP requests to internal network addresses, access cloud metadata, and enumerate internal services by exploiting the missing secureFetch verification in httpSecurity.ts. Severity: 6.0 | MEDIUM

CVEfeed | CVE | 23 Jun 2026
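The missing check is the one every outbound-fetch feature needs before it trusts a user-supplied base URL: resolve the host and refuse anything that is not a public unicast address, including the link-local range where cloud metadata services live. The following is an added example, not Flowise's secureFetch or httpSecurity.ts; it takes a resolver as a parameter and ships a constructed resolver table so it runs offline, with 1.2.3.4 standing in for a public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_with_dns(host: str) -> set:
    """Every address the name resolves to (A and AAAA), as strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Unwraps IPv4-mapped IPv6 (::ffff:127.0.0.1) first, since the mapped form is
    what a naive string comparison against 127.0.0.1 misses. Link-local covers
    169.254.169.254, the address cloud metadata services listen on.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_base_url(url: str, resolve=resolve_with_dns) -> tuple:
    """Return (ok, reason) for a user-supplied base URL before any request is made.

    Every resolved address must be public: a name with one internal and one
    public record is refused as a whole.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {str(ipaddress.ip_address(host))}     # IP literal: nothing to resolve
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"unresolvable host {host}: {exc}"
    internal = sorted(a for a in addrs if not is_public_address(a))
    if internal:
        return False, f"{host} resolves to non-public address(es): {internal}"
    return True, "ok"


# Constructed resolver table so the check runs offline (1.2.3.4 = a public address).
FAKE_DNS = {
    "api.example.com": {"1.2.3.4"},
    "internal.corp.example": {"10.0.0.5"},
    "split-horizon.example": {"1.2.3.4", "192.168.1.20"},
}


def resolve_fake(host: str) -> set:
    """Stand-in for resolve_with_dns; unknown names fail like NXDOMAIN would."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no record for {host}")


if __name__ == "__main__":
    for url in ("https://api.example.com/v1", "http://internal.corp.example/",
                "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/"):
        print(url, check_base_url(url, resolve=resolve_fake))
```

This guards the URL only as submitted. The client must also re-validate on every redirect and connect to the address it validated (pin the resolved IP, or validate inside the connection hook); otherwise a DNS answer that changes between check and connect reopens the hole.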
Vulnerability | High
CVE-2026-56263 - Crawl4AI - Stored Cross-Site Scripting in Monitor Dashboard

CVE ID: CVE-2026-56263 | Published: June 23, 2026, 12:13 p.m. | Description: Crawl4AI before 0.8.7 contains a stored cross-site scripting vulnerability in the monitor dashboard, which renders crawl URLs and error messages via innerHTML without escaping. An attacker can submit a crafted crawl request with malicious markup that executes in an operator's browser when viewing the dashboard. Severity: 6.1 | MEDIUM

CVEfeed | CVE | 23 Jun 2026
Vulnerability | High
CVE-2026-56274 - Flowise - Remote Code Execution via MCP Security Bypass in validateCommandFlags and validateArgsForLocalFileAccess

CVE ID: CVE-2026-56274 | Published: June 23, 2026, 12:13 p.m. | Description: Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions for chatflows, can configure a malicious MCP server to bypass the validateCommandFlags blocklist (for example, 'docker build' is not blocked, and 'npx --yes' is not blocked while only '-y' is) and the validateArgsForLocalFileAccess checks, resulting in execution of arbitrary commands on the Flowise host. Severity: 9.9 | CRITICAL

CVEfeed | CVE | 23 Jun 2026
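Both bypasses in this entry come from validating by subtraction: a blocklist that names '-y' but not '--yes', and no list of acceptable subcommands at all. The added example below (not Flowise's validateCommandFlags or validateArgsForLocalFileAccess) shows the inverse design: canonicalise the argument vector first, then accept only a named launcher, a named subcommand, named flags and positional arguments that match a strict package or image grammar. The policy table and the grammars are illustrative; the flags used (npx --yes/-y, docker run --rm -i) are real options of those tools.

```python
import re
import shlex

# Long/short alias pairs for the launchers allowed below. Without this table a check
# that blocks "-y" lets "--yes" through, which is exactly the gap the advisory names.
FLAG_ALIASES = {"--yes": "-y"}

# Positional-argument grammars (illustrative, not Flowise's): no leading "/", "~" or
# ".", no "..", no "//", no scheme prefix, no backslashes, so no local path qualifies.
NPM_PACKAGE = re.compile(r"^(@[a-z0-9-]+/)?[a-z0-9][a-z0-9._-]*(@[0-9A-Za-z.^~-]+)?$")
DOCKER_IMAGE = re.compile(
    r"^[a-z0-9]+([._-][a-z0-9]+)*(/[a-z0-9]+([._-][a-z0-9]+)*)*(:[A-Za-z0-9._-]+)?$")

# Allowlist: launcher -> (required subcommand or None, permitted flags, positional grammar).
# Everything not listed is refused, so "docker build" never needs a blocklist entry.
POLICY = {
    "npx": (None, set(), NPM_PACKAGE),              # no flags at all, so no auto-install
    "docker": ("run", {"--rm", "-i"}, DOCKER_IMAGE),
}


def canonical_argv(command_line: str) -> list:
    """shlex-split and normalise flags so aliases cannot dodge the policy."""
    out = []
    for tok in shlex.split(command_line):
        if tok.startswith("--") and "=" in tok:           # --flag=value -> --flag value
            flag, value = tok.split("=", 1)
            out.extend([FLAG_ALIASES.get(flag, flag), value])
        elif tok.startswith("--"):
            out.append(FLAG_ALIASES.get(tok, tok))
        elif tok.startswith("-") and len(tok) > 2:        # -yq -> -y -q; a value glued to a
            out.extend("-" + c for c in tok[1:])          # short flag becomes odd flags that
        else:                                             # the allowlist then refuses
            out.append(tok)
    return out


def validate_command(command_line: str) -> tuple:
    """Return (ok, reason). Anything not explicitly permitted is refused."""
    try:
        argv = canonical_argv(command_line)
    except ValueError as exc:                             # unbalanced quotes etc.
        return False, f"unparsable command: {exc}"
    if not argv:
        return False, "empty command"
    launcher, rest = argv[0], argv[1:]
    if launcher not in POLICY:
        return False, f"launcher not allowed: {launcher}"
    subcommand, flags, grammar = POLICY[launcher]
    if subcommand is not None:
        if not rest or rest[0] != subcommand:
            return False, f"subcommand not allowed: {rest[:1]}"
        rest = rest[1:]
    positionals = []
    for tok in rest:
        if tok.startswith("-"):
            if tok not in flags:
                return False, f"flag not allowed: {tok}"
        else:
            positionals.append(tok)
    if not positionals:
        return False, "no package or image given"
    for tok in positionals:
        if not grammar.match(tok):
            return False, f"argument rejected: {tok}"
    return True, "ok"


if __name__ == "__main__":
    for cmd in ("npx @scope/server", "npx --yes @scope/server", "docker build -t x .",
                "docker run --rm ghcr.io/org/server:1.2", "npx ../../etc/passwd"):
        print(f"{cmd!r:45} -> {validate_command(cmd)}")
```

Because any launcher, subcommand or flag absent from POLICY is refused by construction, a new escape route needs a policy change to open rather than a blocklist update to close.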
Vulnerability | High
CVE-2026-56258 - Crawl4AI - Arbitrary File Write via output_path Symlink and TOCTOU

CVE ID: CVE-2026-56258 | Published: June 23, 2026, 12:12 p.m. | Description: Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Remote attackers can exploit insufficient path validation and symlink following to achieve arbitrary file write and potential code execution on systems where the runtime user has write access to executable or cron locations. Severity: 9.2 | CRITICAL

CVEfeed | CVE | 23 Jun 2026
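The two bugs named here, symlink following and a check-then-use race on output_path, share one fix: open the file relative to a pinned directory descriptor with O_NOFOLLOW|O_CREAT|O_EXCL, so the kernel refuses links and pre-existing files atomically instead of the application checking first. The added example below is not Crawl4AI code; it contrasts a check-then-use writer with the hardened one in a constructed temp-directory scenario (the shot.png name and the outside file are stand-ins), and needs Linux or macOS for O_NOFOLLOW and dir_fd.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when an output name would leave, or already escapes, the output dir."""


def vulnerable_write(base_dir: str, output_path: str, data: bytes) -> str:
    """Check-then-use: a lexical containment check, then open() by name.

    open() follows symlinks, so a link planted at output_path redirects the write
    anywhere the service user can write. Resolving with realpath() first would
    only narrow the window: the link can be swapped in after the check (TOCTOU).
    Kept only to contrast with hardened_write().
    """
    target = os.path.join(base_dir, output_path)
    root = os.path.abspath(base_dir) + os.sep
    if not os.path.abspath(target).startswith(root):
        raise UnsafePath(output_path)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def hardened_write(base_dir: str, output_path: str, data: bytes) -> str:
    """Create the file relative to a directory fd, refusing links and existing files.

    - one path component only (no separators, no "." or ".."), so it cannot leave
      base_dir lexically;
    - O_NOFOLLOW fails with ELOOP if the final component is a symlink and O_EXCL
      fails with EEXIST if anything is already there, so there is no
      check-then-use window to race;
    - dir_fd pins the directory itself, so renaming base_dir mid-request does
      not redirect the write either.
    """
    if (not output_path or output_path in (".", "..")
            or "/" in output_path or "\\" in output_path or "\0" in output_path):
        raise UnsafePath(output_path)
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(output_path, flags, 0o600, dir_fd=dir_fd)
    except OSError as exc:
        raise UnsafePath(f"{output_path}: {exc.strerror}") from exc
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return os.path.join(base_dir, output_path)


def demo() -> dict:
    """Constructed scenario: a symlink inside the output dir points outside it."""
    with tempfile.TemporaryDirectory() as root:
        outdir = os.path.join(root, "screenshots")
        os.mkdir(outdir)
        victim = os.path.join(root, "outside.txt")        # stands in for a cron or profile file
        os.symlink(victim, os.path.join(outdir, "shot.png"))   # the attacker's link
        vulnerable_write(outdir, "shot.png", b"attacker content")
        results = {"vulnerable_wrote_outside": os.path.isfile(victim)}
        for key, name in (("hardened_blocked_symlink", "shot.png"),
                          ("hardened_blocked_traversal", "../outside2.txt")):
            try:
                hardened_write(outdir, name, b"x")
                results[key] = False
            except UnsafePath:
                results[key] = True
        hardened_write(outdir, "fresh.png", b"ok")
        results["hardened_wrote_fresh"] = os.path.isfile(os.path.join(outdir, "fresh.png"))
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under these flags an attacker who can create entries in the output directory can at most make the request fail, and a burst of such failures in the service log is itself a usable signal that someone is probing the endpoint.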
Vulnerability | High
CVE-2026-56248 - Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy

CVE ID: CVE-2026-56248 | Published: June 23, 2026, 12:12 p.m. | Description: Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection, unfiltered queries to the public.audit_logs endpoint using the public anon key consistently trigger statement timeouts (PostgREST error 57014). Under concurrency, this exhausts database resources and causes cascading HTTP 500 failures on unrelated endpoints (e.g. /orgs), resulting in an application-layer denial of service. Severity: 8.7 | HIGH

CVEfeed | CVE | 23 Jun 2026
Vulnerability | High
CVE-2026-56243 - Capgo - Hashed API Key Enforcement Bypass via PostgREST/RLS Plane

CVE ID: CVE-2026-56243 | Published: June 23, 2026, 12:12 p.m. | Description: Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to the PostgREST/RLS plane to access protected resources. Severity: 8.6 | HIGH

CVEfeed | CVE | 23 Jun 2026

Page 127 of 2046

Stay up to date on cybersecurity

Subscribe to CodersRegistry to receive the most important updates on EU regulation and critical vulnerabilities.