Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Lead needs to know.

24867 results

Vulnerability | High
CVE-2026-12772 - BerriAI litellm PROXY_ADMIN database API Key Generator login_utils.py authenticate_user session expiration

CVE ID: CVE-2026-12772. Published: June 21, 2026, 2 a.m. Description: A security flaw has been discovered in BerriAI litellm up to 1.82.2. It affects the function authenticate_user in the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Manipulation results in insufficient session expiration (sessions are not invalidated when they should be). The attack can be initiated remotely. An exploit has been published and may be used in attacks. The vendor was contacted early about this disclosure. Severity: 6.5 | MEDIUM. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 21 Jun 2026
Vulnerability | High
CVE-2026-12771 - BerriAI litellm M2M JWT user_api_key_auth.py improper authorization

CVE ID: CVE-2026-12771. Published: June 21, 2026, 1 a.m. Description: A vulnerability was identified in BerriAI litellm up to 1.82.2. It affects an unknown function in the file litellm/proxy/auth/user_api_key_auth.py of the component M2M JWT Handler. Manipulation leads to improper authorization. The attack can be launched remotely; attack complexity is rated high and exploitation is reported as difficult. An exploit is publicly available and might be used. The vendor was contacted early about this disclosure. Severity: 5.0 | MEDIUM. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 21 Jun 2026
Vulnerability | High
CVE-2026-12770 - BerriAI litellm Admin Key key_management_endpoints.py improper authorization

CVE ID: CVE-2026-12770. Published: June 21, 2026, 12:15 a.m. Description: A vulnerability was determined in BerriAI litellm up to 1.63.1. The affected element is an unknown function in the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. Manipulation causes improper authorization. The attack can be initiated remotely. An exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure. Severity: 5.5 | MEDIUM. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 21 Jun 2026
Vulnerability | High
CVE-2026-56355 - GNU Savannah Savane Authorization Bypass

CVE ID: CVE-2026-56355. Published: June 20, 2026, 8:08 p.m. Description: GNU Savannah Administration Savane through 3.17 uses untrusted data as part of its authorization decisions. Severity: 3.7 | LOW. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 20 Jun 2026
Vulnerability | High
CVE-2026-56345 (CVSS 8.1)

AVideo through 29.0 contains an authorization bypass in the Meet plugin's uploadRecordedVideo.json.php endpoint, which derives the target users_id from the uploaded filename without verification. An attacker who knows the Meet shared secret can upload a file whose name carries an arbitrary users_id, causing the endpoint to invoke the passwordless User->login() and establish an authenticated session as any user, including admin. The shared secret can be obtained through path-traversal vulnerabilities or timing attacks against checkToken.json.php; the attacker then POSTs a crafted file to uploadRecordedVideo.json.php with a filename such as '1-anything.mp4' to hijack the admin session and take over the account.

Source: NVD (NIST), 20 Jun 2026
Vulnerability | High
CVE-2026-56341 (CVSS 7.5)

AVideo through version 26.0 exposes multiple unauthenticated list.json.php endpoints in its payment plugins that lack authorization checks, disclosing PayPal tokens, Authorize.Net webhooks and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data, including agreement IDs, user financial records and API responses, with direct GET requests to the affected endpoints.

Source: NVD (NIST), 20 Jun 2026
Vulnerability | High
CVE-2026-56340 (CVSS 8.8)

vLLM versions >= 0.10.2 and < 0.13.0 do not validate sparse tensors in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can, when the prompt-embeds feature is enabled, submit crafted embedding requests whose tensor indices are negative or out of bounds and trigger crashes or resource exhaustion (denial of service), with potential for out-of-bounds write / write-what-where memory corruption. This continues CVE-2025-62164, whose fix only disabled the feature by default rather than addressing the root cause.

Source: NVD (NIST), 20 Jun 2026
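The root cause above is accepting attacker-supplied sparse (COO) indices without checking them against the tensor shape. The following is an added example, not vLLM's or PyTorch's code: it shows in plain Python what such an invariant check looks like and why its absence matters. `validate_coo`, `scatter_2d` and the sample tensors are hypothetical; the 2-d scatter stands in for the embedding scatter, and a negative index that silently wraps to the end of a row in Python is the analogue of the out-of-bounds write the advisory warns about.

```python
from typing import Sequence


class SparseTensorError(ValueError):
    """Raised when a COO sparse tensor violates its invariants."""


def validate_coo(indices: Sequence[Sequence[int]], values: Sequence[float],
                 shape: Sequence[int]) -> None:
    """Enforce the COO invariants that PyTorch leaves unchecked by default:
    one coordinate row per dimension, one coordinate per value, and every
    coordinate an integer in [0, shape[dim]). Raises on the first violation,
    before any memory is touched."""
    if any(isinstance(d, bool) or not isinstance(d, int) or d <= 0 for d in shape):
        raise SparseTensorError(f"invalid shape {tuple(shape)}")
    if len(indices) != len(shape):
        raise SparseTensorError(f"{len(indices)} index rows for a {len(shape)}-d shape")
    nnz = len(values)
    for dim, coords in enumerate(indices):
        if len(coords) != nnz:
            raise SparseTensorError(f"dim {dim}: {len(coords)} coordinates for {nnz} values")
        for k, c in enumerate(coords):
            if isinstance(c, bool) or not isinstance(c, int):
                raise SparseTensorError(f"dim {dim}, entry {k}: non-integer index {c!r}")
            if not 0 <= c < shape[dim]:
                raise SparseTensorError(
                    f"dim {dim}, entry {k}: index {c} outside [0, {shape[dim]})")


def scatter_2d(indices, values, shape, check=True):
    """Densify a 2-d COO tensor (hypothetical stand-in for the embedding scatter).
    With check=False this is the unvalidated path: a negative coordinate silently
    wraps to the end of the row or column; an index >= shape raises IndexError here
    but would address memory past the buffer in native code."""
    if check:
        validate_coo(indices, values, shape)
    rows, cols = shape
    dense = [[0.0] * cols for _ in range(rows)]
    for r, c, v in zip(indices[0], indices[1], values):
        dense[r][c] += v
    return dense


SHAPE = (2, 3)
# Constructed samples, not real vLLM prompt-embeds payloads: (indices, values).
GOOD = (([0, 1], [0, 2]), [1.0, 2.0])       # entries at (0,0) and (1,2)
NEGATIVE = (([0, -1], [0, 0]), [1.0, 9.0])  # second entry has row index -1
OVERFLOW = (([0, 5], [0, 0]), [1.0, 9.0])   # second entry has row index 5 in a 2-row tensor


def classify(sample):
    """'ok' if the sample passes validation, otherwise the rejection message."""
    indices, values = sample
    try:
        validate_coo(indices, values, SHAPE)
        return "ok"
    except SparseTensorError as e:
        return str(e)


if __name__ == "__main__":
    print("checked GOOD   ->", scatter_2d(*GOOD, SHAPE))
    print("unchecked NEG  ->", scatter_2d(*NEGATIVE, SHAPE, check=False))  # 9.0 lands in row 1
    for name, sample in (("GOOD", GOOD), ("NEGATIVE", NEGATIVE), ("OVERFLOW", OVERFLOW)):
        print(f"{name:8} -> {classify(sample)}")
```

The check runs before any allocation or scatter, which is the property that matters for the denial-of-service half of the advisory: an absurd index should be rejected by a comparison, not discovered by the allocator. In PyTorch itself the equivalent switch is `torch.sparse.check_sparse_tensor_invariants`, which is off by default; turning it on for any tensor built from request data is the cheap version of this check.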
Vulnerability | High
CVE-2026-56347 - AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields

CVE ID: CVE-2026-56347. Published: June 20, 2026, 6:27 p.m. Description: The AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering, caused by missing output encoding of icon classes, URLs and text labels. Attackers can inject JavaScript through these unescaped menu item fields; it executes for every site visitor and can steal session cookies or perform unauthorized actions on their behalf. Severity: 6.1 | MEDIUM. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 20 Jun 2026
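The advisory names three sinks in one menu item (icon class, URL, label), and each needs its own encoding rule: HTML escaping alone does not stop a `javascript:` href. The following is an added example in Python, not AVideo's PHP code; `render_menu_item`, the allowlists and the sample menu are hypothetical, but the per-context rules are the general ones a fix for this bug class has to apply.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical allowlists for this example, not AVideo's own rules.
ICON_CLASS = re.compile(r"[A-Za-z0-9_-]+( [A-Za-z0-9_-]+)*")  # e.g. "fas fa-home"
SAFE_SCHEMES = {"http", "https", ""}                          # "" = relative URL
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def safe_href(url: str) -> str:
    """Return an attribute-safe href, or '#' if the URL is not http(s)/relative.
    Control characters (tab, newline) are rejected outright: browsers strip them,
    so 'java<TAB>script:' would slip past a naive scheme check."""
    url = url.strip()
    if CONTROL_CHARS.search(url):
        return "#"
    if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def safe_icon_class(cls: str) -> str:
    """Only a plain space-separated class list is allowed; anything else becomes ''."""
    return cls if ICON_CLASS.fullmatch(cls) else ""


def render_menu_item(item: dict) -> str:
    """Render one TopMenu-style entry with each field encoded for its own context:
    URL -> scheme check + attribute escaping, icon -> class allowlist,
    label -> HTML escaping of text content."""
    return (
        f'<li><a href="{safe_href(item.get("url", "#"))}">'
        f'<i class="{safe_icon_class(item.get("icon", ""))}"></i>'
        f'{html.escape(item.get("text", ""))}</a></li>'
    )


def render_menu(items) -> str:
    return "<ul>" + "".join(render_menu_item(i) for i in items) + "</ul>"


# Constructed sample menu: one benign item and one carrying a payload in every field.
MENU = [
    {"text": "Home", "url": "/?a=1&b=2", "icon": "fas fa-home"},
    {"text": "<script>alert(document.cookie)</script>",
     "url": "javascript:alert(1)",
     "icon": 'x" onmouseover="alert(1)'},
]

if __name__ == "__main__":
    print(render_menu(MENU))
```

Note what each rule buys: the label only needs entity encoding, the class attribute is restricted to an allowlist rather than escaped (so nothing but class names can ever reach it), and the href gets a scheme check first and attribute escaping second, because `html.escape` leaves `javascript:alert(1)` perfectly valid as a URL.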
Vulnerability | High
CVE-2026-56345 - AVideo - Arbitrary User Session Hijacking via Meet Plugin uploadRecordedVideo Endpoint

CVE ID: CVE-2026-56345. Published: June 20, 2026, 6:27 p.m. Description: AVideo through 29.0 contains an authorization bypass in the Meet plugin's uploadRecordedVideo.json.php endpoint, which derives the target users_id from the uploaded filename without verification. An attacker who knows the Meet shared secret can upload a file whose name carries an arbitrary users_id, causing the endpoint to invoke the passwordless User->login() and establish an authenticated session as any user, including admin. The shared secret can be obtained through path-traversal vulnerabilities or timing attacks against checkToken.json.php; the attacker then POSTs a crafted file to uploadRecordedVideo.json.php with a filename such as '1-anything.mp4' to hijack the admin session and take over the account. Severity: 9.2 | CRITICAL. The NVD entry earlier on this page scores the same CVE at 8.1; the two feeds disagree, so check the CVSS version and vector on each before prioritizing. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 20 Jun 2026
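Both entries for CVE-2026-56345 on this page describe the same two defects: identity is parsed out of a client-chosen filename, and the shared-secret check is exposed to a timing attack. The following is an added example in Python, not AVideo's code and not a description of how AVideo is patched: `vulnerable_upload` reproduces the filename-to-users_id pattern, and `issue_upload_token` / `hardened_upload` show one way to bind an upload to the user who actually started the recording (an HMAC token, verified with a constant-time compare). The secret, token format and function names are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets
import time

# Constructed server-side secret for the example; a real deployment reads it from config.
MEET_SECRET = b"constructed-meet-shared-secret-do-not-reuse"


def users_id_from_filename(filename: str):
    """The vulnerable pattern: the numeric prefix of the client-chosen filename
    ('1-anything.mp4' -> 1) is taken as the identity to log in as."""
    m = re.match(r"(\d+)-", filename)
    return int(m.group(1)) if m else None


def vulnerable_upload(shared_secret: bytes, filename: str) -> dict:
    """Anyone holding the shared secret picks the users_id through the filename."""
    if shared_secret != MEET_SECRET:           # plain comparison: short-circuits, leaks timing
        return {"status": 401}
    uid = users_id_from_filename(filename)
    if uid is None:
        return {"status": 400}
    return {"status": 200, "session_user": uid}   # passwordless login as uid


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_upload_token(users_id: int, ttl: int = 600) -> str:
    """One hardened design (an assumption, not AVideo's API): when a recording starts,
    the server issues a short-lived token binding the upload to the user who started it."""
    payload = json.dumps({"uid": users_id, "exp": int(time.time()) + ttl}).encode()
    mac = hmac.new(MEET_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_upload_token(token: str):
    """Return the bound users_id, or None. compare_digest is constant-time, which
    removes the timing side channel the advisory mentions for checkToken."""
    try:
        p64, m64 = token.split(".")
        payload, mac = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(m64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(MEET_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims.get("uid"), int) or claims.get("exp", 0) < time.time():
        return None
    return claims["uid"]


def hardened_upload(token: str, client_filename: str) -> dict:
    """Identity comes from the verified token; the client filename is never parsed for it.
    The server also chooses the on-disk name, so the upload name cannot steer storage."""
    uid = verify_upload_token(token)
    if uid is None:
        return {"status": 401}
    stored_as = f"{uid}-{secrets.token_hex(8)}.mp4"
    return {"status": 200, "session_user": uid, "stored_as": stored_as}


if __name__ == "__main__":
    print(vulnerable_upload(MEET_SECRET, "1-anything.mp4"))   # logs in as users_id 1
    tok = issue_upload_token(42)
    print(hardened_upload(tok, "1-anything.mp4"))             # session_user stays 42
```

The design point is that possession of the shared secret should at most let a client upload a recording for the meeting it was issued for, never choose whose session it lands in; a per-user, expiring token gives the endpoint a verified identity to use instead of whatever the filename claims.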
Vulnerability | High
CVE-2026-56346 - AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint

CVE ID: CVE-2026-56346. Published: June 20, 2026, 6:27 p.m. Description: AVideo through version 25.0 contains an authentication bypass in the decryptMessage.json.php endpoint that lets unauthenticated users decrypt PGP messages. Remote attackers can submit private keys, ciphertext and passphrases and have the server decrypt them without any credentials, which exposes key material to logs and enables resource exhaustion attacks. Severity: 6.9 | MEDIUM. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 20 Jun 2026
Vulnerability | High
CVE-2026-56342 - AVideo - Server-Side Request Forgery in Live/test.php via statsURL Parameter

CVE ID: CVE-2026-56342. Published: June 20, 2026, 6:27 p.m. Description: AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter. The parameter is not passed through isSSRFSafeURL() and accepts requests to private IP ranges and cloud metadata endpoints. Attackers can point it at internal services, cloud metadata endpoints such as 169.254.169.254, and localhost to retrieve sensitive information, including IAM credentials, internal service responses and network configuration details. Severity: 6.8 | MEDIUM. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 20 Jun 2026
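The missing isSSRFSafeURL() call above is the whole bug, so the useful thing to show is what such a guard has to do. The following is an added example in Python, not AVideo's isSSRFSafeURL() implementation: `is_ssrf_safe_url` allows only http(s) URLs whose host resolves exclusively to globally routable addresses, which refuses loopback, RFC 1918 ranges, the 169.254.169.254 metadata address, IPv4-mapped IPv6 forms and non-resolving names. The function names and the sample URLs are assumptions for the example.

```python
import ipaddress
import socket
from typing import Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host: str) -> list:
    """Literal IPs are parsed directly; names go through getaddrinfo. IPv4-mapped
    IPv6 (::ffff:10.0.0.5) is unwrapped so the IPv4 rules apply to it."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return []
        addrs = [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]
    unwrapped = []
    for a in addrs:
        mapped = getattr(a, "ipv4_mapped", None)   # None for IPv4 and plain IPv6
        unwrapped.append(mapped if mapped is not None else a)
    return unwrapped


def is_ssrf_safe_url(url: str) -> Tuple[bool, str]:
    """Allow only http(s) URLs whose host resolves exclusively to global addresses.
    ipaddress.is_global is False for loopback, RFC 1918, link-local (including
    169.254.169.254), shared address space, unspecified and reserved ranges."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = _resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for a in addrs:
        if not a.is_global:
            return False, f"{host} -> {a} is not a global address"
    return True, "ok"


# Constructed sample inputs: what an attacker would put in statsURL, plus one public literal.
SAMPLES = [
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://127.0.0.1:8080/status",
    "http://10.0.0.5/admin",
    "http://[::ffff:10.0.0.5]/",
    "file:///etc/passwd",
    "https://93.184.216.34/stats",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = is_ssrf_safe_url(u)
        print(f"{'ALLOW' if ok else 'DENY ':5} {u}  ({why})")
```

Two caveats a practitioner should keep in mind. First, this validates before the fetch, so it does nothing against DNS rebinding or an HTTP redirect to an internal address: the fetcher must connect to the address that was validated (pin the resolved IP and set the Host header itself) and re-run the check on every redirect hop or disable redirects. Second, for an admin-only diagnostic like Live/test.php, an allowlist of the one or two stats hosts it is meant to query is simpler and stronger than any denylist.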
Vulnerability | High
CVE-2026-56341 - AVideo - Unauthenticated Access to Payment Log DataTables Endpoints via list.json.php

CVE ID: CVE-2026-56341. Published: June 20, 2026, 6:27 p.m. Description: AVideo through version 26.0 exposes multiple unauthenticated list.json.php endpoints in its payment plugins that lack authorization checks, disclosing PayPal tokens, Authorize.Net webhooks and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data, including agreement IDs, user financial records and API responses, with direct GET requests to the affected endpoints. Severity: 8.7 | HIGH. The NVD entry earlier on this page scores the same CVE at 7.5; the two feeds disagree, so check the CVSS version and vector on each before prioritizing. CVSS vector, affected products and timeline are in the linked advisory.

Source: CVEfeed CVE, 20 Jun 2026

Page 178 of 2073

Stay up to date on cybersecurity

Subscribe to CodersRegistry to receive the most important updates on EU regulation and critical vulnerabilities.