Filter and search through 206,471 vulnerabilities
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-35449 | ## Summary The `install/test.php` diagnostic script has its CLI-only access guard disabled by commenting out the `die()` statement. The script remain... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35448 | ## Summary The BlockonomicsYPT plugin's `check.php` endpoint returns payment order data for any Bitcoin address without requiring authentication. The... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35442 | ### Summary Aggregate functions (`min`, `max`) applied to fields with the `conceal` special type incorrectly return raw database values instead of th... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35441 | ### Summary Directus' GraphQL endpoints (`/graphql` and `/graphql/system`) did not deduplicate resolver invocations within a single request. An authe... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35413 | ## Summary When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly blocks standard GraphQL introspection queries (`__schema`, `__type`).... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35412 | ## Summary Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbit... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35411 | ### Summary Directus is vulnerable to an Open Redirect via the redirect query parameter on the `/admin/tfa-setup` page. When an administrator who has... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35410 | ### Summary An open redirect vulnerability exists in the login redirection logic. The `isLoginRedirectAllowed` function fails to correctly identify c... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35409 | ### Summary A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35408 | ## Summary Directus's Single Sign-On (SSO) login pages lacked a `Cross-Origin-Opener-Policy` (COOP) HTTP response header. Without this header, a mali... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35405 | ### Summary The `libp2p-rendezvous` server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register un... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35394 | ### Summary The `mobile_open_url` tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, all... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35393 | ### Summary * POST multipart upload directory not sanitized \| `httpserver/updown.go:71-174` This finding affects the default configuration, no flags o... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35392 | ### Summary * PUT upload has no path sanitization \| `httpserver/updown.go:20-69` This finding affects the default configuration, no flags or authenti... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-3524 | Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenti... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35213 | All versions of `@hapi/content` through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three reg... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35209 | ### Impact Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) ... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35200 | ### Impact A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., `.txt`) but with a `Content-Type` header ... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35187 | ## Vulnerability Details **CWE-918**: Server-Side Request Forgery (SSRF) The `parse_urls` API function in `src/pyload/core/api/__init__.py` (line 55... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35181 | **Severity:** Medium **CWE:** CWE-352 (Cross-Site Request Forgery) ## Summary The player skin configuration endpoint at `admin/playerUpdate.json.php... | 0.0 | 0 | Neutral | No | No |