Filter and search through 206,452 vulnerabilities
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-35464 | The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critic... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35463 | The `ADMIN_ONLY_OPTIONS` protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy crede... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35459 | The fix for CVE-2026-33992 (GHSA-m74m-f7cr-432x) added IP validation to `BaseDownloader.download()` that checks the hostname of the initia... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35457 | The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue `DISCOVER` requests and force... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35454 | Zip Slip Path Traversal in coder/code-marketplace: a Zip Slip (CWE-22) vulnerability in `coder/code-marketplace` ≤ v2.4.1 allowed a mali... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35452 | The `plugin/CloneSite/client.log.php` endpoint serves the clone operation log file without any authentication. Every other endpoint in the... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35450 | The `plugin/API/check.ffmpeg.json.php` endpoint probes the FFmpeg remote server configuration and returns connectivity status without any ... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35449 | The `install/test.php` diagnostic script has its CLI-only access guard disabled by commenting out the `die()` statement. The script remain... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35448 | The BlockonomicsYPT plugin's `check.php` endpoint returns payment order data for any Bitcoin address without requiring authentication. The... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35442 | Aggregate functions (`min`, `max`) applied to fields with the `conceal` special type incorrectly return raw database values instead of th... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35441 | Directus' GraphQL endpoints (`/graphql` and `/graphql/system`) did not deduplicate resolver invocations within a single request. An authe... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35413 | When `GRAPHQL_INTROSPECTION=false` is configured, Directus correctly blocks standard GraphQL introspection queries (`__schema`, `__type`).... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35412 | Directus' TUS resumable upload endpoint (`/files/tus`) allows any authenticated user with basic file upload permissions to overwrite arbit... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35411 | Directus is vulnerable to an Open Redirect via the `redirect` query parameter on the `/admin/tfa-setup` page. When an administrator who has... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35410 | An open redirect vulnerability exists in the login redirection logic. The `isLoginRedirectAllowed` function fails to correctly identify c... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35409 | A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35408 | Directus' Single Sign-On (SSO) login pages lacked a `Cross-Origin-Opener-Policy` (COOP) HTTP response header. Without this header, a mali... | 0.0 | 0 | Neutral | No | No |
| CVE-2026-35405 | The `libp2p-rendezvous` server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register un... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35394 | The `mobile_open_url` tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, all... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-35393 | POST multipart upload directory not sanitized (`httpserver/updown.go:71-174`). This finding affects the default configuration, no flags o... | 0.0 | 0 | Neutral | No | No |
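Two rows in the table above, CVE-2026-35454 (Zip Slip in `coder/code-marketplace`) and CVE-2026-35393 (the unsanitized multipart upload directory in `httpserver/updown.go`), are the same CWE-22 pattern: a caller-controlled relative name is joined onto a destination directory without checking where the result lands. The following is an added example written for this page, not code from either project or from the advisories; `SafeJoin`, `FilterEntries`, the destination directory `/tmp/extract` and the sample entry names are all assumptions constructed for illustration. It shows the check both fixes need: resolve the joined path and refuse anything that is absolute or that resolves to or above the destination root.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when an untrusted name would resolve outside the destination directory.
var ErrPathEscape = errors.New("path escapes destination directory")

// SafeJoin resolves an untrusted relative name (an archive entry name or an uploaded filename)
// under destDir and rejects any result that would land outside destDir.
// Hypothetical helper written for this page; not code from coder/code-marketplace or httpserver/updown.go.
func SafeJoin(destDir, untrusted string) (string, error) {
	// Archive entries and HTTP filenames arrive with forward slashes; fold backslashes in as well so
	// Windows-style traversal ("..\..\x") is handled identically on every platform.
	name := strings.ReplaceAll(untrusted, "\\", "/")
	if name == "" || strings.ContainsRune(name, 0) {
		return "", ErrPathEscape
	}
	// Refuse absolute names instead of silently re-rooting them under destDir.
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrPathEscape
	}
	root, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	// Join cleans ".." segments; the check is made on the cleaned result, not on the raw string.
	full := filepath.Join(root, filepath.FromSlash(name))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// "." means the name collapsed onto the root itself (e.g. "a/.."); ".." or "../..." means it climbed out.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return full, nil
}

// FilterEntries applies SafeJoin to each name and partitions the names into accepted target paths
// and rejected names, the way an extractor or upload handler would before touching the filesystem.
func FilterEntries(destDir string, names []string) (accepted, rejected []string) {
	for _, n := range names {
		p, err := SafeJoin(destDir, n)
		if err != nil {
			rejected = append(rejected, n)
			continue
		}
		accepted = append(accepted, p)
	}
	return accepted, rejected
}

// SampleEntries is a constructed list of entry names for demonstration; it is not taken from
// any real archive or from the advisories listed above.
var SampleEntries = []string{
	"extension/package.json",       // benign nested file
	"extension/dist/main.js",       // benign nested file
	"../../../etc/cron.d/backdoor", // classic Zip Slip traversal
	"/etc/passwd",                  // absolute path
	"..\\..\\windows\\win.ini",     // Windows-style traversal
}

func main() {
	accepted, rejected := FilterEntries("/tmp/extract", SampleEntries)
	for _, p := range accepted {
		fmt.Println("write: ", p)
	}
	for _, n := range rejected {
		fmt.Println("reject:", n)
	}
}
```

The check is made on the cleaned, joined result rather than on the raw string, so `a/../../b` is caught even though it does not start with `..`, while a legitimate name such as `..config` is still accepted. Checking the raw string for a `..` prefix, or only for the literal `../` sequence, is the usual way such fixes end up incomplete.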