Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.9

    MEDIUM
    CVE-2016-10535

    csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16... Read more

    Affected Products : csrf-lite
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2016-10534

    electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not ex... Read more

    Affected Products : electron-packager
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2016-10533

    express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for `GET /User?distinct=password` and get all... Read more

    Affected Products : express-restify-mongoose
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2016-10532

    console-io is a module that allows users to implement a web console in their application. A malicious user could bypass the authentication and execute any command that the user who is running the console-io application 2.2.13 and earlier is able to run. T... Read more

    Affected Products : console-io
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2016-10531

    marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `java... Read more

    Affected Products : marked
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2016-10530

    The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept ... Read more

    Affected Products : airbrake
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2016-10529

    Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious ... Read more

    Affected Products : droppy
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2016-10528

    restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified.... Read more

    Affected Products : restafary
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10527

    The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions.... Read more

    Affected Products : riot-compiler
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.6

    HIGH
    CVE-2016-10526

    A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logg... Read more

    Affected Products : grunt-gh-pages
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2016-10525

    When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication.... Read more

    Affected Products : hapi-auth-jwt2
    • Published: May. 29, 2018
    • Modified: Nov. 21, 2024

  • 8.2

    HIGH
    CVE-2016-10524

    i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments a malicious user cou... Read more

    Affected Products : i18n-node-angular
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10523

    MQTT before 3.4.6 and 4.0.x before 4.0.5 allows specifically crafted MQTT packets to crash the application, making a DoS attack feasible with very little bandwidth.... Read more

    Affected Products : mqtt-packet
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2016-10522

    rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by ... Read more

    Affected Products : rails_admin
    • Published: Jul. 05, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10521

    jshamcrest is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in to the emailAddress validator.... Read more

    Affected Products : jshamcrest
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10520

    jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input is passed in.... Read more

    Affected Products : jadedown
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10519

    A security issue was found in bittorrent-dht before 5.1.3 that allows someone to send a specific series of messages to a listening peer and get it to reveal internal memory.... Read more

    Affected Products : bittorrent-dht
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10518

    A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping f... Read more

    Affected Products : ws
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2016-10502

    While generating trusted application id, An integer overflow can occur giving the trusted application an invalid identity in Snapdragon Mobile and Snapdragon Wear in versions MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 835 and SDA660.... Read more

    • Published: Dec. 10, 2018
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2016-10501

    In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile, Snapdragon Wear, and Small Cell SoC FSM9055, MDM9206, MDM9607, MDM9635M, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 615... Read more

    • Published: Apr. 18, 2018
    • Modified: Nov. 21, 2024
Showing 20 of 293328 Results