Source: NVD (added 12 hours ago)
CVE-2026-12560

The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 4.4 | Exploits: 0 | References: 9

Source: Nuclei (added 13 hours ago)
Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. id: CVE-2025-28906 info: name: Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site...

CVSS 5.9 | AI score 7.3 | EPSS 0.00492 | Exploits: 0 | References: 3

Source: NVD (added yesterday)
CVE-2026-56780

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

CVSS 7.7 | Exploits: 0 | References: 3

Source: EUVD (added yesterday)
EUVD-2026-40155

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

CVSS 7.7 | AI score 5.8 | Exploits: 0 | References: 3

Source: CVE (added yesterday)
CVE-2026-56780

Modoboa prior to version 2.9.0 contains an insecure direct object reference in the PUT /api/v1/accounts/{pk}/password/ API. This flaw allows domain administrators to bypass object‑level access controls and change any user’s password, enabling full account takeover by resetting superadmin password...

CVSS 7.7 | AI score 5.8 | Exploits: 0 | References: 3

Source: Nuclei (added 2 days ago)
FlatnuX CMS - Directory Traversal

A path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action. id: CVE-2012-4878 info: name: FlatnuX CMS - Directory Traversal author: daffainfo severity:...

CVSS 5 | AI score 6 | EPSS 0.08761 | Exploits: 1 | References: 5

Source: NVD (added 2 days ago)
CVE-2026-58054

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group gid 4 and its datahandler's verifyusergroup unconditionally returns true. An admin holding only the delegated user-management...

CVSS 8.6 | EPSS 0.00272 | Exploits: 0 | References: 2

Source: EUVD (added 2 days ago)
EUVD-2026-39974

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group gid 4 and its datahandler's verifyusergroup unconditionally returns true. An admin holding only the delegated user-management...

CVSS 8.6 | AI score 5.8 | EPSS 0.00272 | Exploits: 0 | References: 2

Source: Cvelist (added 2 days ago)
CVE-2026-58054 MyBB - Privilege Escalation from Limited ACP User Management to Administrator

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group gid 4 and its datahandler's verifyusergroup unconditionally returns true. An admin holding only the delegated user-management...

CVSS 8.6 | EPSS 0.00272 | Exploits: 0 | References: 2

Source: CVE (added 2 days ago)
CVE-2026-58054

MyBB 1.8.40 is affected: the limited Admin Control Panel user management can assign the Administrators group (gid 4) because verify_usergroup() unconditionally returns true. This enables escalation from delegated user-management to full Administrator permissions. The issue comes from the user mod...

CVSS 8.6 | AI score 5.8 | EPSS 0.00272 | Exploits: 0 | References: 2

Source: NVD (added 4 days ago)
CVE-2026-50767

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field checkinmsg...

CVSS 5.4 | EPSS 0.00215 | Exploits: 0 | References: 2

Source: Cvelist (added 4 days ago)
CVE-2026-57628 WordPress WP All Import plugin <= 4.0.1 - SQL Injection vulnerability

Administrator SQL Injection in WP All Import <= 4.0.1 versions...

CVSS 7.6 | EPSS 0.00279 | Exploits: 0 | References: 1

Source: Cvelist (added 5 days ago)
CVE-2026-55439 Halo: Path Traversal in Backup Download Leads to Arbitrary File Read

Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint GET...

CVSS 5.5 | EPSS 0.00337 | Exploits: 0 | References: 2

Source: ATTACKERKB (added 5 days ago)
CVE-2026-55439

Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint GET...

CVSS 5.5 | AI score 6 | EPSS 0.00337 | Exploits: 0 | References: 3 | Affected software: 1

Source: CVE (added 6 days ago)
CVE-2026-10753

CVE-2026-10753 concerns Site Kit by Google for WordPress prior to 1.176.0. A REST API write endpoint is not properly restricted to administrators, allowing lower-privileged users (e.g., Editors with dashboard sharing access) to modify a site-wide setting that should be admin-only. Impact: potenti...

CVSS 2.7 | AI score 5.8 | EPSS 0.00168 | Exploits: 0 | References: 1

Source: EUVD (added 6 days ago)
EUVD-2026-38695

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access such as Editors to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0...

CVSS 2.7 | AI score 5.8 | EPSS 0.00168 | Exploits: 0 | References: 1

Source: NVD (added 2026/06/23 1:16 p.m.)
CVE-2026-56222

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

CVSS 8.6 | EPSS 0.00356 | Exploits: 0 | References: 2

Source: CVE (added 2026/06/22 12:31 p.m.)
CVE-2026-56446

MISP is affected by CVE-2026-56446 where an authenticated site administrator could configure an arbitrary filesystem path for the NDJSON error log via JsonLogTool. Logged data can contain attacker-controlled content, enabling direction of log output to a web-accessible PHP file and potentially in...

CVSS 8.7 | AI score 6.6 | EPSS 0.00383 | Exploits: 0 | References: 1 | Affected software: 1

Source: CVE (added 2026/06/22 2:00 a.m.)
CVE-2026-8918

The CVE concerns ASUS Armoury Crate. Permissive input validation allows a local administrator to bypass checks and perform arbitrary memory read/write or trigger a system crash (BSOD). Affected software is ASUS Armoury Crate; the underlying issue is permissive input validation in the input handl...

CVSS 7.1 | AI score 6 | EPSS 0.00224 | Exploits: 0 | References: 1

Source: NVD (added 2026/06/20 7:16 p.m.)
CVE-2026-56342

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

CVSS 6.8 | EPSS 0.00236 | Exploits: 0 | References: 2