Lucene search
+L

125551 matches found

Cvelist
Cvelist
added 3 hours ago9 views

CVE-2026-63309 SurrealDB < 3.1.5 Information Disclosure via ORDER BY

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records...

5.3CVSS
Exploits0References3
CVE
CVE
added 3 hours ago6 views

CVE-2026-63309

CVE-2026-63309 affects SurrealDB prior to 3.1.5. The issue occurs because field-level SELECT permissions are not applied to ORDER BY clauses, allowing authenticated users to infer the relative ordering of restricted-field values. Attackers can issue ORDER BY queries on indexed restricted fields t...

5.3CVSS5.3AI score
Exploits0References3
CVE
CVE
added 6 hours ago11 views

CVE-2024-23575

The vulnerability CVE-2024-23575 affects HCL Aftermarket EPC, where the application returns detailed error messages that reveal server-side processing details. This information leakage can aid an attacker in crafting more focused attacks. The available sources do not specify affected versions, ex...

5.3CVSS5.3AI score
Exploits0References1
Nuclei
Nuclei
added 15 hours ago21 views

Open WebUI < 0.9.5 - Information Disclosure

Open WebUI 0.9.5 contains an information disclosure vulnerability caused by unauthenticated access to GET /api/v1/retrieval/ endpoint, letting remote attackers retrieve live RAG pipeline configuration without authorization, exploit requires no authentication. id: CVE-2026-45397 info: name: Open...

5.3CVSS5.7AI score0.0072EPSS
Exploits1References3
Nuclei
Nuclei
added 15 hours ago11 views

LearnPress < 4.3.7 - Information Disclosure

LearnPress WordPress plugin 4.3.7 contains an information disclosure vulnerability caused by missing capability checks on a REST endpoint, letting unauthenticated visitors retrieve sensitive user role and capability data via crafted requests. id: CVE-2026-8383 info: name: LearnPress 4.3.7 -...

5.3CVSS5.2AI score0.00424EPSS
Exploits0References2
Nuclei
Nuclei
added 15 hours ago16 views

Dgraph <= 25.3.2 - Admin Token Disclosure

Dgraph = 25.3.2 contains an information disclosure caused by unauthenticated access to the /debug/vars endpoint , which publishes the cmdline variable including the --security token= flag, letting unauthenticated remote attackers retrieve the admin token and access admin-only endpoints, exploit...

9.8CVSS5.3AI score0.02187EPSS
Exploits1References2
Nuclei
Nuclei
added 15 hours ago8 views

Piwigo < 16.3.0 - Unauthenticated Information Disclosure via History API

Piwigo = 16.3.0 contains an information disclosure vulnerability caused by the pwg.history.search API method lacking adminonly restriction, letting unauthenticated users access full browsing history, exploit requires no authentication id: CVE-2026-27833 info: name: Piwigo 16.3.0 - Unauthenticated...

7.5CVSS5.2AI score0.01522EPSS
Exploits1References2
Nuclei
Nuclei
added 15 hours ago10 views

W3 Total Cache < 2.8.2 - Log File Exposure

The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF...

7.5CVSS8.2AI score0.02169EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago14 views

WP Go Maps < 10.0.10 - Unauthenticated Marker Information Disclosure

WP Go Maps WordPress plugin 10.0.10 contains an information disclosure vulnerability caused by lack of approval-state filtering on the public single-marker REST endpoint, letting unauthenticated users access unapproved marker records including PII and geographic coordinates, exploit requires no...

5.3CVSS5.2AI score0.00225EPSS
Exploits0References2
Nuclei
Nuclei
added 15 hours ago165 views

My Calendar WordPress Plugin - Information Disclosure

My Calendar WordPress plugin = 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parsestr in mcajaxmcjsaction endpoint, letting unauthenticated attackers access or crash sites via switchtoblog, exploit requires WordPress Multisite or Single Site setup. id:...

8.8CVSS5.2AI score0.00932EPSS
Exploits0References2
Nuclei
Nuclei
added 15 hours ago29 views

IP2Location Country Blocker < 2.38.9 - Unauthenticated Information Disclosure

IP2Location Country Blocker plugin for WordPress up to version 2.38.8 contains a regular information exposure caused by missing capability checks on admininit, letting unauthenticated attackers view plugin settings, exploit requires no special conditions. id: CVE-2025-1361 info: name: IP2Location...

7.5CVSS8.3AI score0.01278EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago35 views

Blinko <= 1.8.3 - User Information Leak

Blinko = 1.8.4 contains an information disclosure caused by a publicly accessible endpoint exposing user information including usernames, roles, and account creation dates, letting remote attackers access sensitive user data, exploit requires no special privileges. id: CVE-2026-23486 info: name:...

6.9CVSS5.3AI score0.00711EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago32 views

WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure

Widgets for Social Photo Feed WordPress plugin = 1.8 contains a broken access control caused by missing capability checks on specific REST API endpoints, letting unauthenticated attackers access and modify plugin settings remotely. id: CVE-2025-14726 info: name: WordPress Widgets for Social Photo...

6.5CVSS5.2AI score0.0083EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago31 views

Uptime-Kuma < v1.23.0 - Improper Access Control

Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...

5.3CVSS5.3AI score0.00905EPSS
Exploits1References2
Nuclei
Nuclei
added 15 hours ago14 views

WordPress AudioIgniter <= 2.0.2 - Unauthenticated IDOR

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. The handleplaylistendpoint function accepted a user-controlled playlist ID and returned track data without authentication. id: CVE-2026-8679 info: name: WordPress...

7.5CVSS5.2AI score0.01508EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago13 views

Glances - Information Disclosure

Glances 4.5.1 contains an information disclosure vulnerability caused by unfiltered exposure of sensitive configuration data via the /api/4/config REST API endpoint, letting remote attackers access credentials, exploit requires API access. id: CVE-2026-30928 info: name: Glances - Information...

8.7CVSS7.7AI score0.01657EPSS
Exploits1References2
Nuclei
Nuclei
added 15 hours ago31 views

Glances - Information Disclosure

Glances 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges. id: CVE-2026-32596 info: name: Glances -...

8.7CVSS7.8AI score0.0155EPSS
Exploits1References2
Nuclei
Nuclei
added 15 hours ago53 views

Mail Mint < 1.19.5 - Unauthenticated Email Disclosure

Mail Mint WordPress plugin 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication. id: CVE-2026-2025 info: name: Mail Mint 1.19.5 -...

7.5CVSS5.2AI score0.01379EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago39 views

Nginx UI < 2.3.3 - Information Disclosure

Nginx UI 2.3.3 contains an information disclosure vulnerability caused by unauthenticated access to /api/backup endpoint exposing encryption keys in X-Backup-Security header, letting unauthenticated attackers download and decrypt full system backups. id: CVE-2026-27944 info: name: Nginx UI 2.3.3 ...

9.8CVSS7.5AI score0.22162EPSS
Exploits13References3
Nuclei
Nuclei
added 15 hours ago11 views

TOTOLINK/Realtek Routers - Information Disclosure

A certain router administration interface using Realtek APMIB e.g., on TOTOLINK models allows unauthenticated remote attackers to disclose the entire router configuration, including sensitive credentials, via accessing the "config.dat" file. Affected devices include TOTOLINK A3002RU through 2.0.0...

7.5CVSS7.3AI score0.08669EPSS
Exploits3References2
Rows per page
Query Builder