Lucene search
+L

50435 matches found

Cvelist
Cvelist
added 1 hour ago5 views

CVE-2026-9734 W3SC Elementor to Zoho CRM <= 2.2.0 - Cross-Site Request Forgery to Settings Update

The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin's...

4.3CVSS
Exploits0References4
The Hacker News
The Hacker News
added yesterday8 views

New wp2shell WordPress Core Flaw Lets Unauthenticated Attackers Run Code

Updated July 18, 2026: the two flaws now carry CVE IDs, the full mechanism has been published, a persistent-object-cache condition has surfaced, and a working proof-of-concept is public. The story below reflects all of it. An anonymous HTTP request can run code on a WordPress site. The bug is in...

9.8CVSS6.2AI score
Exploits8
NVD
NVD
added yesterday7 views

CVE-2026-8505

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOKAUTHENABLE configuration is set to False which is the default...

9.8CVSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45308

IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint /api/v1/buildpublictmp/flowid/flow . The vulnerability stems from an incomplete denylist in the validatepublicflownocodeexecution function that fails...

8.1CVSS6.3AI score
Exploits0References1
NVD
NVD
added yesterday4 views

CVE-2026-9103

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/autologin endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTOLOGIN configuration is enabl...

9.8CVSS
Exploits0References1
NVD
NVD
added yesterday3 views

CVE-2026-49835

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...

5.9CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-8505

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOKAUTHENABLE configuration is set to False which is the default...

9.8CVSS6.1AI score
Exploits0References2Affected Software1
EUVD
EUVD
added yesterday6 views

EUVD-2026-45272

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOKAUTHENABLE configuration is set to False which is the default...

9.8CVSS6.1AI score
Exploits0References1
CVE
CVE
added yesterday14 views

CVE-2026-8505

CVE-2026-8505 affects Langflow OSS 1.0.0–1.10.0. A flaw in the webhook authentication logic bypasses API key validation when WEBHOOK_AUTH_ENABLE is False (default), allowing unauthenticated remote execution of any flow and potentially RCE/DoS. IBM’s bulletin confirms the vulnerability and that th...

9.8CVSS6.1AI score
Exploits0References1
Cvelist
Cvelist
added yesterday13 views

CVE-2026-9103 Unauthenticated Superuser Token Issuance via Auto-Login Endpoint

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/autologin endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTOLOGIN configuration is enabl...

9.8CVSS
Exploits0References1
CVE
CVE
added yesterday17 views

CVE-2026-9103

CVE-2026-9103 affects Langflow OSS 1.0.0–1.10.0. The root cause is improper authentication in the /api/v1/login/auto_login endpoint, which issues long‑lived superuser tokens when AUTO_LOGIN is enabled (default). Combined with permissive CORS, this can expose tokens to unintended origins and enabl...

9.8CVSS5.5AI score
Exploits0References1
EUVD
EUVD
added yesterday7 views

EUVD-2026-45258

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/autologin endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTOLOGIN configuration is enabl...

9.8CVSS5.5AI score
Exploits0References1
Patchstack
Patchstack
added yesterday7 views

WordPress Core <= 7.0.1 - Unauthenticated REST API Batch Request Handler Confusion

Unauthenticated REST API Batch Request Handler Confusion vulnerability discovered by Adam Kues in WordPress core versions = 7.0.1...

5.3AI score
Exploits0References1Affected Software1
Patchstack
Patchstack
added yesterday9 views

WordPress Core <= 7.0.1 - Unauthenticated SQL Injection vulnerability

Unauthenticated SQL Injection vulnerability discovered by TF1T, dtro, and haongo in WordPress core versions = 7.0.1...

5.9AI score
Exploits0References1Affected Software1
NVD
NVD
added yesterday8 views

CVE-2026-9202

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEWUSERISACTIVE=true documented deployment option, newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need...

9.8CVSS
Exploits0References1
Cvelist
Cvelist
added yesterday12 views

CVE-2026-9198 Unauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/autologin mints SUPERUSER tokens to any network caller with /api/v1/validate/code executes user code via exec to achieve full RCE on default Langflow deployments...

9.8CVSS
Exploits0References1
NVD
NVD
added yesterday6 views

CVE-2026-60024

The Joomla extension Events Booking prior version 5.8.0 did by default allow unauthenticated users to upload media assets...

Exploits0References1
Vulnrichment
Vulnrichment
added yesterday5 views

CVE-2026-49211 Symfony UX: Information exposure via unescaped LIKE wildcards in EntitySearchUtil

Symfony UX is a JavaScript ecosystem for Symfony. From 2.2.0 until 2.36.0 and 3.1.0, Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping SQL LIKE wildcards %...

6.9CVSS5.6AI score
Exploits0References4
Vulnrichment
Vulnrichment
added yesterday6 views

CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal

An unauthenticated reflected cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 104997. The application fails to properly sanitize the portal parameter supplied to the invalidbrowser and invalidbrowserlogin handlers. User-supplied data is reflected into...

8.6CVSS5.3AI score
Exploits0References2
Cvelist
Cvelist
added yesterday13 views

CVE-2026-63101 Open Event Server 1.19.1 Unauthenticated Member Roster Export via CSV Export Endpoint

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint whic...

8.7CVSS
Exploits0References2
Rows per page
Query Builder