Lucene search
+L

258886 matches found

packetstormnews
packetstormnews
added 2026/09/10 12:0 a.m.220 views

IServ Schoolserver User Enumeration

IServ Schoolserver suffers from a user enumeration vulnerability. The vendor does not feel this is an issue...

5.8AI score
Exploits0
euvd
euvd
added 2 hours ago3 views

EUVD-2026-44875

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile...

6.1AI score
Exploits0References2
cve
cve
added 3 hours ago5 views

CVE-2026-15103

The CVE affects the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell WordPress plugin. All versions up to 3.12.8 are vulnerable to privilege escalation via an insecure update_settings() REST callback that does not validate the group_id path parameter against an allowlis...

8.8CVSS6.1AI score
Exploits0References6
cve
cve
added 3 hours ago7 views

CVE-2026-15727

The CVE-2026-15727 entry concerns the WP Bulk Delete WordPress plugin. Affected: WP Bulk Delete (plugins bundle) up to version 1.4.2. Vulnerability: generic SQL Injection via the delete_user_roles parameter, caused by insufficient escaping of user-supplied input and inadequate preparation in the ...

4.9CVSS6.1AI score
Exploits0References10
cve
cve
added 3 hours ago11 views

CVE-2026-15021

The wpForo Forum plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the 'location' Profile Field across all versions up to 3.1.1. The issue stems from insufficient input sanitization and output escaping; sanitize_text_field() at input does not encode double q...

6.4CVSS6.2AI score
Exploits0References8
cve
cve
added 3 hours ago12 views

CVE-2026-13741

The CVE-2026-13741 entry concerns the Digits: WordPress Mobile Number Signup and Login plugin for WordPress, vulnerable in all versions up to and including 9.1.0.5. The root cause is missing authorization and role validation in the dig_update_wpwc_custom_fields() function, allowing authenticated ...

8.8CVSS6AI score
Exploits0References2
cve
cve
added 3 hours ago7 views

CVE-2026-15106

The WPBot – AI ChatBot for Live Support WordPress plugin is vulnerable to an authorization bypass in all versions up to 8.5.6. The issue allows unauthenticated attackers to delete arbitrary chat session records from wpbot_user andwpbot_conversation by supplying a crafted userid value, indicating ...

5.3CVSS6.2AI score
Exploits0References8
cve
cve
added 5 hours ago6 views

CVE-2026-12525

CVE-2026-12525 affects the Redux Framework WordPress plugin prior to 4.5.13. The vulnerability arises because the plugin does not restrict which user meta keys can be written when saving custom profile fields, allowing a user with at least the Subscriber role to escalate to Administrator by submi...

6.1AI score
Exploits0References1
euvd
euvd
added 11 hours ago4 views

EUVD-2026-44823

PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP...

7.1CVSS6.1AI score
Exploits0References2
cve
cve
added 11 hours ago32 views

CVE-2026-1609

CVE-2026-1609 affects Keycloak: when the JWT authorization grant preview feature is enabled and a user is disabled, Keycloak may not validate the user’s disabled status during JWT grant processing. A remote, low-privilege attacker can present an assertion token from an external IdP to obtain a JW...

8.1CVSS6.1AI score
Exploits0References4
cve
cve
added yesterday12 views

CVE-2026-55445

Qinglong vulnerability CVE-2026-55445: Before 2.20.1, the init guard in back/loaders/express.ts checked /api/user/init but not /open/user/init. After a subsequent rewrite of /open/* to /api/$1 (post-auth), an unauthenticated attacker could issue PUT /open/user/init to reset the administrator cred...

9.3CVSS6.1AI score
Exploits0References3
cve
cve
added yesterday9 views

CVE-2026-53445

CVE-2026-53445 (Wekan) : Affected component is Wekan’s copyBoard DDP publication (server/publications/boards.js). Before version 9.32, the copy operation copied a board by caller-supplied boardId without validating this.userId, membership, or admin access, enabling any authenticated user to copy ...

7.1CVSS6.1AI score0.00041EPSS
Exploits0References3
nvd
nvd
added yesterday5 views

CVE-2026-45737

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From 3.2.0 until 3.2.12, 3.3.10, and 3.4.2, Argo CD ServerSideDiff can expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation because HideSecretDatatarget, live, ... does...

6.3CVSS0.00034EPSS
Exploits0References8
cve
cve
added yesterday12 views

CVE-2026-52887

NocoBase before version 2.0.61 is affected by CVE-2026-52887 due to a SQL injection in the in-app notification plugin. The flaw occurs in GET /api/myInAppChannels:list where filter[latestMsgReceiveTimestamp][$lt] is interpolated into a Sequelize.literal() without escaping or parameter binding, en...

10CVSS6.2AI score0.00048EPSS
Exploits0References3
nvd
nvd
added yesterday6 views

CVE-2026-62355

TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, a Data Reader adminuser on a TDengine Cloud DB instance could run create udf even though standard users should have read-only permissions for non-database objects and show dnodes and crea...

5.4CVSS
Exploits0References1
cve
cve
added yesterday7 views

CVE-2026-62350

TDengine (open-source time-series DB) -- vulnerability CVE-2026-62350 allows a user with create_udf privilege to upload a crafted shared library, install it as a UDF (e.g., eval), and execute arbitrary C code on the server via queries. Root cause: improper validation of UDF loading/execution lead...

7.2CVSS6.3AI score
Exploits0References1
cve
cve
added yesterday6 views

CVE-2026-62355

TDengine (TDengine Cloud DB) prior to 3.4.1.15 had a permission issue where a Data Reader admin_user could run create udf and access non-database objects, despite read-only intent for standard users. The vulnerability impact is limited to unauthorized creation of user-defined functions and relate...

5.4CVSS6.1AI score
Exploits0References1
nvd
nvd
added yesterday5 views

CVE-2026-61643

FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, an authenticated FastGPT user can save a workflow node that points to another user's private HTTP toolset by using a crafted saved tool id such as http-/. The normal toolset routes deny access, but the workflow...

5.9CVSS
Exploits0References2
nvd
nvd
added yesterday6 views

CVE-2026-45337

Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny...

7.6CVSS0.00017EPSS
Exploits0References4
nvd
nvd
added yesterday5 views

CVE-2026-20296

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, an attacker could trick a user that holds a role with the listdeploymentserver capability into running arbitrary...

8.3CVSS
Exploits0References1
Rows per page
Query Builder