Lucene search
K

134001 matches found

nvd
nvd
added 11 hours ago4 views

CVE-2026-12273

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS
Exploits0References1
ossf
ossf
added 11 hours ago4 views

Malicious code in @ica-gaming/slot-engine (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 504d38d63d27d90e825007078cde3c381daa6cfa73a8009797c60f3e889c44d0 The package presents itself as a deterministic WASM slot-math engine, but slotengine.wasm embeds obfuscated Node.js modules and Emscripten JS shim...

6.5AI score
Exploits0References1
ossf
ossf
added 11 hours ago2 views

Malicious code in path-addon-extend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b383636076e2701a372675c281ee82463d97529ed7d8db027276aa8a8b68b966 path-addon-extend presents itself as a copy of Node's built-in path module. On module load, path.js issues an HTTPS GET to a base64-obscured URL that...

6.5AI score
Exploits0References3
redhatcve
redhatcve
added 11 hours ago2 views

CVE-2026-58252

A flaw was found in NATS Server. An authenticated user could bypass configured access restrictions and receive messages on subjects that were explicitly denied. This occurs when a wildcard subscription overlaps with a wildcard deny rule but is not a direct subset, or when queue subscriptions...

6.5CVSS6AI score0.00465EPSS
Exploits0References10
ossf
ossf
added 11 hours ago3 views

Malicious code in env-stream (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5d06b9a9a214d1e08fd459bd98442bad75e003177590786d876b948a7329f11 Package publishes under the name env-stream but its package.json homepage, README, log tag dotenv-flow@$version, exported API, and env/CLI prefixes...

6.6AI score
Exploits0References2
ossf
ossf
added 11 hours ago4 views

Malicious code in trinity-scheme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5d576c0487668f599137a479e17ddc1335935fdec631f7d5adfa9e73049d7652 On npm install, the package's preinstall lifecycle reads a hex-encoded command string from preinstall.json, decodes it via Buffer.from..., 'hex', and...

6.1AI score
Exploits0References1
ossf
ossf
added 11 hours ago3 views

Malicious code in terminal-mascot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3fdf1ac60d0060cb78970c884bcfa7bb5360d9f700c0f8992b66af09cce22ae [email protected] ships a postinstall script install-check.cjs that resolves a bundle URL from a remote JSON config at...

6.3AI score
Exploits0References1
ossf
ossf
added 11 hours ago3 views

Malicious code in async-chain-dom (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f2ce6eed4ea7607d2f12f602b43b354b91ceba4cabdc761f569c3e1dc29b6f6 On require, index.js spawns a detached, unref'd node lib/vcall.js child process. lib/vcall.js fetches JavaScript from...

6.5AI score
Exploits0References1
ossf
ossf
added 11 hours ago3 views

Malicious code in chain-js-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a928356b1418a88bc30f460c42b1d9f3050ca3e67deb674307269a8c752d1d8 The package impersonates pino ships pino's docs and headers, exports a pino alias but its actual runtime is an Express middleware factory in file.js...

6.2AI score
Exploits0References1
ossf
ossf
added 11 hours ago3 views

Malicious code in note-utilities (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4f093c8536c89f9d6c524ae212051fc45a5244d910afd8ee3abe30698f15b75d The package masquerades as a pino-style logger keywords fast/logger/stream/json; lib/ contents copied from pinojs/pino but ships an additional loader...

6.1AI score
Exploits0References1
ossf
ossf
added 11 hours ago3 views

Malicious code in cookie-phase (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 17bfab347de8288575bca9677b9eb7652b0024cdbffc1efebe387378c243299c The package presents itself as the popular pino logger README badges, exported module.exports.pino = middleware but its name and metadata are...

6.5AI score
Exploits0References1
ossf
ossf
added 11 hours ago4 views

Malicious code in timmytuffknuckles3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ca256e52e28fe9f7cfdd4c0b42e699f1b29c5e141df2ad73d7737f522fc7c85 The package ships twelve heavily obfuscated JavaScript files under assets/ e.g. assets/3oruu3por5.js, assets/6y4sp7rdhb.js, assets/wlaswqv83p.js, eac...

6.1AI score
Exploits0References2
redhatcve
redhatcve
added 12 hours ago2 views

CVE-2026-58251

A flaw was found in NATS Server, a high-performance messaging system. An authenticated user with specific permissions could bypass security rules designed to deny access to certain message subjects. This bypass occurs when a queue subscription is used, allowing the user to access information that...

6.5CVSS6AI score0.00488EPSS
Exploits0References10
attackerkb
attackerkb
added 12 hours ago3 views

CVE-2026-12273

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

6.2AI score
Exploits0References1
cvelist
cvelist
added 12 hours ago6 views

CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

Exploits0References1
vulnrichment
vulnrichment
added 12 hours ago3 views

CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

6.2AI score
Exploits0References1
cve
cve
added 12 hours ago7 views

CVE-2026-12273

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS6.2AI score
Exploits0References1
githubexploit
githubexploit
added 12 hours ago24 views

Exploit for CVE-2026-5118

CVE-2026-5118 — Divi Form Builder ≤ 5.1.2 Unauthenticated Pr...

9.8CVSS6.1AI score0.00487EPSS
Exploits5
thn
thn
added 12 hours ago4 views

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

The U.S. Cybersecurity and Infrastructure Security Agency CISA has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities KEV catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both...

10CVSS7.1AI score0.80425EPSS
Exploits26
nuclei
nuclei
added 13 hours ago291 views

OpenMetadata - Authentication Bypass

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The JwtFilter handles the API authentication by requiring and verifying JWT tokens. When a new request comes in, the request...

9.8CVSS7.1AI score0.73255EPSS
Exploits5References5
Rows per page
Query Builder