Lucene search
+L

122208 matches found

EUVD
EUVD
added 5 days ago5 views

EUVD-2026-43290

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

7.1CVSS6.2AI score0.00171EPSS
Exploits0References2
NVD
NVD
added 5 days ago4 views

CVE-2026-10106

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in th...

6.5CVSS0.00174EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago37 views

CVE-2026-10106 Unauthorized users can trigger interactive post actions in private channels via action cookie channel mismatch in Mattermost

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify that the channel referenced in an action cookie matches the channel of the target post, which allows an authenticated user without access to a private channel to trigger interactive post actions on posts in th...

6.5CVSS0.00174EPSS
Exploits0References1
CVE
CVE
added 5 days ago14 views

CVE-2026-10106

Mattermost vulnerable versions: 11.7.x ≤ 11.7.2, 11.6.x ≤ 11.6.4, and 10.11.x ≤ 10.11.19. The issue stems from failing to verify that the channel referenced in an action cookie matches the target post’s channel, enabling an authenticated user without access to a private channel to trigger interac...

6.5CVSS6.1AI score0.00174EPSS
Exploits0References1Affected Software1
NVD
NVD
added 5 days ago5 views

CVE-2026-12397

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

4.3CVSS0.00162EPSS
Exploits0References1
NVD
NVD
added 5 days ago5 views

CVE-2026-12275

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

7.1CVSS0.00171EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-12275 Tutor LMS < 3.9.13 - Subscriber+ Unauthorized Course Enrollment and Private Course Content Disclosure via Droip/Kirki Integration

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

0.00171EPSS
Exploits0References1
CVE
CVE
added 5 days ago15 views

CVE-2026-12275

Affected software: Tutor LMS WordPress plugin (before 3.9.13) with Droip and Kirki page-builder integrations. What is vulnerable: The core course handler does not perform enrollment, purchase, and private-course capability checks when using Droip/Kirki integrations, permitting authenticated users...

7.1CVSS6.2AI score0.00171EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago10 views

Malicious code in babel-preset-lib-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4 index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP via...

6.1AI score
Exploits0References5
NVD
NVD
added 6 days ago7 views

CVE-2026-56281

Capgo before 12.128.2 contains a sql injection vulnerability in the POST /private/adminstats endpoint where the limit parameter is destructured from unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform adm...

5.1CVSS0.00197EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago10 views

Malicious code in jupiter-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f8e0901ca45da110106c60f288b0166fc51c348a44569d7e7ff22af3d19deafe On import jupitersdk, the package's top-level init.py fetches a payload over HTTPS from a public IPFS gateway...

6.6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago9 views

Malicious code in metemask-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a99855c93b46f7b996a005065c319bbb24c9d1f497d05dfd38fc83d1b21facdd metemask-sdk is a typosquat of the legitimate metamask-sdk package. On import, the top-level init.py performs an outbound HTTP fetch to...

6.3AI score
Exploits0References3
Snyk
Snyk
added last week7 views

Directory Traversal

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.9CVSS6.6AI score0.00538EPSS
Exploits0References2
NVD
NVD
added 2026/07/10 9:16 p.m.5 views

CVE-2026-55880

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.updatewidget an...

7.1CVSS0.00195EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/10 8:54 p.m.32 views

CVE-2026-57575 Misskey: SSRF bypass in URL Preview

Misskey is an open source, federated social media platform. Prior to 2026.6.0, Misskey contains a Server-Side Request Forgery SSRF vulnerability in URL preview functionality in UrlPreviewService. Due to missing network restrictions before establishing outbound connections, a remote attacker can...

6.9CVSS0.00347EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 8:54 p.m.13 views

CVE-2026-57575

Misskey (open source federated social platform) contains a Server-Side Request Forgery (SSRF) vulnerability in the UrlPreviewService prior to version 2026.6.0. The issue arises from insufficient network restrictions before outbound requests, allowing an attacker to trigger the Misskey server to i...

6.9CVSS6.1AI score0.00347EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/10 8:42 p.m.2 views

CVE-2026-55880

OpenReplay is a self-hosted session replay suite. In 1.27.0 and earlier, three dashboard and note mutation functions ran their SQL without the ownership predicate that their sibling read and edit functions use: notes.delete filtered only on note id and project id, while dashboards.updatewidget an...

7.1CVSS6.1AI score0.00195EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/07/10 5:17 p.m.7 views

CVE-2026-59154

Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination...

4.3CVSS0.00208EPSS
Exploits0References3
The Hacker News
The Hacker News
added 2026/07/10 4:29 p.m.11 views

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/[email protected] , came embedded wi...

6.1AI score
Exploits0
NVD
NVD
added 2026/07/10 4:16 p.m.7 views

CVE-2026-46388

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not...

4.4CVSS0.00094EPSS
Exploits0References4
Rows per page
Query Builder