CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 2026/04/03 9:42 p.m.•5 views

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

Summary The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a...

5.9CVSS5.9AI score0.00329EPSS

Exploits0References4Affected Software1

OSV•added 2026/04/03 9:42 p.m.•3 views

GHSA-8MXQ-7XR7-2FXJ LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

5.9CVSS5.9AI score0.00329EPSS

NVD•added 2026/04/03 8:16 a.m.•5 views

CVE-2026-4350

The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 2.5.9.1. This is due to the PMCS::actionhandler method processing the $GET'delete' parameter without any sanitization, authorization check, or nonce verification...

8.1CVSS0.00658EPSS

Exploits1References2

Positive Technologies•added 2026/04/03 12:0 a.m.•2 views

PT-2026-30253

LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Prior to version 1.6.3, the LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send...

5.9CVSS5.8AI score0.00329EPSS

RedhatCVE•added 2026/04/02 5:4 a.m.•4 views

CVE-2026-4668

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the sort parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied sort parameter and lack of...

6.5CVSS6AI score0.0036EPSS

Exploits0References1

RedhatCVE•added 2026/04/01 5:3 p.m.•5 views

CVE-2026-3191

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...

EUVD•added 2026/04/01 12:31 a.m.•3 views

Exploits0References1

EUVD-2026-17727

6.5CVSS6AI score0.0036EPSS

Exploits0References6

ATTACKERKB•added 2026/03/31 11:25 p.m.•3 views

CVE-2026-4668

6.5CVSS6AI score0.0036EPSS

Exploits0References6

EUVD•added 2026/03/31 12:31 p.m.•3 views

EUVD-2026-17367

NVD•added 2026/03/31 12:16 p.m.•3 views

CVE-2026-3191

5.4CVSS0.00154EPSS

ATTACKERKB•added 2026/03/31 11:18 a.m.•1 views

CVE-2026-3191

Cvelist•added 2026/03/31 11:18 a.m.•25 views

CVE-2026-3191 Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update

5.4CVSS0.00154EPSS

Vulnrichment•added 2026/03/31 11:18 a.m.•1 views

CVE-2026-3191 Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update

CVE•added 2026/03/31 11:18 a.m.•10 views

CVE-2026-3191

The CVE-2026-3191 entry describes a CSRF vulnerability in the WordPress Minify HTML plugin up to version 2.1.12, caused by missing or incorrect nonce validation in minify_html_menu_options. This allows unauthenticated attackers to update plugin settings via forged requests if a site administrator...

NVD•added 2026/03/31 6:16 a.m.•5 views

CVE-2026-1877

The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'apsoptionspage' function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

6.1CVSS0.00198EPSS

Vulnrichment•added 2026/03/31 5:28 a.m.•2 views

CVE-2026-1877 Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page

6.1CVSS5.8AI score0.00198EPSS

Positive Technologies•added 2026/03/31 12:0 a.m.•11 views

PT-2026-29196

The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps options page' function. This makes it possible for unauthenticated attackers to update settings and inject...

6.1CVSS5.8AI score0.00198EPSS

Positive Technologies•added 2026/03/31 12:0 a.m.•9 views

PT-2026-29225

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify html menu options' function. This makes it possible for unauthenticated attackers to update plugin...