CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/14 6:44 a.m.•8 views

CVE-2026-5365

4.3CVSS5.8AI score0.00105EPSS

CVE•added 2026/05/14 6:44 a.m.•15 views

CVE-2026-5365

CVE-2026-5365 affects the WordPress LatePoint plugin up to version 5.3.2. The issue is a Cross-Site Request Forgery caused by missing nonce verification in request_cancellation(), allowing unauthenticated attackers to cancel a logged-in customer’s bookings via a forged request (requires user inte...

4.3CVSS5.8AI score0.00105EPSS

Vulnrichment•added 2026/05/14 6:44 a.m.•11 views

CVE-2026-6510 InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwarsaverecipe AJAX handler. This makes it possible for unauthenticated...

EUVD•added 2026/05/14 6:44 a.m.•10 views

EUVD-2026-30255

ATTACKERKB•added 2026/05/14 6:44 a.m.•4 views

CVE-2026-6510

CNNVD•added 2026/05/14 12:0 a.m.•10 views

WordPress plugin LatePoint 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.7AI score0.00105EPSS

Exploits0References1

Positive Technologies•added 2026/05/14 12:0 a.m.•13 views

PT-2026-40886

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request cancellation function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings...

4.3CVSS5.8AI score0.00105EPSS

Positive Technologies•added 2026/05/14 12:0 a.m.•12 views

PT-2026-40892

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar save recipe AJAX handler. This makes it possible for unauthenticated...

RedhatCVE•added 2026/05/13 8:23 p.m.•9 views

CVE-2026-42206

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate and includes it in the authorization request sent to the identity provider, but never...

7.1CVSS5.7AI score0.00152EPSS

Exploits0References1

NVD•added 2026/05/13 6:16 p.m.•13 views

CVE-2026-44581

Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derive...

4.7CVSS0.00222EPSS

Exploits1References1

RedhatCVE•added 2026/05/13 2:21 p.m.•11 views

CVE-2026-6710

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaAppsAdminAppPage function. This makes it possible for unauthenticated attackers to trick a site...

4.3CVSS5.7AI score0.00128EPSS

Exploits0References1

OSV•added 2026/05/13 8:53 a.m.•5 views

CLSA-2026-1778254557 httpd: Fix of 8 CVEs

CVE-2026-24072: modrewrite/modsetenvif: use APEXPRFLAGRESTRICTED in htaccess to prevent reading server-side files via apexpr from .htaccess - CVE-2026-29169: moddavlock: NULL pointer dereference in davgenericrefreshlocks use dpscan instead of dp - CVE-2026-33006: modauthdigest: timing attack —...

8.8CVSS5.8AI score0.00654EPSS

Exploits2References1

Snyk•added 2026/05/13 1:36 a.m.•9 views

Reusing a Nonce, Key Pair in Encryption

Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Reusing a Nonce, Key Pair in Encryption of server island parameters. An attacker can inject malicious HTML or script content into a...

6.3CVSS5.8AI score0.00144EPSS

CNNVD•added 2026/05/13 12:0 a.m.•10 views

Next.js 跨站脚本漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.4.0 to 15.5.16, as well as versions before 16.2.5, have a cross-site scripting vulnerability. This vulnerability arises when the App Router application relies on CSP nonce. A format- incorrect nonce value is derived...

4.7CVSS5.7AI score0.00222EPSS

Exploits1References1

RedhatCVE•added 2026/05/12 10:42 a.m.•9 views

CVE-2026-6665

A flaw was found in PgBouncer, a lightweight connection pooler for PostgreSQL. A malicious backend server can exploit a vulnerability in the Salted Challenge Response Authentication Mechanism SCRAM code. By sending a specially crafted server-final-message with an excessively long nonce, the flaw...

9.8CVSS5.7AI score0.00372EPSS