Lucene search
K

3989 matches found

EUVD
EUVD
added 4 hours ago2 views

EUVD-2026-42283

A flaw was found in the TrustyAI Service Operator. When deploying services like gorch or NemoGuardrails, if a specific security setting is not enabled, these services can expose their communication channels without requiring users to prove their identity. This allows any other program within the...

6.3CVSS5.9AI score
Exploits0References2
Cvelist
Cvelist
added 13 hours ago9 views

CVE-2026-12041 Chatra Live Chat + ChatBot + Cart Saver <= 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'chatra-code' Setting

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS
Exploits0References3
CVE
CVE
added 13 hours ago8 views

CVE-2026-12041

Chatra Live Chat + ChatBot + Cart Saver (WordPress) is affected up to version 1.0.12. It is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator+ privileges can inject scripts executed o...

4.4CVSS6AI score
Exploits0References3
Nuclei
Nuclei
added 13 hours ago58 views

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The Plus Addons for Elementor plugin before version 4.1.7 allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive. id: CVE-2021-24175 info: name: The Plus Addons for Elementor Pag...

9.8CVSS7.2AI score0.14462EPSS
Exploits3References2
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-49229

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row...

8.3CVSS6AI score0.00038EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added yesterday18 views

CVE-2026-49229 Actual: Disabled OpenID users keep access through existing session tokens

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row...

8.3CVSS0.00038EPSS
Exploits0References3
OSV
OSV
added 2 days ago3 views

OESA-2026-2799 nginx security update

NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Security Fixes: NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpproxyv2module and ngxhttpgrpcmodule modules. This vulnerability exists when the proxyhttpversion ...

9.2CVSS6.3AI score0.02838EPSS
Exploits1References3
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-41659

PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations...

2.3CVSS6.1AI score0.00378EPSS
Exploits0References2
Snyk
Snyk
added 5 days ago4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the OAuth sign-in callback process. An attacker can regain access to accounts that have been disabled by an administrator by initiating an OAuth sign-in, resulting in unauthorized re-enablement of those account...

9.8CVSS6AI score0.00343EPSS
Exploits0References2
Snyk
Snyk
added 5 days ago6 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the OAuth sign-in callback process. An attacker can regain access to accounts that have been disabled by an administrator by initiating an OAuth sign-in, resulting in unauthorized re-enablement of those account...

9.8CVSS6AI score0.00343EPSS
Exploits0References2
NVD
NVD
added 5 days ago6 views

CVE-2026-58422

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...

9.8CVSS0.00343EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-58422 Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...

0.00343EPSS
Exploits0References4
CVE
CVE
added 5 days ago16 views

CVE-2026-58422

CVE-2026-58422 describes an access control bypass in the OAuth sign-in callback that can silently re-enable administrator-disabled accounts in affected Go-Gitea installations. Concrete technical details from connected sources identify vulnerable components as the Gitea web router package paths: r...

9.8CVSS5.9AI score0.00343EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 5 days ago8 views

CVE-2026-58422

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...

5.9AI score0.00343EPSS
Exploits0References5
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-41439

An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemblev2incomingfragments would ignore unknown outer payloads but still store these in a fixed size array msgdigest.digestPAYLIMIT...

7.5CVSS6.4AI score0.00597EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago10 views

PT-2026-55655

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Improper authorization occurs during the OAuth sign-in callback process, which allows accounts that were previously disabled by an administrator to be silently...

5.9AI score0.00343EPSS
Exploits0References7
OSV
OSV
added 6 days ago5 views

GHSA-GF9R-M956-97QX zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser

Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate. All default configurations are affected. No feature flags, non-default settings, or...

9.3CVSS6AI score
Exploits0References5
Cvelist
Cvelist
added 2026/07/01 2:48 p.m.31 views

CVE-2026-58036 Users API leaks whether privileged users have their user groups disabled for lack of 2FA

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryAllUsers.Php, includes/Api/ApiQueryUsers.Php, includes/Permissions/PermissionManager.Php,...

2.1CVSS0.00239EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 1:32 p.m.19 views

CVE-2026-53347

CVE-2026-53347 affects the Linux kernel’s drm/virtio component (virtio-gpu) when built with KMS disabled. The issue: DRM atomic and modesetting aren’t initialized during driver removal/unbinding, leading to access of uninitialized data and possible kernel crash. The fix: skip shutting down the at...

5.8AI score0.00156EPSS
Exploits0References5
Debian CVE
Debian CVE
added 2026/07/01 1:32 p.m.4 views

CVE-2026-53347

In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Fix driver removal with disabled KMS DRM atomic and modesetting aren't initialized if virtio-gpu driver built with disabled KMS, leading to access of uninitialized data on driver removal/unbinding and crashing kernel...

5.7AI score0.00156EPSS
Exploits0
Rows per page
Query Builder