Lucene search
K

27 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/26 8:58 p.m.9 views

CVE-2026-49869

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath.endsWith"/configs" to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...

10CVSS6.4AI score0.00684EPSS
Exploits2References2Affected Software1
OSV
OSV
added 2026/06/26 8:58 p.m.3 views

CVE-2026-49869 Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath.endsWith"/configs" to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...

10CVSS6.5AI score0.00684EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:54 p.m.7 views

CVE-2026-53576

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API @Filter"/api/v1/" treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresse...

10CVSS5.8AI score0.00472EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 2026/06/26 8:52 p.m.39 views

CVE-2026-53577 Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...

6.5CVSS0.00263EPSS
Exploits1References1
OSV
OSV
added 2026/06/26 8:52 p.m.4 views

CVE-2026-53577 Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...

6.5CVSS6.1AI score0.00263EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.15 views

PT-2026-52984

Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.0.45 Kestra versions prior to 1.3.21 Description The authentication filter for the REST API endpoint /api/v1/ incorrectly treats any request path ending in /configs as a public instance-config endpoint, allowing it t...

10CVSS5.8AI score0.00472EPSS
Exploits2References12
NVD
NVD
added 2026/04/08 9:16 a.m.9 views

CVE-2026-39679

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through = 1.3.21...

7.5CVSS0.00381EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/08 8:30 a.m.2 views

CVE-2026-39679 WordPress Freeio theme <= 1.3.21 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through = 1.3.21...

5.8AI score0.00381EPSS
Exploits0References1
CVE
CVE
added 2026/04/08 8:30 a.m.11 views

CVE-2026-39679

CVE-2026-39679 is a local file inclusion (LFI) in the WordPress Freeio/ApusTheme Freeio plugin/theme. Affected: Freeio versions up to and including 1.3.21 (and related Freeio/Freeio themes referenced in Red Hat/EUVD records and CVE listings). Root cause: improper control of filenames for include/...

7.5CVSS5.9AI score0.00381EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/08 8:30 a.m.27 views

CVE-2026-39679 WordPress Freeio theme <= 1.3.21 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through = 1.3.21...

7.5CVSS0.00381EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.7 views

PT-2026-31241

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through = 1.3.21...

5.9AI score0.00381EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2022-0927

Malicious code in bioql PyPI...

9.8CVSS9.1AI score0.01359EPSS
Exploits0References3
OSV
OSV
added 2025/05/31 12:15 p.m.3 views

CVE-2025-4691

The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'viewrequestdetails' due to missing validation on a user controlled key. This makes it...

5.3CVSS5.8AI score0.00279EPSS
Exploits0References5
CNNVD
CNNVD
added 2025/05/31 12:0 a.m.11 views

WordPress plugin eaSYNC Booking 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

5.3CVSS5.4AI score0.00279EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2025/05/22 7:10 p.m.7 views

CVE-2021-21403

In github.com/kongchuanhujiao/server before version 1.3.21 there is an authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21...

9.8CVSS7AI score0.01359EPSS
Exploits0References1
Patchstack
Patchstack
added 2024/11/15 9:35 p.m.7 views

WordPress Bounce Handler MailPoet 3 plugin <= 1.3.21 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Colin Xu in WordPress Plugin Bounce Handler MailPoet 3 versions = 1.3.21...

6.1CVSS6.3AI score0.0038EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2024/11/15 12:0 a.m.18 views

WordPress Bounce Handler MailPoet 3 Plugin <= 1.3.21 is vulnerable to Cross Site Scripting (XSS)

Software Bounce Handler MailPoet 3 Type Plugin Vulnerable versions = 1.3.21 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-9938 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID ab6f81da0c5a Credits Colin Xu...

6.1CVSS5.9AI score0.0038EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2023/03/28 12:0 a.m.5 views

Cmder 安全漏洞

Cmder is a package created by Cmder Open Source purely out of frustration with the lack of available console emulators on Windows. A security vulnerability exists in versions of Cmder prior to 1.3.21, which stems from a report that the title of the terminal includes control characters, and can be...

9.8CVSS8.3AI score0.00866EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2023/02/13 12:0 a.m.8 views

PT-2023-15978 · WordPress · Judge.Me Product Reviews

Name of the Vulnerable Software and Affected Versions: Judge.me Product Reviews for WooCommerce WordPress plugin versions prior to 1.3.21 Description: The issue concerns the lack of validation and escaping of certain shortcode attributes, which could allow users with the contributor role and abov...

6.8CVSS5.3AI score0.00635EPSS
Exploits2References4
CNNVD
CNNVD
added 2023/02/13 12:0 a.m.7 views

WordPress plugin Judge.me Product Reviews for WooCommerce 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

6.8CVSS5.4AI score0.00635EPSS
Exploits2References2
Rows per page
Query Builder