Lucene search
K

821 matches found

Nuclei
Nuclei
added yesterday25 views

WordPress AI Engine Plugin - Token Exposure

Unauthenticated sensitive information exposure in AI Engine WordPress plugin = 3.1.3 exposes bearer tokens via REST API endpoints when No-Auth URL is enabled. id: CVE-2025-11749 info: name: WordPress AI Engine Plugin - Token Exposure author: 4m3rr0r severity: critical description: | Unauthenticat...

9.8CVSS7AI score0.75063EPSS
Exploits5References2
Nuclei
Nuclei
added yesterday17 views

CodeChecker <= 6.24.1 - Authentication Bypass

Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. id: CVE-2024-10081 info:...

10CVSS6.1AI score0.38961EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday157 views

NestJS DevTools Integration - Remote Code Execution

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...

9.4CVSS7.5AI score0.43921EPSS
Exploits4References3
Nuclei
Nuclei
added yesterday141 views

Frigate < 0.13.0 Beta 3 - Cross-Site Scripting

Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the / base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both kn...

4.7CVSS6.2AI score0.01425EPSS
Exploits1References3
NVD
NVD
added 4 days ago7 views

CVE-2026-57475

Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access an...

6.9CVSS0.0034EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago30 views

CVE-2026-57994 phpMyFAQ - Information Disclosure of Inactive FAQ Content via Public API Endpoints

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive draft or review-only FAQ content. Specifically, GET /api/v3.1/faq/categoryId/faqId returns the inactive FAQ title and...

6.9CVSS0.00214EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-42722

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitra...

9.8CVSS6.8AI score0.00928EPSS
Exploits0References5
Nuclei
Nuclei
added 6 days ago77 views

Atlassian Bitbucket - Remote Command Injection

Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain...

8.8CVSS7.7AI score0.99077EPSS
Exploits24References5
Cvelist
Cvelist
added 2026/07/06 10:30 p.m.34 views

CVE-2026-53640 FOSSBilling missing authorization checks on read-only admin API endpoints expose sensitive staff, client, and redirect data

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding...

2.3CVSS0.00226EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 10:16 p.m.9 views

CVE-2026-32718

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and...

6.5CVSS0.00213EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.5 views

PT-2026-56037

Name of the Vulnerable Software and Affected Versions FOSSBilling versions 0.5.3 through 0.7.2 Description Authenticated clients can read and reset API key service secrets for orders that are not in an active state, such as suspended or canceled. This occurs due to missing order-state validation ...

8.6CVSS6AI score0.00251EPSS
Exploits0References5
NVD
NVD
added 2026/07/02 8:17 p.m.10 views

CVE-2026-58466

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via adddefaultuser in the database user module when the users table is empt...

9.8CVSS0.00505EPSS
Exploits0References4
NVD
NVD
added 2026/07/02 3:17 p.m.8 views

CVE-2026-55113

A malicious actor with access to the network could exploit a Server-Side Request Forgery SSRF vulnerability found in UniFi Talk Application to execute a Denial of Service DoS attack and bypass authentication in certain UniFi Talk API endpoints...

7.5CVSS0.00223EPSS
Exploits0References1
NVD
NVD
added 2026/07/02 3:17 p.m.7 views

CVE-2026-54407

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication in certain UniFi Protect Application API endpoints...

8.6CVSS0.00291EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/02 2:50 p.m.6 views

EUVD-2026-41394

A malicious actor with access to the network could exploit a Server-Side Request Forgery SSRF vulnerability found in UniFi Talk Application to execute a Denial of Service DoS attack and bypass authentication in certain UniFi Talk API endpoints...

7.5CVSS5.8AI score0.00223EPSS
Exploits0References1
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-418 MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

9.6CVSS7.7AI score0.00371EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.11 views

PT-2026-53659

Name of the Vulnerable Software and Affected Versions Gorse versions prior to 0.5.10 Description An authentication bypass exists in the HTTP API when the admin api key is left empty, which is the default configuration. This occurs because improper input validation treats an empty key as a disabli...

9.8CVSS5.8AI score0.03016EPSS
Exploits2References9
NVD
NVD
added 2026/06/26 10:16 p.m.11 views

CVE-2026-45807

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard onl...

7.7CVSS0.00386EPSS
Exploits1References1
OSV
OSV
added 2026/06/25 8:40 p.m.10 views

MAL-2026-6474 Malicious code in ref-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e1ef3e785cf6cb007c0b33be2ed43ebe49d64f476bb4fb3a66b914b06def5e1 On npm install, the package's postinstall hook runs node test.js which invokes index.js to perform multi-stage installer compromise. 1 Credential...

5.8AI score
Exploits0References2
NVD
NVD
added 2026/06/24 9:16 p.m.9 views

CVE-2026-52808

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent...

7.1CVSS0.00478EPSS
Exploits0References4
Rows per page
Query Builder