Lucene search
K

7083 matches found

Nuclei
Nuclei
added 10 hours ago73 views

ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. id:...

8.1CVSS7.1AI score0.0852EPSS
Exploits1References5
Nuclei
Nuclei
added 10 hours ago79 views

WWBN AVideo 11.6 - Cross-Site Scripting

A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution. id: CVE-2023-48728 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: ritikchaddha severity: medium...

9.6CVSS6.8AI score0.02268EPSS
Exploits1References2
Nuclei
Nuclei
added 10 hours ago71 views

Flowise <= 3.0.5 - Account Takeover

Flowise versions 3.0.5 and earlier had a vulnerability in the forgot-password endpoint, which returned valid reset tokens without authentication—allowing attackers to reset passwords and take over accounts. id: CVE-2025-58434 info: name: Flowise = 3.0.5 - Account Takeover author:...

9.8CVSS6.7AI score0.50118EPSS
Exploits14References2
Nuclei
Nuclei
added 10 hours ago36 views

WordPress Stacks Mobile App Builder <=5.2.3 - Authentication Bypass

Stacks Mobile App Builder WordPress plugin ≤ 5.2.3 suffers from an authentication bypass vulnerability via improper handling of query parameters, allowing attackers to impersonate arbitrary users. id: CVE-2024-50477 info: name: WordPress Stacks Mobile App Builder =5.2.3 - Authentication Bypass...

9.8CVSS6.2AI score0.07959EPSS
Exploits3References4
Nuclei
Nuclei
added 10 hours ago66 views

Cisco SSM On-Prem <= 8-202206 - Password Reset Account Takeover

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem SSM On-Prem could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process...

10CVSS7.1AI score0.80635EPSS
Exploits3References5
Nuclei
Nuclei
added 10 hours ago67 views

Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation

Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator PRNG in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens. id: CVE-2024-29868 info: name: Apache StreamPipes ...

9.1CVSS6.1AI score0.05995EPSS
Exploits1References4
Nuclei
Nuclei
added 10 hours ago55 views

SysAid On-Prem <= 23.3.40 - XML External Entity

SysAid On-Prem versions = 23.3.40 are vulnerable to an unauthenticated XML External Entity XXE vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. id: CVE-2025-2776 info: name: SysAid On-Prem = 23.3.40 - XML External Enti...

9.8CVSS7.1AI score0.72971EPSS
Exploits2References2
Nuclei
Nuclei
added 10 hours ago90 views

Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to chan...

9.8CVSS7.2AI score0.18241EPSS
Exploits3References4
Nuclei
Nuclei
added 10 hours ago66 views

ClinicCases 7.3.3 Cross-Site Scripting

ClinicCases 7.3.3 is susceptible to multiple reflected cross-site scripting vulnerabilities that could allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft. id: CVE-2021-38704 info: name:...

6.1CVSS6.5AI score0.03521EPSS
Exploits1References5
CVE
CVE
added yesterday13 views

CVE-2026-56308

Capgo before 12.128.2 contains an insufficient authentication flaw in the email-change endpoint: an attacker with a valid session cookie or authenticated browser can change the account email without re-authenticating the current password or verifying the existing mailbox. This can enable control ...

8.4CVSS6.1AI score
Exploits0References2
CVE
CVE
added 2 days ago7 views

CVE-2026-7655

The CVE identifies a vulnerability in the SureCart WordPress plugin up to version 4.2.3. It allows privilege escalation via account takeover by forged customer.updated webhook events because the plugin does not properly validate a user’s identity before updating details (e.g., email) during custo...

8.1CVSS6.1AI score0.00302EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2 days ago24 views

Malicious code in jscrambler (npm)

Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account jscrambler / [email protected], which points to an account or CI compromise rather tha...

6.1AI score
Exploits0References8
Positive Technologies
Positive Technologies
added 2 days ago10 views

PT-2026-57416

Name of the Vulnerable Software and Affected Versions The Essential Addons for Elementor versions prior to 6.6.11 Description Insufficient server-side validation of a Login/Register widget setting allows authenticated attackers with Contributor-level access or higher to perform Email Header...

8.8CVSS6.1AI score0.00367EPSS
Exploits0References12
CVE
CVE
added 3 days ago7 views

CVE-2026-57574

This CVE affects Misskey, an open-source federated social platform, where the vulnerability resides in the Time-based One-Time Password (TOTP) authentication in UserAuthService. The issue results from insufficient validation of used TOTP tokens, allowing a single-use code to be reused within its ...

7.4CVSS6.1AI score0.0034EPSS
Exploits0References4
CVE
CVE
added 3 days ago4 views

CVE-2026-55879

OpenReplay (self-hosted) versions 1.24.0–1.24.x are affected by an unauthenticated stored XSS in the tracking SDK. The SDK accepts custom event names and captured page URLs from any visitor using a public project key and stores data in ClickHouse without output encoding. When rendered in the auth...

9.3CVSS6.1AI score0.00274EPSS
Exploits0References3
CVE
CVE
added 3 days ago6 views

CVE-2026-12761

Summary (CVE-2026-12761) The miniOrange Social Login and Register plugin for WordPress is vulnerable through the Profile Completion OTP flow in versions up to and including 7.7.0. The flow accepts an arbitrary email via the email_field POST parameter and does not verify that the email belongs to ...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References6
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-42882

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS6.1AI score0.00357EPSS
Exploits0References2
CVE
CVE
added 3 days ago5 views

CVE-2026-56305

Capgo before 12.128.2 exposes an authentication bypass in the password-change endpoint due to missing current-password validation. Attackers with temporary session access can change user passwords, potentially causing permanent user lockout and full account takeover. No official remediation detai...

8.7CVSS6.1AI score0.00357EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57277

Name of the Vulnerable Software and Affected Versions miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn versions prior to 7.7.1 Description An authentication bypass exists in the Profile Completion flow that allows for account takeover. The issue occurs because the plugin...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References12
CVE
CVE
added 4 days ago7 views

CVE-2026-55207

CVE-2026-55207 affects Pimcore: an unauthenticated attacker who knows a valid admin username can hijack an admin account by abusing a malicious resetPasswordUrl in a password reset request. The server generates a real cryptographic recovery token, appends it to the attacker-controlled URL, emails...

8.8CVSS6AI score0.0035EPSS
Exploits0References5
Rows per page
Query Builder