Lucene search
K

8756 matches found

EUVD
EUVD
added 2026/07/01 2:21 p.m.7 views

EUVD-2026-41011

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue. This issue affects...

5.8AI score0.00142EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 2:21 p.m.20 views

CVE-2026-58034

The CVE describes a stored XSS in Wikimedia Foundation CheckUser, specifically in the file modules/ext.CheckUser.TempAccounts/components/blockConnectedTempAccountsField.Vue. Affected product: CheckUser; versions from 1.46.0-rc.0 before 1.46.0 are vulnerable. Root cause: improper neutralization of...

4.8CVSS5.8AI score0.00142EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/07/01 8:16 a.m.8 views

CVE-2026-11387

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

9.8CVSS0.0038EPSS
Exploits1References8
Cvelist
Cvelist
added 2026/07/01 6:0 a.m.42 views

CVE-2026-11794 Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the use...

0.00236EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/07/01 5:46 a.m.16 views

Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface CLI, compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range 2a0a:d683::/32 controlled by...

5.8AI score
Exploits0
OSV
OSV
added 2026/06/30 11:39 p.m.4 views

BIT-GHOST-2026-53943 Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header

Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affecte...

9.6CVSS5.8AI score0.00244EPSS
Exploits0References2
NVD
NVD
added 2026/06/30 11:17 p.m.5 views

CVE-2026-50110

Storage Concentrator SC & SCVM contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services,...

9.3CVSS0.00128EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/29 7:29 p.m.6 views

Authorization Bypass Through User-Controlled Key

Overview modoboa is a Mail hosting made simple Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the PUT /api/v1/accounts/pk/password/ endpoint. An attacker can gain unauthorized access to privileged accounts by bypassing object-level access...

7.7CVSS5.8AI score0.00265EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 5:14 p.m.7 views

EUVD-2026-40155

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/pk/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

7.7CVSS5.8AI score0.00265EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.8 views

PYSEC-2026-528 Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API

Summary A SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...

9.9CVSS6.3AI score0.00281EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-290 BackendAI Missing Authentication for Critical Function

Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private data even when registration is disabled...

9.8CVSS5.9AI score0.00375EPSS
Exploits0References9
BDU FSTEC
BDU FSTEC
added 2026/06/29 12:0 a.m.4 views

The vulnerability of the command-line utility bin/solr auth for the Apache Solr search server allows a perpetrator to escalate their privileges and gain unauthorized access to protected information.

The vulnerability of the command-line utility bin/solr auth for the Apache Solr search server relates to the use of pre-installed user accounts. Exploiting this vulnerability allows an attacker to enhance their privileges and gain unauthorized access to protected information...

8.1CVSS7.2AI score0.00529EPSS
Exploits2References4Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/29 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-56115

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low- privileged users to perform administrative actions by...

8.8CVSS6AI score0.00307EPSS
Exploits1References3
Circl
Circl
added 2026/06/26 10:7 p.m.9 views

CVE-2026-32833

creationtimestamp| type| source ---|---|--- 2026-06-26 22:07:02+00:00| seen| https://bsky.app/profile/postac001.bsky.social/post/3mp7xdzwprt2l 2026-06-27 00:00:26+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mpa5osysli2x...

8.8CVSS5.8AI score0.0134EPSS
Exploits0References2
NVD
NVD
added 2026/06/25 10:16 p.m.8 views

CVE-2025-71327

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS0.0046EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/25 9:41 p.m.22 views

CVE-2025-71327 Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS0.0046EPSS
Exploits1References2
CVE
CVE
added 2026/06/25 9:41 p.m.28 views

CVE-2025-71327

Flowise has an authentication bypass in the unprotected /api/v1/account/register endpoint. Unauthenticated attackers can register arbitrary accounts and gain full API access without credentials. CVSS metrics are provided (v3.1: 9.1; v4.0: 9.3), indicating a critical impact on confidentiality and ...

9.3CVSS6AI score0.0046EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/06/25 8:17 p.m.15 views

CVE-2026-57520

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS0.00354EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/06/25 7:8 p.m.20 views

CVE-2026-57520 Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS0.00354EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/25 7:8 p.m.5 views

EUVD-2026-39541

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS5.9AI score0.00354EPSS
Exploits1References5
Rows per page
Query Builder