2426 matches found

CVE
added yesterday, 7 views

CVE-2026-12471

The CVE concerns the Spexo WordPress theme. A missing capability check in the activate_plugin function affects all versions up to and including 2.0.11, allowing authenticated attackers with Subscriber-level access and above to activate a limited set of plugins. The information from connected docu...

CVSS 4.3 | AI score 5.8 | EPSS 0.00196
Exploits: 0 | References: 4
EUVD
added yesterday, 7 views

EUVD-2026-39954

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set o...

CVSS 4.3 | AI score 5.8 | EPSS 0.00196
Exploits: 0 | References: 4
Nuclei
added yesterday, 9 views

ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...

CVSS 9.8 | AI score 7.3 | EPSS 0.04304
Exploits: 1 | References: 2
RedhatCVE
added 2 days ago, 8 views

CVE-2026-41523

A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). An unauthenticated attacker can exploit an assert-based security check during activation function loading. By publishing a malicious HuggingFace model, an attacker can achieve arbitrary code execution on the...

CVSS 7.5 | AI score 6.4 | EPSS 0.00428
Exploits: 1 | References: 6
ATTACKERKB
added 2 days ago, 4 views

CVE-2026-1869

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing validation checks in the confirmpayment function in all...

CVSS 6.5 | AI score 5.8 | EPSS 0.0018
Exploits: 0 | References: 3
Cvelist
added 2 days ago, 34 views

CVE-2026-1869 User Registration & Membership <= 5.2.0 - Missing Authorization to Unauthenticated Payment Bypass

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing validation checks in the confirmpayment function in all...

CVSS 6.5 | EPSS 0.0018
Exploits: 0 | References: 2
EUVD
added 2 days ago, 7 views

EUVD-2026-39639

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing validation checks in the confirmpayment function in all...

CVSS 6.5 | AI score 5.8 | EPSS 0.0018
Exploits: 0 | References: 2
OSV
added 3 days ago, 4 views

MAL-2026-6445 Malicious code in base58-core (npm)

Source: amazon-inspector (c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3). The package presents itself as a Base58 encoder/decoder but on require arms a malicious payload that is time-gated to activate 72 hours after first...

AI score 5.9
Exploits: 0 | References: 4
NVD
added 4 days ago, 5 views

CVE-2026-52809

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...

CVSS 6.8 | EPSS 0.00202
Exploits: 0 | References: 2
CVE
added 4 days ago, 9 views

CVE-2026-52809

Gogs (CVE-2026-52809) generates password-reset tokens using the ActivateCodeLives lifetime, not the configured ResetPasswordCodeLives. As a result, even if an admin sets a short RESET_PASSWORD_CODE_LIVES (e.g., 10 minutes), reset tokens remain valid for the full activation lifetime (e.g., 180 min...

CVSS 6.8 | AI score 5.9 | EPSS 0.00202
Exploits: 0 | References: 2
Cvelist
added 4 days ago, 19 views

CVE-2026-52809 Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Gogs is an open source self-hosted Git service. Prior to 0.14.3, password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted fr...

CVSS 6.8 | EPSS 0.00202
Exploits: 0 | References: 2
NVD
added 4 days ago, 16 views

CVE-2026-12416

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravelinvoicechangepassword function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and...

CVSS 9.8 | EPSS 0.00364
Exploits: 1 | References: 4
Positive Technologies
added 4 days ago, 7 views

PT-2026-51674

Name of the Vulnerable Software and Affected Versions: Invoice Generator plugin for WordPress, versions prior to 1.0.1. Description: The Invoice Generator plugin for WordPress allows unauthenticated account takeover through a flaw in the password reset process. The pravel invoice change password...

CVSS 9.8 | AI score 5.9 | EPSS 0.00364
Exploits: 1 | References: 10
Tenable Nessus
added 4 days ago, 3 views

RHEL 9 : Red Hat Ansible Automation Platform 2.6 Product Security Update (Critical) (RHSA-2026:28377)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:28377 advisory. Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can...

CVSS 9.6 | AI score 6 | EPSS 0.0037
Exploits: 0 | References: 5
NVD
added 5 days ago, 4 views

CVE-2026-11807

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...

CVSS 9.6 | EPSS 0.0037
Exploits: 0 | References: 7
Vulnrichment
added 5 days ago, 5 views

CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...

CVSS 9.6 | AI score 5.9 | EPSS 0.0037
Exploits: 0 | References: 6
ATTACKERKB
added 5 days ago, 4 views

CVE-2026-11807

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...

CVSS 9.6 | AI score 5.9 | EPSS 0.0037
Exploits: 0 | References: 7
CVE
added 5 days ago, 22 views

CVE-2026-11807

CVE-2026-11807 affects Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint fails to verify permissions when processing Worker messages, permitting any authenticated user to forge a message with an arbitrary activation_id and access plaintext credentials tied to tha...

CVSS 9.6 | AI score 5.9 | EPSS 0.0037
Exploits: 0 | References: 7
Cvelist
added 5 days ago, 28 views

CVE-2026-11807 Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...

CVSS 9.6 | EPSS 0.0037
Exploits: 0 | References: 6
EUVD
added 5 days ago, 6 views

EUVD-2026-38598

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive...

CVSS 9.6 | AI score 5.9 | EPSS 0.0037
Exploits: 0 | References: 4