CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 2026/04/09 12:0 a.m.•18 views

CVE-2025-70365

0.00034EPSS

Vulnrichment•added 2026/04/09 12:0 a.m.•1 views

CVE-2025-70365

5.8AI score0.00034EPSS

OSV•added 2026/04/01 10:8 p.m.•2 views

GHSA-4VXV-4XQ4-P84H CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary Vulnerability: Improper Session Invalidation on Account Deletion Broken Access Control / Logic Flaw - This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly...

8.8CVSS5.8AI score0.00035EPSS

Exploits1References4

OSV•added 2026/04/01 12:9 a.m.•2 views

GHSA-V77R-XG3P-75G7 CI4MS: Methods Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Methods Management Fields Global Persistent Payload Execution - Stored Cross-Site Scripting via Unsanitized Method Creation and Management Inputs - Automatic Execution Across All Pages Where Method Is Rendered in Navigation Description The application fai...

9.1CVSS6.3AI score0.00021EPSS

Exploits1References3

AlpineLinux•added 2026/03/26 5:38 p.m.•0 views

CVE-2026-33504

Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens ar...

7.2CVSS6.6AI score0.00015EPSS

Snyk•added 2026/03/20 8:55 p.m.•4 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection in admin APIs. An attacker can execute arbitrary SQL queries by submitting crafted pagination tokens if the secret used for token encryption is known. This is only exploitable if the attacker has access to the affected adm...

7.2CVSS6.2AI score0.00015EPSS

OSV•added 2026/03/20 8:55 p.m.•1 views

GHSA-R9W3-57W2-GCH2 Ory Hydra has a SQL injection via forged pagination tokens

Description Following Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation: - listOAuth2Clients - listOAuth2ConsentSessions - listTrustedOAuth2JwtGrantIssuers Pagination tokens are encrypted using the secret configured in secrets.pagination. If thi...

7.2CVSS6.2AI score0.00015EPSS

CVE•added 2026/02/11 2:56 p.m.•10 views

CVE-2019-25314

The CVE describes a persistent cross-site scripting (XSS) flaw in the Duplicate-Post WordPress Plugin version 3.2.3, affecting plugin settings parameters. An attacker can inject JavaScript into fields such as title prefix, suffix, menu order, and blacklist, causing code execution in admin interfa...

5.5CVSS5.5AI score0.00042EPSS

Exploits0References5

Cvelist•added 2026/01/14 2:38 p.m.•17 views

CVE-2026-22238 Administrator Account Creation Vulnerability in BLUVOYIX

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

10CVSS0.00228EPSS

Snyk•added 2025/12/16 4:57 a.m.•1 views

Authentication Bypass by Alternate Name

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to...

7CVSS5.8AI score0.00015EPSS

Vulnrichment•added 2025/12/15 8:28 p.m.•1 views

CVE-2023-53880 Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces

Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScri...

4.8CVSS6AI score0.00051EPSS

CVE•added 2025/12/15 8:28 p.m.•3 views

CVE-2023-53880

CVE-2023-53880 affects Lucee 5.4.2.17, with an authenticated reflected cross-site scripting vulnerability in administrative interface parameters. The vulnerability allows an attacker to craft payloads targeting admin pages such as server.cfm and web.cfm to inject and execute arbitrary JavaScript ...

4.8CVSS6AI score0.00051EPSS

Cvelist•added 2025/12/15 8:28 p.m.•19 views

CVE-2023-53880 Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces

4.8CVSS0.00051EPSS

CVE•added 2025/11/27 11:46 a.m.•16 views

CVE-2025-59302

CVE-2025-59302 concerns Apache CloudStack where code injection is possible via admin-only APIs: quotaTariffCreate, quotaTariffUpdate, createSecondaryStorageSelector, updateSecondaryStorageSelector, updateHost, and updateStorage. The issue arises from improper control of code generation. A fix fla...

4.7CVSS7AI score0.00078EPSS

Exploits0References2Affected Software1

EUVD•added 2025/10/16 3:30 p.m.•3 views

EUVD-2025-34754

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level...

9.6CVSS6.3AI score0.00032EPSS

OSV•added 2025/10/16 1:15 p.m.•3 views

CVE-2025-9804

6.5CVSS6.5AI score

Vulnrichment•added 2025/10/16 12:33 p.m.•2 views

CVE-2025-9804 Improper Access Control in Multiple WSO2 Products via Internal SOAP Admin Services and System REST APIs

9.6CVSS6.5AI score0.00032EPSS