Lucene search
+L

206 matches found

Nuclei
Nuclei
added 18 hours ago69 views

Mongoose - NoSQL Injection

NoSQL injection vulnerability in Mongoose 8.9.5 affecting the populate function's match option. This vulnerability exists due to an incomplete fix for CVE-2024-53900. While direct $where injection is blocked, attackers can bypass this protection by nesting $where operators within logical operator...

9.8CVSS8.9AI score0.07144EPSS
Exploits3References4
CVE
CVE
added 3 days ago12 views

CVE-2026-46515

CVE-2026-46515 (Frogman) affects Frogman’s headless PBX control via MCP and HTTP API. Before version 1.6.3, a PERM_READ privilege was sufficient to call multiple endpoints (fm_list_managers, fm_list_pinsets, fm_show_context, fm_get_mcp_config, fm_backup_status, fm_whos_calling, fm_run_saved_query...

9.3CVSS6.2AI score0.00323EPSS
Exploits0References6
CVE
CVE
added 3 days ago11 views

CVE-2026-12409

Technical details about CVE-2026-12409 are not publicly available in the provided documents. No connected sources with affected products, versions, impact, or fixes are present. Monitor for updates from official feeds.

4.3CVSS6.1AI score0.00129EPSS
Exploits0References6
Cvelist
Cvelist
added 3 days ago39 views

CVE-2026-12409 Landing Page Builder <= 1.5.3.6 - Cross-Site Request Forgery to ulpb_admin_data AJAX Action

The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpbadminajax function. Thi...

4.3CVSS0.00129EPSS
Exploits0References6
NVD
NVD
added 4 days ago11 views

CVE-2026-54458

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page th...

9.6CVSS0.00303EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 2:16 p.m.21 views

CVE-2018-25437

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

8.7CVSS0.00287EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/15 12:0 p.m.10 views

CVE-2018-25437 WordPress CherryFramework Themes 3.1.4 Backup File Download

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

8.7CVSS5.2AI score0.00287EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/15 12:0 p.m.38 views

CVE-2018-25437 WordPress CherryFramework Themes 3.1.4 Backup File Download

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

8.7CVSS0.00287EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/09 11:48 a.m.13 views

EUVD-2016-10876

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to...

7.1CVSS6AI score0.00221EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.12 views

PT-2026-47763

Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to...

7.1CVSS5.9AI score0.00221EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.22 views

CVE-2026-6072

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS5.4AI score0.00475EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.12 views

CVE-2026-42610

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user EX: Content Editor with only pages.update permissions can bypass the existing Twig sandbox restrictions by utilizing the grav'accounts' service. Attacker can programmatically load administrative user objects and extra...

6.5CVSS5.4AI score0.0029EPSS
Exploits1References1
NVD
NVD
added 2026/05/29 5:16 a.m.19 views

CVE-2026-2128

The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the wordpressloggedin cookie in the inc/cache/execute-cache.php file when the "Cache Logged-in Users"...

5.3CVSS0.00273EPSS
Exploits0References7
NVD
NVD
added 2026/05/28 9:16 a.m.18 views

CVE-2026-8689

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages and uploadData functions, where the wpajaxvisualizer-create-chart an...

4.3CVSS0.00242EPSS
Exploits0References8
NVD
NVD
added 2026/05/26 4:16 p.m.27 views

CVE-2026-38587

An Insecure Direct Object Reference IDOR vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions User or Guest to retrieve sensitive information, such as the Owner's unique...

4.3CVSS0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.14 views

DocSpace 安全漏洞

DocSpace is an open-source document collaboration and sharing platform developed by ONLYOFFICE. Versions of DocSpace prior to 3.2.1 contained security vulnerabilities. These vulnerabilities were caused by insecure direct object references, which could allow users with low privileges to access...

4.3CVSS5.8AI score0.00221EPSS
Exploits0References2
NVD
NVD
added 2026/05/20 2:16 a.m.19 views

CVE-2026-6072

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS0.00475EPSS
Exploits0References11
EUVD
EUVD
added 2026/05/20 1:25 a.m.11 views

EUVD-2026-31036

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS5.7AI score0.00475EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.8 views

CVE-2026-6072

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS5.7AI score0.00475EPSS
Exploits0References12
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.11 views

CVE-2026-6072 Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS5.7AI score0.00475EPSS
Exploits0References11
Rows per page
Query Builder