Lucene search
+L

1483 matches found

Cvelist
Cvelist
added 2026/05/12 8:43 p.m.39 views

CVE-2026-44403 Wing FTP Server < 8.1.3 Authenticated Remote Code Execution via Session Serialization

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session...

8.6CVSS0.02643EPSS
Exploits5References2
ATTACKERKB
ATTACKERKB
added 2026/05/12 7:6 p.m.12 views

CVE-2026-44861

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into...

7.2CVSS6.2AI score0.00315EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 7:6 p.m.7 views

CVE-2026-44861 Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into...

7.2CVSS6.2AI score0.00315EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 2:21 a.m.6 views

CVE-2026-40135

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of...

6.5CVSS6AI score0.01398EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.10 views

Fortinet FortiDeceptor 参数注入漏洞

Fortinet FortiDeceptor is a network threat detection platform developed by the American company Fortinet. This platform primarily exploits deceptive techniques to uncover network threats. Versions of Fortinet FortiDeceptor, ranging from 6.0.0 to 6.0.2, 5.3.0 to 5.3.3, 5.2.0 to 5.2.1, all versions...

6.5CVSS5.8AI score0.00241EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.17 views

Wing FTP Server 代码注入漏洞

Wing FTP Server is an open-source, cross-platform FTP server software developed by Wing FTP Server. Version 8.1.2 of Wing FTP Server has a code injection vulnerability. This vulnerability stems from the session serialization mechanism, where the mydirectory field for domain administrators allows...

8.6CVSS6.1AI score0.02643EPSS
Exploits5References2
EUVD
EUVD
added 2026/05/11 5:30 p.m.11 views

EUVD-2026-29166

Open edX Platform enables the authoring and delivery of online learning at any scale. The syncproviderdata endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadataurl POST parameter. This URL is passed directly to requests.get in...

8.5CVSS6AI score0.00374EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.14 views

Grav 代码注入漏洞

Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Versions of Grav prior to 2.0.0-beta.2 contained a code injection vulnerability. This vulnerabili...

9.1CVSS6AI score0.03934EPSS
Exploits4References2
ATTACKERKB
ATTACKERKB
added 2026/05/08 9:59 p.m.8 views

CVE-2026-44987

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled non-default, they can res...

3.8CVSS5.7AI score0.00162EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/08 8:21 p.m.10 views

CVE-2026-41936

Vvveb before version 1.0.8.2 contains an XML external entity XXE injection vulnerability in the admin Tools/Import feature that allows authenticated siteadmin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to...

8.6CVSS5.9AI score0.00271EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/08 7:16 p.m.12 views

EUVD-2026-28818

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address...

6.7CVSS5.7AI score0.00247EPSS
Exploits0References2
CVE
CVE
added 2026/05/08 7:16 p.m.21 views

CVE-2026-42176

CVE-2026-42176 affects Scoold prior to version 1.67.0. A forged Bearer token can modify the admins setting via /api/config/set/admins, allowing an attacker to persist admin access after a restart by writing their email to scoold.admins. The change is loaded at startup, enabling administrator priv...

6.7CVSS5.7AI score0.00247EPSS
Exploits0References2
OSV
OSV
added 2026/05/08 7:16 p.m.3 views

CVE-2026-42176 Scoold: Persistent Admin Takeover by Overwriting the admins Configuration Setting via Forged JWT (missing `jti` validation)

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address...

6.7CVSS5.9AI score0.00247EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.15 views

PT-2026-39187

Name of the Vulnerable Software and Affected Versions Scoold versions prior to 1.67.0 Description Scoold allows the modification of the admins configuration value via the "/api/config/set/admins" endpoint using a forged Bearer token that is accepted as an admin API token. This action writes a...

6.7CVSS5.8AI score0.00247EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 6:50 p.m.48 views

CVE-2026-43510 CISA manage.get.gov insecure portfolio administrative privileges

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30...

5.9CVSS0.00398EPSS
Exploits0References7
EUVD
EUVD
added 2026/05/07 6:30 p.m.15 views

EUVD-2026-28396

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution...

7.2CVSS6.2AI score0.34454EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/06 6:27 p.m.9 views

CVE-2026-41936 Vvveb < 1.0.8.2 XML External Entity Injection via Import

Vvveb before version 1.0.8.2 contains an XML external entity XXE injection vulnerability in the admin Tools/Import feature that allows authenticated siteadmin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to...

8.6CVSS5.9AI score0.00271EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/06 4:15 p.m.7 views

CVE-2026-20193 Cisco Identity Services Engine Authentication Bypass Vulnerability

A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control RBAC...

4.3CVSS5.8AI score0.00221EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/06 12:0 a.m.11 views

Zabbix 跨站脚本漏洞

Zabbix is a set of open-source monitoring systems developed by Zabbix Inc. This system supports network monitoring, server monitoring, cloud monitoring, and application monitoring. Zabbix has a cross-site scripting vulnerability. This vulnerability arises because non-super administrators who have...

7.3CVSS5.8AI score0.00285EPSS
Exploits0References1
OSV
OSV
added 2026/05/05 2:26 a.m.4 views

CVE-2026-5247 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the futureaction shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The...

5.5CVSS6.1AI score0.00274EPSS
Exploits0References6
Rows per page
Query Builder