
106 matches found

NVD
added 3 days ago, 9 views

CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

CVSS 9.8 | EPSS 0.00119
Exploits: 3 | References: 8
Vulnrichment
added 3 days ago, 8 views

CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

CVSS 9.8 | AI score 5.9 | EPSS 0.00119
Exploits: 3 | References: 8
NVD
added 2026/05/20 11:16 a.m., 7 views

CVE-2026-25602

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:...

CVSS 4.4 | EPSS 0.00007
Exploits: 0 | References: 1
Cvelist
added 2026/05/11 8:37 p.m., 26 views

CVE-2026-43880 WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated...

CVSS 5.3 | EPSS 0.00071
Exploits: 0 | References: 2
Positive Technologies
added 2026/05/05 12:0 a.m., 3 views

PT-2026-37296

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.0 Description An issue exists in the 'objects/sendEmail.json.php' endpoint where the absence of the contactForm parameter allows unauthenticated users to send emails to arbitrary recipients. When this parameter is...

CVSS 5.3 | AI score 5.9 | EPSS 0.00071
Exploits: 0 | References: 6
CNNVD
added 2026/04/06 12:0 a.m., 3 views

Plunk injection vulnerability

Plunk is an open-source email sending and management platform developed by Plunk. Versions of Plunk prior to 0.8.0 had a vulnerability related to injection attacks. This vulnerability stemmed from the CRLF header injection in the SESService.ts file, which could allow authenticated API users to...

CVSS 8.5 | AI score 5.9 | EPSS 0.00043
Exploits: 2 | References: 1
OSV
added 2026/03/30 7:29 p.m., 1 views

GHSA-4F9R-X588-PP2H Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

CVSS 7.1 | AI score 6 | EPSS 0.00042
Exploits: 0 | References: 3
EUVD
added 2026/03/30 7:29 p.m., 0 views

EUVD-2026-16797

Fleet's user account creation via invite does not enforce invited email address...

CVSS 7.1 | AI score 5.8 | EPSS 0.00042
Exploits: 0 | References: 2
GitHub Security Blog
added 2026/03/30 7:29 p.m., 5 views

Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

CVSS 7.1 | AI score 6 | EPSS 0.00042
Exploits: 0 | References: 3 | Affected Software: 1
NVD
added 2026/03/27 8:16 p.m., 0 views

CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVSS 7.1 | EPSS 0.00042
Exploits: 0 | References: 1
Cvelist
added 2026/03/27 7:18 p.m., 17 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVSS 7.1 | EPSS 0.00042
Exploits: 0 | References: 1
Vulnrichment
added 2026/03/27 7:18 p.m., 0 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVSS 7.1 | AI score 6 | EPSS 0.00042
Exploits: 0 | References: 1
NVD
added 2026/01/13 2:15 a.m., 5 views

CVE-2026-0495

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application...

CVSS 5.1 | EPSS 0.00056
Exploits: 0 | References: 2
Patchstack
added 2025/11/18 11:28 p.m., 4 views

WordPress Booking Plugin for WordPress Appointments – Time Slot plugin <= 1.4.7 - Unauthenticated Arbitrary Email Sending vulnerability

Unauthenticated Arbitrary Email Sending vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Time Slot versions = 1.4.7...

CVSS 5.3 | AI score 7 | EPSS 0.00106
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2025/11/05 9:27 a.m., 5 views

CVE-2025-12469

CVE-2025-12469 affects FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce. A Missing Authorization flaw in the bwfan_test_email AJAX handler, with the nonce exposed via frontend localization, allows authenticated attackers with Subscriber+ rights to send arbitr...

CVSS 4.3 | AI score 5.6 | EPSS 0.00155
Exploits: 0 | References: 5 | Affected Software: 1
EUVD
added 2025/10/16 9:30 a.m., 3 views

EUVD-2025-34742

Mattermost has a Missing Authorization vulnerability...

CVSS 5.4 | AI score 6.5 | EPSS 0.00013
Exploits: 0 | References: 5
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2021-11828

Malware in sbrugna...

CVSS 7.5 | AI score 7.5 | EPSS 0.43682
Exploits: 2 | References: 2
EUVD
added 2025/10/07 12:30 a.m., 1 views

EUVD-2021-18860

Malware in sbrugna...

CVSS 8.8 | AI score 8.4 | EPSS 0.00615
Exploits: 0 | References: 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2018-7539

Malware in sbrugna...

CVSS 5.3 | AI score 5.5 | EPSS 0.00295
Exploits: 0 | References: 2
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2018-7538

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00232
Exploits: 0 | References: 2