Lucene search
K

114 matches found

NVD
NVD
added 5 days ago5 views

CVE-2026-12761

The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...

9.8CVSS0.00463EPSS
Exploits0References6
CVE
CVE
added 5 days ago9 views

CVE-2026-12761

Summary (CVE-2026-12761) The miniOrange Social Login and Register plugin for WordPress is vulnerable through the Profile Completion OTP flow in versions up to and including 7.7.0. The flow accepts an arbitrary email via the email_field POST parameter and does not verify that the email belongs to ...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.5 views

PT-2026-56299

Name of the Vulnerable Software and Affected Versions Better Auth versions prior to 1.6.11 Better Auth versions 1.6.14 and later Description An issue exists in the organization plugin where the acceptInvitation, rejectInvitation, getInvitation, and listUserInvitations endpoints do not sufficientl...

7.7CVSS6.1AI score0.00016EPSS
Exploits0References7
CVE
CVE
added 2026/07/02 8:33 a.m.16 views

CVE-2026-12472

The CVE-2026-12472 entry concerns the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin. It states an authorization bypass in all versions up to 6.0.11, enabling unauthenticated attackers to send arbitrary HTML-injected emails via the site’s mail server, potentially phi...

5.3CVSS5.9AI score0.00283EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.39 views

CVE-2026-11387 SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

9.8CVSS0.0038EPSS
Exploits1References8
NVD
NVD
added 2026/06/12 10:16 p.m.14 views

CVE-2026-53868

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

8.7CVSS0.00258EPSS
Exploits0References2
NVD
NVD
added 2026/06/02 4:17 a.m.20 views

CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

9.8CVSS0.0126EPSS
Exploits5References8
Vulnrichment
Vulnrichment
added 2026/06/02 3:28 a.m.35 views

CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

9.8CVSS5.9AI score0.0126EPSS
Exploits5References8
NVD
NVD
added 2026/05/20 11:16 a.m.23 views

CVE-2026-25602

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:...

4.4CVSS0.00089EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/11 8:37 p.m.35 views

CVE-2026-43880 WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated...

5.3CVSS0.00229EPSS
Exploits0References2
OSV
OSV
added 2026/05/11 8:37 p.m.2 views

CVE-2026-43880 WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated...

5.3CVSS6AI score0.00229EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.13 views

PT-2026-37296

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.0 Description An issue exists in the 'objects/sendEmail.json.php' endpoint where the absence of the contactForm parameter allows unauthenticated users to send emails to arbitrary recipients. When this parameter is...

5.3CVSS5.9AI score0.00229EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.11 views

plunk 注入漏洞

Plunk is an open-source email sending and management platform developed by Plunk. Versions of Plunk prior to 0.8.0 had a vulnerability related to injection attacks. This vulnerability stemmed from the CRLF header injection in the SESService.ts file, which could allow authenticated API users to...

8.5CVSS5.9AI score0.00194EPSS
Exploits2References1
EUVD
EUVD
added 2026/03/30 7:29 p.m.4 views

EUVD-2026-16797

Fleet's user account creation via invite does not enforce invited email address...

7.1CVSS5.8AI score0.00184EPSS
Exploits0References2
OSV
OSV
added 2026/03/30 7:29 p.m.3 views

GHSA-4F9R-X588-PP2H Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

7.1CVSS6AI score0.00184EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/30 7:29 p.m.10 views

Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

7.1CVSS6AI score0.00184EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/03/27 8:16 p.m.9 views

CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS0.00184EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/27 7:18 p.m.21 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS0.00184EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/27 7:18 p.m.1 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS6AI score0.00184EPSS
Exploits0References1
NVD
NVD
added 2026/01/13 2:15 a.m.9 views

CVE-2026-0495

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application...

5.1CVSS0.0015EPSS
Exploits0References2
Rows per page
Query Builder