Lucene search
+L

2550 matches found

nuclei
nuclei
added 7 hours ago21 views

Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure

The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frmformspreview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form. id: CVE-2017-20194 info...

5.3CVSS6.1AI score0.01098EPSS
Exploits1References3
cvelist
cvelist
added yesterday27 views

CVE-2026-45313 Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUIWNDHOOKREGISTER request without validating that the thread belongs to the...

7.7CVSS0.00014EPSS
Exploits0References2
cve
cve
added 2 days ago27 views

CVE-2026-49853

Tornado before 6.5.6 exposed an Authorization header across cross-origin redirects in SimpleAsyncHTTPClient: when following 3xx redirects, the client shallow-copies the request and rewrites the URL without clearing Authorization (and related) headers if the origin changes. The issue is fixed in T...

7.7CVSS6.1AI score0.00486EPSS
Exploits0References4
cve
cve
added 2 days ago11 views

CVE-2026-62392

CVE-2026-62392 is an OS Command Injection vulnerability in Apache Kylin, affecting versions 4 through 5.0.3. The issue arises when the backend API may pass job configuration parameters to the OS command line, allowing potentially unauthorized command execution. The vulnerability is rated with hig...

9.8CVSS6.1AI score0.01828EPSS
Exploits0References2Affected Software1
redhat
redhat
added 2 days ago6 views

kernel: net: atm: fix crash due to unvalidated vcc pointer in sigd_send()

A flaw was found in the Linux kernel's Asynchronous Transfer Mode ATM networking component. A local attacker, by acting as a malicious signaling daemon, could send a specially crafted message containing an unvalidated pointer. This unvalidated pointer would be directly used by the kernel, leading...

5.5CVSS6.1AI score0.00131EPSS
Exploits0References5
redhat
redhat
added 2 days ago10 views

kernel: net: atm: fix crash due to unvalidated vcc pointer in sigd_send()

A flaw was found in the Linux kernel's Asynchronous Transfer Mode ATM networking component. A local attacker, by acting as a malicious signaling daemon, could send a specially crafted message containing an unvalidated pointer. This unvalidated pointer would be directly used by the kernel, leading...

5.5CVSS6.1AI score0.00131EPSS
Exploits0References5
nvd
nvd
added 5 days ago7 views

CVE-2026-12103

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS0.00286EPSS
Exploits0References10
cve
cve
added 5 days ago12 views

CVE-2026-12103

CVE-2026-12103 affects the Wallet for WooCommerce WordPress plugin (

4.3CVSS6.2AI score0.00286EPSS
Exploits0References10
nvd
nvd
added 5 days ago7 views

CVE-2026-3552

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajaximport410 function in all versions up to 2.6.0. This is due to a missing capability check currentusercan and missing nonce verification...

4.3CVSS0.00213EPSS
Exploits0References8
euvd
euvd
added 5 days ago6 views

EUVD-2026-43134

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...

5.3CVSS6.1AI score0.00297EPSS
Exploits0References12
ptsecurity
ptsecurity
added 5 days ago11 views

PT-2026-57398

Name of the Vulnerable Software and Affected Versions AI Chatbot & Workflow Automation by AIWU versions prior to 1.4.13 Description The plugin contains a missing authorization flaw resulting from the absence of capability checks and nonce verification on AJAX actions registered under wp ajax and ...

5.3CVSS6.1AI score0.00297EPSS
Exploits0References15
vulnrichment
vulnrichment
added 6 days ago6 views

CVE-2026-22660 FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...

8.6CVSS6AI score0.00328EPSS
Exploits0References3
cvelist
cvelist
added 6 days ago36 views

CVE-2026-9857 Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

4.3CVSS0.00288EPSS
Exploits0References12
nvd
nvd
added 6 days ago7 views

CVE-2026-1946

The GW AI Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gwaiwebugravitywritedisconnecthandler function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with...

4.3CVSS0.00222EPSS
Exploits0References6
cvelist
cvelist
added 6 days ago33 views

CVE-2026-9838 ICS Calendar <= 12.0.9 - Reflected Cross-Site Scripting via 'htmltagtitle' Parameter

The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

6.1CVSS0.00296EPSS
Exploits0References10
cvelist
cvelist
added 6 days ago30 views

CVE-2026-12276 LA-Studio Element Kit for Elementor < 1.6.1 - Unauthenticated Open Registration

The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has...

0.00182EPSS
Exploits0References1
fedora
fedora
added 6 days ago7 views

[SECURITY] Fedora 44 Update: c-ares-1.34.7-1.fc44

c-ares is a C library that performs DNS requests and name resolves asynchronously. c-ares is a fork of the library named 'ares', written by Greg Hudson at MIT...

5.9AI score
Exploits0
euvd
euvd
added 2026/07/08 4:30 a.m.10 views

EUVD-2026-42161

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widgetlogicvisualcheckvisibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...

8.8CVSS6.3AI score0.00516EPSS
Exploits0References4
nvd
nvd
added 2026/07/06 9:16 p.m.7 views

CVE-2026-25271

Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use...

7.8CVSS0.00052EPSS
Exploits0References1
euvd
euvd
added 2026/07/06 8:9 p.m.4 views

EUVD-2026-41933

Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use...

7.8CVSS6AI score0.00052EPSS
Exploits0References1
Rows per page
Query Builder