Lucene search
K

1192 matches found

NVD
NVD
added 2026/05/06 5:16 p.m.11 views

CVE-2026-20219

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed...

5.4CVSS0.00168EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/05 12:31 p.m.7 views

EUVD-2023-60572

ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exporte...

8.8CVSS6.2AI score0.00352EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/30 12:0 a.m.30 views

CVE-2026-36765

An XML external entity XXE vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload...

0.00334EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/28 1:11 p.m.3 views

CVE-2026-6706

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0...

5.2AI score0.00201EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:32 p.m.10 views

CVE-2026-3673

An authenticated attacker can store a crafted tag value in usertags and trigger JavaScript execution when a victim opens the list/report view where tags are rendered. The vulnerable renderer interpolates tag content into HTML attributes and element content without escaping. This issue affects...

4.6CVSS5.9AI score0.00201EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/04/22 3:32 a.m.33 views

CVE-2026-6833

CVE-2026-6833 concerns the a+HRD product developed by aEnrich, described across multiple sources as a SQL Injection vulnerability. The issue affects the application’s ability to read database contents via arbitrary SQL commands when authenticated remotely. Official metrics indicate CVSS v3.1 base...

7.1CVSS6AI score0.00278EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/21 9:0 p.m.5 views

CVE-2026-40933 Flowise: Authenticated RCE Via MCP Adapters

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerabilit...

9.9CVSS6.6AI score0.01987EPSS
Exploits1References3
CVE
CVE
added 2026/04/21 5:0 p.m.15 views

CVE-2026-21571

Bamboo Data Center is affected by CVE-2026-21571, a critical OS Command Injection that allows an authenticated attacker to execute remote commands. The vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0 and 12.1.0. It has a CVSS v4 base score of 9.4, wi...

9.4CVSS6AI score0.0127EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 5:0 p.m.31 views

CVE-2026-21571

This Critical severity OS Command Injection vulnerability was introduced in versions 9.6.0, 10.0.0, 10.1.0, 10.2.0, 11.0.0, 11.1.0, 12.0.0, and 12.1.0 of Bamboo Data Center. This RCE Remote Code Execution vulnerability, with a CVSS Score of 9.4 and a CVSS Vector of...

9.4CVSS0.0127EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.14 views

PT-2026-34015

Name of the Vulnerable Software and Affected Versions Bamboo Data Center versions 9.6.0 through 9.6.24 Bamboo Data Center versions 10.0.0 through 10.2.17 Bamboo Data Center versions 11.0.0 through 12.1.5 Description An OS Command Injection issue allows an authenticated attacker to achieve Remote...

9.4CVSS6.2AI score0.0127EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/04/20 7:57 p.m.5 views

CVE-2026-6249

Vvveb CMS 1.0.8.2 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious...

8.8CVSS6.7AI score0.00624EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/04/20 7:9 p.m.31 views

CVE-2026-6257 Vvveb CMS < v1.0.8.2 Remote Code Execution via Media Management

Vvveb CMS v1.0.8.2 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by firs...

9.2CVSS0.00633EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/19 12:0 a.m.10 views

WordPress plugin EMC – Easily Embed Calendarly Scheduling Features 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is a...

6.4CVSS5.9AI score0.00194EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/04/18 9:5 a.m.112 views

Exploit for CVE-2026-4484

CVE-2026-4484 Masteriyo LMS = 2.1.6 - Missing Authorizatio...

9.8CVSS5.9AI score0.00353EPSS
Exploits1
Cvelist
Cvelist
added 2026/04/17 9:9 p.m.26 views

CVE-2026-40352 FastGPT: NoSQL Injection in updatePasswordByOld Leads to Account Takeover

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verification by injecting MongoDB query operators. This allows an attacker who has gained a low-privilege...

8.8CVSS0.0038EPSS
Exploits1References3
CVE
CVE
added 2026/04/16 7:48 p.m.19 views

CVE-2026-40899

DataEase

8.3CVSS5.9AI score0.00388EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/16 7:48 p.m.4 views

CVE-2026-40899 DataEase has an Arbitrary File Read Vulnerability

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a JDBC parameter blocklist bypass vulnerability in the MySQL datasource configuration. The Mysql class uses Lombok's @Data annotation, which auto-generates a public setter for the...

8.3CVSS5.8AI score0.00388EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/16 3:36 a.m.37 views

CVE-2026-3878 WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]'

The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocsoptionsiconsize' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level...

6.4CVSS0.00209EPSS
Exploits0References2
CVE
CVE
added 2026/04/14 9:0 p.m.16 views

CVE-2026-33714

Chamilo LMS versions 2.0.0-RC.2 are affected by a SQL injection in the statistics AJAX endpoint (public/main/inc/ajax/statistics.ajax.php) where unsanitized parameters date_start and date_end in the users_active action interpolate into SQL. This follows an incomplete fix for CVE-2026-30881, which...

7.2CVSS6AI score0.00258EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/14 2:10 p.m.24 views

CVE-2026-4913

Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled...

5.7CVSS0.00586EPSS
Exploits0References1
Rows per page
Query Builder