Lucene search
K

14275 matches found

Cvelist
Cvelist
added 2026/07/01 7:56 a.m.36 views

CVE-2026-10538 Improper deserialization handling in Control-M Components

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker ...

8.9CVSS0.00246EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 7:56 a.m.13 views

CVE-2026-10538

This CVE affects Control-M components (Control-M/Server and Control-M/Enterprise Manager) with a deserialization vulnerability in the messaging consumer. The issue arises from deserializing user-controlled data without strict control of allowed object types in versions 9.0.20.x and potentially ea...

8.9CVSS5.8AI score0.00246EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/01 3:43 a.m.35 views

CVE-2026-12902 Kadence Blocks <= 3.7.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Attachment Creation via kadence_import_process_pattern/kadence_import_process_data AJAX Actions

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00272EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/01 3:43 a.m.8 views

EUVD-2026-40887

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsportseasongroupdel AJAX handler, which only...

4.3CVSS5.9AI score0.0025EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.5 views

PT-2026-54736

Name of the Vulnerable Software and Affected Versions Guardian language-system affected versions not specified Description An authenticated attacker can perform error-based SQL injection to extract database contents. The issue occurs because the application passes the id GET parameter directly in...

9.8CVSS5.8AI score0.00373EPSS
Exploits0References5
NVD
NVD
added 2026/06/30 10:16 p.m.8 views

CVE-2026-58447

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...

7.1CVSS0.00225EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/30 9:39 p.m.7 views

CVE-2026-10585 Stored cross-site scripting vulnerability in GitHub Enterprise Server allowed arbitrary JavaScript execution via crafted Discussion titles in the Q&A category

A stored cross-site scripting vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to execute arbitrary JavaScript in another user's browser by injecting a crafted payload into the title of a Discussion in the Q&A category. The...

6.3CVSS6.1AI score0.00184EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/30 7:51 p.m.6 views

EUVD-2026-40400

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery SSRF. The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker c...

8.2CVSS5.8AI score0.00199EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/30 7:21 p.m.34 views

CVE-2026-13772 IBM WebSphere eXtreme Scale's OQL is affected by remote code execution

IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName and invokes their constructors with no allow-list at three distinct sinks SELECT NEW, enum literals, and reflection-based comparators; an authenticated remo...

7.5CVSS0.00283EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/30 11:19 a.m.3 views

CVE-2026-53691 Remote Code Execution in Redeight CMS

An Unrestricted File Upload vulnerability in Redeight CMS version 1.0 allows authenticated attackers to achieve Remote Code Execution via the POST "/admin/index.php?module=pages&mode=FileAdd" endpoint. The application fails to validate file extensions and MIME types, permitting the upload of...

8.6CVSS6.1AI score0.00488EPSS
Exploits0References1
NVD
NVD
added 2026/06/30 10:16 a.m.8 views

CVE-2025-24815

Nokia MantaRay NM is subject to an unrestricted file upload vulnerability due to insufficient file type validation. Successful exploitation could allow an authenticated attacker to upload malicious files onto the system...

7.8CVSS0.00151EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/30 9:46 a.m.6 views

redis: Remote code execution via use-after-free in Lua scripting

A flaw was found in Redis, an in-memory data structure store. An authenticated attacker can exploit a use-after-free vulnerability in redis-server with Lua scripting. This occurs through the master-replica synchronization mechanism on replicas where replica-read-only is disabled or can be disable...

8.8CVSS5.7AI score0.01782EPSS
Exploits0References6
CVE
CVE
added 2026/06/30 8:58 a.m.11 views

CVE-2025-24816

Technical details about CVE-2025-24816 are not publicly available in the provided documents; monitor for updates from Nokia and vulnerability databases.

6.5CVSS5.8AI score0.00276EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.8 views

PT-2026-53268

Name of the Vulnerable Software and Affected Versions FrontAccounting versions prior to 2.4.20 Description A path traversal issue exists in the attachment upload handler. Authenticated attackers can execute arbitrary code by uploading files using traversal sequences in the unique name parameter. ...

8.8CVSS6.8AI score0.00627EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/27 1:27 a.m.12 views

EUVD-2026-39931

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menutitle' and 'menumagnifiercolor' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for...

4.4CVSS5.9AI score0.00251EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/06/27 1:27 a.m.8 views

CVE-2026-13331

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS5.8AI score0.0028EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/26 6:22 p.m.35 views

CVE-2026-13372

Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name...

0.00278EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 3:16 p.m.7 views

CVE-2026-3472

Mattermost versions 10.11.x = 10.11.18, 11.6.x = 11.6.3, 11.5.x = 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled server via injecting markdown image syntax into to...

3.5CVSS0.00194EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 12:0 a.m.5 views

CVE-2026-50766

A stored cross-site scripting XSS vulnerability in the OPAC item detail page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with edititems permission to inject arbitrary web scripts via the item public notes field items.itemnotes...

5.4CVSS5.8AI score0.00196EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/06/26 12:0 a.m.5 views

CVE-2026-50765

A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

5.8AI score0.0022EPSS
Exploits1References2
Rows per page
Query Builder