Lucene search
+L

265 matches found

Vulnrichment
Vulnrichment
added 2026/04/02 5:31 p.m.3 views

CVE-2026-34584 listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)

listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists which they don't have access to under different scenarios. This only affects multi-use...

5.4CVSS5.8AI score0.00171EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/22 12:30 a.m.8 views

EUVD-2026-14256

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'saveextrauserprofilefields' function not properly restricting which user meta keys can be updated via profile fields. The...

8.1CVSS5.7AI score0.00418EPSS
Exploits1References6
NVD
NVD
added 2026/03/21 11:16 p.m.7 views

CVE-2026-3629

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'saveextrauserprofilefields' function not properly restricting which user meta keys can be updated via profile fields. The...

8.1CVSS0.00418EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/03/21 10:24 p.m.3 views

CVE-2026-3629

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'saveextrauserprofilefields' function not properly restricting which user meta keys can be updated via profile fields. The...

8.1CVSS5.7AI score0.00418EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/03/21 10:24 p.m.24 views

CVE-2026-3629 Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'saveextrauserprofilefields' function not properly restricting which user meta keys can be updated via profile fields. The...

8.1CVSS0.00418EPSS
Exploits1References5
CVE
CVE
added 2026/03/21 10:24 p.m.25 views

CVE-2026-3629

CVE-2026-3629 describes a privilege-escalation flaw in the WordPress plugin “Import and export users and customers” up to version 1.29.7. The root cause is that the function save_extra_user_profile_fields does not properly restrict which user meta keys can be updated via profile fields; specifica...

8.1CVSS5.7AI score0.00418EPSS
Exploits1References5
NVD
NVD
added 2026/03/02 4:16 p.m.6 views

CVE-2025-52468

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...

8.8CVSS0.00351EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/02 3:47 p.m.25 views

CVE-2025-52468 Chamilo: Stored XSS Vulnerability via CSV User Import

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...

8.8CVSS0.00351EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/02 3:47 p.m.3 views

CVE-2025-52468 Chamilo: Stored XSS Vulnerability via CSV User Import

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...

8.8CVSS5.9AI score0.00351EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/02 3:47 p.m.5 views

CVE-2025-52468

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...

8.8CVSS5.9AI score0.00351EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/02 3:47 p.m.6 views

CVE-2025-52468 Chamilo: Stored XSS Vulnerability via CSV User Import

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...

8.8CVSS5.9AI score0.00351EPSS
Exploits1References5
Patchstack
Patchstack
added 2026/02/10 11:37 a.m.7 views

WordPress Tune Library plugin <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import vulnerability

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting via CSV Import vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Tune Library versions = 1.6.3...

6.4CVSS5.5AI score0.00235EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/02/06 7:16 a.m.12 views

CVE-2026-1401

The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.4CVSS0.00235EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/06 6:46 a.m.30 views

CVE-2026-1401 Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import

The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.4CVSS0.00235EPSS
Exploits0References5
CVE
CVE
added 2026/02/06 6:46 a.m.18 views

CVE-2026-1401

The CVE-2026-1401 issue affects the Tune Library WordPress plugin (versions up to and including 1.6.3). It is a Stored Cross-Site Scripting flaw caused by insufficient input sanitization and output escaping on user-supplied attributes during CSV import, compounded by missing authorization checks....

6.4CVSS5.6AI score0.00235EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/02/06 12:0 a.m.8 views

WordPress plugin Tune Library 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

6.4CVSS5.8AI score0.00235EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/02/04 3:15 a.m.8 views

CVE-2025-65923

A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...

5.4CVSS5.6AI score0.00162EPSS
Exploits0References1
NVD
NVD
added 2026/02/03 6:16 p.m.6 views

CVE-2025-65923

A Stored Cross-Site Scripting XSS vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the...

5.4CVSS0.00162EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/03 12:0 a.m.6 views

PT-2026-5951

Name of the Vulnerable Software and Affected Versions ERPNext versions through 15.88.1 Description A Stored Cross-Site Scripting XSS issue exists in the CSV import mechanism when the Update Existing Records option is used. An attacker can inject malicious JavaScript code into a CSV field. This co...

5.4CVSS5.6AI score0.00162EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/02/03 12:0 a.m.11 views

ERPNext 安全漏洞

ERPNext is a set of open-source enterprise resource planning solutions developed by the Indian company ERPNext. Versions of ERPNext 15.88.1 and earlier contain security vulnerabilities. These vulnerabilities stem from the CSV import mechanism’s improper handling of inputs, which may lead to...

5.4CVSS5.7AI score0.00162EPSS
Exploits0References1
Rows per page
Query Builder