Lucene search
K

539 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.9 views

CVE-2026-2512

The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function seccheckpostfields only running on the savepost hook, while WordPress allows custom fields t...

6.4CVSS6AI score0.00198EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.11 views

CVE-2026-32698

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS6.2AI score0.00269EPSS
Exploits0References1
NVD
NVD
added 2026/03/18 10:16 p.m.5 views

CVE-2026-32698

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS0.00269EPSS
Exploits0References1
OSV
OSV
added 2026/03/18 9:1 p.m.5 views

CVE-2026-32698 OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS6.2AI score0.00269EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/18 9:1 p.m.22 views

CVE-2026-32698 OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS0.00269EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/18 9:1 p.m.3 views

EUVD-2026-12966

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS6.1AI score0.00269EPSS
Exploits0References1
CVE
CVE
added 2026/03/18 9:1 p.m.21 views

CVE-2026-32698

OpenProject contains a SQL injection via a custom field name in Cost Reports in versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1. The injected field name can be processed by the SQL query, enabling arbitrary SQL execution. The issue is compounded by another bug in the Repositories_module that...

9.1CVSS6.1AI score0.00269EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/18 9:1 p.m.6 views

CVE-2026-32698 OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS6.1AI score0.00269EPSS
Exploits0References1
NVD
NVD
added 2026/03/18 4:16 p.m.3 views

CVE-2026-2512

The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function seccheckpostfields only running on the savepost hook, while WordPress allows custom fields t...

6.4CVSS0.00198EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/18 3:28 p.m.4 views

CVE-2026-2512

The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field meta values in all versions up to, and including, 2.5.1. This is due to the plugin's sanitization function seccheckpostfields only running on the savepost hook, while WordPress allows custom fields t...

6.4CVSS6AI score0.00198EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.4 views

PT-2026-26156

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 are vulnerable to an SQL injection attack via a custom field's name. When that custom field was used in a Cost Report, the custom field's name was injected into the SQL query...

9.1CVSS6.2AI score0.00269EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/03/07 12:0 a.m.7 views

PT-2026-23811

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom fields controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custo...

5.3CVSS5.9AI score0.00262EPSS
Exploits0References5
OSV
OSV
added 2026/03/03 8:38 p.m.8 views

GHSA-7X43-MPFG-R9WJ Craft CMS has IDOR via GraphQL @parseRefs

The GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs...

8.7CVSS6AI score0.00447EPSS
Exploits1References4
EUVD
EUVD
added 2026/02/27 9:30 a.m.5 views

EUVD-2026-9017

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

6.4CVSS6AI score0.00197EPSS
Exploits0References5
NVD
NVD
added 2026/02/27 9:16 a.m.6 views

CVE-2026-2383

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

6.4CVSS0.00197EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/02/27 8:24 a.m.3 views

CVE-2026-2383 Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

6.4CVSS5.9AI score0.00197EPSS
Exploits0References4
CVE
CVE
added 2026/02/27 8:24 a.m.17 views

CVE-2026-2383

CVE-2026-2383 describes a Stored Cross-Site Scripting vulnerability in the WordPress plugin Simple Download Monitor (versions up to and including 4.0.5). The issue arises from insufficient input sanitization and output escaping in a custom field, allowing authenticated attackers with at least Con...

6.4CVSS6AI score0.00197EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/02/27 8:24 a.m.22 views

CVE-2026-2383 Simple Download Monitor <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

6.4CVSS0.00197EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/02/19 12:8 a.m.9 views

WordPress Image Hotspot by DevVN plugin <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Custom Field Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Image Hotspot by DevVN versions = 1.2.9...

6.4CVSS5.5AI score0.00181EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/01/26 7:9 a.m.7 views

WordPress User Submitted Posts - Enable Users to Submit Posts from the Front End plugin <= 20251210 - Unauthenticated Stored Cross-Site Scripting via Custom Field vulnerability

WordPress User Submitted Posts - Enable Users to Submit Posts from the Front End plugin = 20251210 - Unauthenticated Stored Cross-Site Scripting via Custom Field vulnerability discovered by Balamurugan R in WordPress Plugin User Submitted Posts versions = 20251210...

7.2CVSS5.9AI score0.00213EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder