Lucene search
K

994 matches found

CVE
CVE
added yesterday5 views

CVE-2026-58411

ChurchCRM (open-source church management system) Vulnerability: Prior to version 7.4.0, a Reflected XSS was identified due to insufficient output encoding of user-controlled request parameter names and values. The application reflects attacker-controlled input into JavaScript string contexts and ...

7CVSS6.1AI score
Exploits0References1
NVD
NVD
added 4 days ago8 views

CVE-2026-1667

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...

7.2CVSS0.00186EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-12428 Blocks for ACF Fields <= 1.6.2 - Missing Authorization to Authenticated (Author+) Arbitrary ACF Field Value Disclosure via 'id' Parameter

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS0.00285EPSS
Exploits0References8
NVD
NVD
added 6 days ago10 views

CVE-2026-10570

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symparfereplacecontent function, which uses...

6.4CVSS0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-10570 Sympl Repeater for ACF and Elementor <= 2.3 - Authenticated (Author+) Stored Cross-Site Scripting via ACF Repeater Field Values

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symparfereplacecontent function, which uses...

6.4CVSS0.00187EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 7:16 p.m.11 views

CVE-2026-48958

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

8.8CVSS0.00262EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/07 5:32 p.m.7 views

CVE-2026-48958

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00262EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/07/07 5:32 p.m.7 views

CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/07 5:32 p.m.6 views

EUVD-2026-42068

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00262EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/07 5:32 p.m.35 views

CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS0.00262EPSS
Exploits0References1
CVE
CVE
added 2026/07/07 5:32 p.m.18 views

CVE-2026-48958

In Joomla! Core, the CVE-2026-48958 issue is due to improper access control in the com_fields webservice endpoints, enabling unauthorized users to create custom fields via web services. Affected versions include Joomla! 4.0.x (before 5.4.7) and 6.0.x (before 6.1.2). The underlying impact is eleva...

8.8CVSS6AI score0.00262EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/07/07 12:16 a.m.10 views

CVE-2026-53647

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/getinfo API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters custom fields stored in the...

6.9CVSS0.0042EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.11 views

PT-2026-56231

Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description An improper access check allows unauthorized users to create custom fields through webservices endpoints. This issue occurs within the com fields component. Recommendations At the moment...

8.8CVSS6.1AI score0.00262EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/07/07 12:0 a.m.6 views

Joomla 4.0.x < 5.4.7 / 6.0.x < 6.1.2 Joomla 6.1.2 & 5.4.7 Security & Bugfix Release (5955-joomla-6-1-2-5-4-7-security-bugfix-release)

According to its self-reported version, the instance of Joomla! running on the remote web server is 4.0.x prior to 5.4.7 or 6.0.x prior to 6.1.2. It is, therefore, affected by a vulnerability. - An improper access check allows unauthorized users to create custom fields via webservices endpoints...

8.8CVSS6.1AI score0.00262EPSS
Exploits0References14
Cvelist
Cvelist
added 2026/07/06 11:10 p.m.35 views

CVE-2026-53647 FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/getinfo API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters custom fields stored in the...

6.9CVSS0.0042EPSS
Exploits1References1
OSV
OSV
added 2026/07/06 11:10 p.m.3 views

CVE-2026-53647 FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/getinfo API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters custom fields stored in the...

6.9CVSS5.9AI score0.0042EPSS
Exploits1References3
CVE
CVE
added 2026/07/06 11:10 p.m.27 views

CVE-2026-53647

CVE-2026-53647 affects FOSSBilling 0.5.3–0.7.2 where the Guest serviceapikey/get_info endpoint is accessible without authentication. An unauthenticated caller with a valid API key can retrieve all custom_* fields stored in the key’s database record, potentially exposing pricing tiers, feature fla...

6.9CVSS5.9AI score0.0042EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/15 9:30 p.m.9 views

EUVD-2026-36933

Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...

6.8CVSS5.2AI score0.00355EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 9:16 p.m.9 views

CVE-2026-39468

Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...

6.8CVSS0.00355EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/15 8:17 p.m.36 views

CVE-2026-39468 WordPress Meta Box – WordPress Custom Fields Framework plugin <= 5.11.1 - Arbitrary File Deletion vulnerability

Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...

6.8CVSS0.00355EPSS
Exploits0References1
Rows per page
Query Builder