Lucene search
K

17425 matches found

NVD
NVD
added 10 hours ago3 views

CVE-2026-14846

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the...

4.5CVSS
Exploits0References1
EUVD
EUVD
added 10 hours ago3 views

EUVD-2026-43300

An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization...

7.5CVSS6.1AI score
Exploits0References2
Cvelist
Cvelist
added 13 hours ago8 views

CVE-2026-14165 Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5

An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization...

7.5CVSS
Exploits0References1
Nuclei
Nuclei
added 15 hours ago135 views

NextGen Healthcare Mirth Connect - Remote Code Execution

Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1. id: CVE-2023-43208 info: name: NextGen Healthcare Mirth Connect - Remote Code Execution author: princechaddha severity: critical description: Unauthenticated remote code execution...

9.8CVSS7.5AI score0.82708EPSS
Exploits21References2
Nuclei
Nuclei
added 15 hours ago40 views

Easy!Appointments <1.4.3 - Broken Access Control

Easy!Appointments prior to 1.4.3 allows exposure of Private Personal Information to an unauthorized actor via the GitHub repository alextselegidis/easyappointments. id: CVE-2022-0482 info: name: Easy!Appointments 1.4.3 - Broken Access Control author: francescocarlucci,opencirt severity: critical...

9.1CVSS7AI score0.38133EPSS
Exploits7References5
Nuclei
Nuclei
added 15 hours ago55 views

Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect

The Oracle Applications Framework component of Oracle E-Business Suite subcomponent: Popup windows lists of values, datepicker, etc. is impacted by open redirect issues in versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. These easily exploitable vulnerabilities allow unauthenticated attackers...

5.8CVSS6.5AI score0.14558EPSS
Exploits4References5
Nuclei
Nuclei
added 15 hours ago43 views

GeoServer Demo Request Endpoint - Server Side Request Forgery

It is possible to achieve Server Side Request Forgery SSRF via the Demo request endpoint if Proxy Base URL has not been set. An unauthenticated user can supply a request that will be issued by the server, allowing enumeration of internal networks and, in the case of cloud instances, access to...

8.2CVSS6.9AI score0.01923EPSS
Exploits0References4
Nuclei
Nuclei
added 15 hours ago12 views

WordPress Simple Job Board - Unauthorized Data Access

The Simple Job Board plugin for WordPress is vulnerable to unauthorized data access due to insufficient authorization checking in the fetchquickjob function in all versions up to and including 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be...

5.3CVSS6.7AI score0.00909EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago16 views

Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection

Team WordPress plugin = 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands. id: CVE-2025-14124 info: name: Team WordPress Plugin TLP Team = 5.0.9...

8.6CVSS6.3AI score0.0156EPSS
Exploits1References3
Nuclei
Nuclei
added 15 hours ago158 views

WP Umbrella Update Backup Restore & Monitoring <= 2.17.0 - Local File Inclusion

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute...

9.8CVSS7.5AI score0.15043EPSS
Exploits1References4
CVE
CVE
added yesterday13 views

CVE-2026-56281

Capgo before 12.128.2 contains a SQL injection in POST /private/admin_stats: the limit parameter is destructured from an unvalidated request body and interpolated directly into Cloudflare Analytics Engine SQL queries via template literals. An attacker with platform admin credentials can inject SQ...

5.1CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-43162

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score0.0025EPSS
Exploits0References12
NVD
NVD
added 3 days ago4 views

CVE-2026-55665

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single...

8.5CVSS0.00322EPSS
Exploits0References3
NVD
NVD
added 3 days ago7 views

CVE-2026-55462

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show and printInventory authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and...

4.3CVSS0.00252EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago32 views

CVE-2026-55462 Snipe-IT: Authorization bypass on print inventory page

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show and printInventory authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and...

4.3CVSS0.00252EPSS
Exploits0References3
CVE
CVE
added 3 days ago13 views

CVE-2026-21054

The CVE-2026-21054 describes an issue in the InputSharing Android component where improper export of application components before version 2.7.01.4 allows local attackers to access sharing data. Affected software: InputSharing, vulnerable up to but not including 2.7.01.4. Root cause: Android comp...

6.9CVSS5.9AI score0.00115EPSS
Exploits0References1
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42552

HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...

5.4CVSS5.9AI score0.00248EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-56458 HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains

HCL DevOps Deploy uses Cross-Origin Resource Sharing CORS which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains...

5.4CVSS0.00248EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 4 days ago10 views

JetBrains YouTrack < 2026.2.16593 Multiple Vulnerabilities

The version of JetBrains YouTrack installed on the remote host is prior to 2026.2.16593. It is, therefore, affected by multiple vulnerabilities, including: - The websandbox bridge was vulnerable to a prototype pollution attack. CVE-2026-57926 - Improper access control allowed reading users' priva...

9.8CVSS6.1AI score0.00178EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-55430 Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...

5.8CVSS0.00208EPSS
Exploits0References6
Rows per page
Query Builder