CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/04/21 7:17 p.m.•4 views

CVE-2026-40874

CVE-2026-40874 affects mailcow: dockerized. Prior to 2026-03b, there was no administrator verification for deleting Forwarding Hosts via /api/v1/delete/fwdhost, allowing any authenticated user to call the API. Deletion could significantly disrupt mail service, while checks existed only for edit/a...

6CVSS5.8AI score0.0005EPSS

EUVD•added 2026/04/16 9:31 a.m.•0 views

EUVD-2025-209493

The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the...

8.8CVSS5.7AI score0.00029EPSS

CVE•added 2026/04/16 7:39 a.m.•6 views

CVE-2025-14868

The CVE affects the WordPress Career Section plugin (versions up to 1.6). The root cause is missing nonce validation and insufficient file path validation on the delete action in appform_options_page_html, enabling CSRF that can lead to Path Traversal and Arbitrary File Deletion. The vulnerabilit...

8.8CVSS5.7AI score0.00029EPSS

Exploits0References2

Positive Technologies•added 2026/04/16 12:0 a.m.•2 views

PT-2026-33281

8.8CVSS5.7AI score0.00029EPSS

Positive Technologies•added 2026/04/13 12:0 a.m.•2 views

PT-2026-32393

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=delete sales. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and...

7.5CVSS5.7AI score0.00043EPSS

Exploits0References6

RedhatCVE•added 2026/03/26 3:12 p.m.•1 views

CVE-2026-3138

The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via wpajaxnopriv...

EUVD•added 2026/03/24 6:31 a.m.•0 views

EUVD-2026-14730

ATTACKERKB•added 2026/03/24 4:27 a.m.•1 views

Exploits0References8

CVE-2026-3138

Cvelist•added 2026/03/24 4:27 a.m.•26 views

Exploits0References8

CVE-2026-3138 Product Filter for WooCommerce by WBW <= 3.1.2 - Missing Authorization to Unauthenticated Filter Data Deletion via TRUNCATE TABLE

6.5CVSS0.00078EPSS

Exploits0References7

Positive Technologies•added 2026/03/24 12:0 a.m.•5 views

PT-2026-27327

ATTACKERKB•added 2026/03/19 6:46 a.m.•1 views

Exploits0References9

CVE-2026-4068

The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'ad...

4.3CVSS5.8AI score0.0002EPSS

Exploits0References7

Positive Technologies•added 2026/03/11 12:0 a.m.•2 views

PT-2026-24803

CVE-2026-31954 Emlog is an open source website building system. In 2.6.6 and earlier, the delete async action asynchronous delete lacks a call to LoginAuth::checkToken, enabling… https://t.co/jGjg6aBhCJ...

5.8AI score0.00021EPSS

Exploits1References4

RedhatCVE•added 2026/01/13 10:53 p.m.•1 views

CVE-2025-14976

The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce...

5.4CVSS5.5AI score0.00027EPSS

NVD•added 2026/01/10 9:15 a.m.•3 views

CVE-2025-14976

5.4CVSS0.00027EPSS

Cvelist•added 2026/01/10 8:22 a.m.•20 views

CVE-2025-14976 User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion

5.4CVSS0.00027EPSS