
1284 matches found

Nuclei
added 11 hours ago | 41 views

DedeCMS 5.7 - Path Disclosure

DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/incarchivesfunctions.php id: CVE-2018-6910 info: name: DedeCMS 5.7 - Path Disclosure author: pikpikcu severity: high description: DedeCMS 5.7 allows remote attackers to discover t...

CVSS 7.5 | AI score 7.2 | EPSS 0.18955
Exploits: 1 | References: 5

Snyk
added 2026/06/02 2:50 a.m. | 6 views

Direct Request ('Forced Browsing')

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Direct Request 'Forced Browsing' in the Gateway API endpoints due ...

CVSS 7.1 | AI score 6.6 | EPSS 0.00244
Exploits: 1 | References: 2

EUVD
added 2026/05/12 9:9 p.m. | 47 views

EUVD-2026-29845

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the JSP tag is intended to prevent file modifications. When protected=true, elfindercheckRisk enforces that the client sends readonly=true matching the session value, but no event handler checks the readonly...

CVSS 8.1 | AI score 5.8 | EPSS 0.00301
Exploits: 0 | References: 1

Positive Technologies
added 2026/03/03 12:0 a.m. | 8 views

PT-2026-22951

Name of the Vulnerable Software and Affected Versions Craft versions prior to 5.9.0-beta.1 Craft versions prior to 4.17.0-beta.1 Description Craft is a content management system CMS. A flaw exists where the "Duplicate" entry action does not properly verify user permissions for specific target...

CVSS 7.1 | AI score 5.9 | EPSS 0.00234
Exploits: 1 | References: 5

Vulnrichment
added 2026/02/06 4:2 a.m. | 5 views

CVE-2026-1978 kalyan02 NanoCMS User Information pagesdata.txt direct request

A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The...

CVSS 6.9 | AI score 5 | EPSS 0.0036
Exploits: 0 | References: 5

CVE
added 2026/02/03 12:0 a.m. | 16 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS version 3.9.2 is vulnerable to unauthenticated remote access to the /script/.env file. The exposure reveals sensitive data including the Laravel APP_KEY, database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, ...

CVSS 10 | AI score 5.5 | EPSS 0.00383
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/02/03 12:0 a.m. | 2 views

CVE-2025-70841

Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key APPKEY, database credentials, SMTP/SendGrid API...

CVSS 10 | AI score 5.4 | EPSS 0.00383
Exploits: 1 | References: 2

The Hacker News
added 2026/01/15 3:31 p.m. | 11 views

Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 CVSS score: 10.0, has been described as a case of unauthenticated privilege escalation impacting all...

CVSS 10 | AI score 6.9 | EPSS 0.20631
Exploits: 7

RedhatCVE
added 2026/01/09 9:27 a.m. | 3 views

CVE-2023-45598

A CWE-425 “Direct Request 'Forced Browsing'” vulnerability in the “measure” functionality of the web application allows a remote unauthenticated attacker to access confidential measure information. This issue affects: AiLux imx6 bundle below version imx61.0.7-2...

CVSS 5.3 | AI score 7.1 | EPSS 0.00487
Exploits: 0 | References: 1

Positive Technologies
added 2026/01/09 12:0 a.m. | 6 views

PT-2026-2018

Name of the Vulnerable Software and Affected Versions ALGO 8180 IP Audio Alerter affected versions not specified Description A flaw exists in the web-based user interface of the ALGO 8180 IP Audio Alerter, allowing remote attackers to disclose sensitive information without authentication. An...

CVSS 7.5 | AI score 5.7 | EPSS 0.00659
Exploits: 0 | References: 5

CNNVD
added 2025/12/09 12:0 a.m. | 3 views

Fortinet FortiAuthenticator Security Vulnerability

Fortinet FortiAuthenticator is a centralized user identity management solution from Fortinet, Inc. A security vulnerability exists in Fortinet FortiAuthenticator versions 6.6.0 through 6.6.6, all versions 6.5, all versions 6.4, and all versions 6.3, which stems from a direct request vulnerability...

CVSS 2.7 | AI score 6.7 | EPSS 0.00195
Exploits: 0 | References: 2

Positive Technologies
added 2025/12/05 12:0 a.m. | 6 views

PT-2025-49245

Name of the Vulnerable Software and Affected Versions Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior Description Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace versions 2025.1.2 and prior are susceptible to a Direct...

CVSS 9 | AI score 6.8 | EPSS 0.00281
Exploits: 0 | References: 5

CVE
added 2025/11/26 7:46 p.m. | 21 views

CVE-2025-6195

CVE-2025-6195 : GitLab EE had a fix for an issue that could allow an authenticated user to view information from security reports under certain configuration conditions. The vulnerability affected all GitLab CE/EE versions up to: 13.7 before 18.4.5; 18.5 before 18.5.3; 18.6 before 18.6.1. The rem...

CVSS 4.3 | AI score 6.1 | EPSS 0.00273
Exploits: 0 | References: 3 | Affected Software: 1

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2007-0803

Malware in sbrugna...

CVSS 7.5 | AI score 6.4 | EPSS 0.02376
Exploits: 1 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-18371

Malware in sbrugna...

CVSS 9.8 | AI score 9.5 | EPSS 0.01681
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2011-3757

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01229
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2011-3675

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01335
Exploits: 1 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2008-5583

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.0285
Exploits: 0 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2009-4788

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.02456
Exploits: 1 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2011-3670

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01335
Exploits: 1 | References: 4