CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 6 days ago•6 views

CVE-2026-45294

5.3CVSS5.8AI score0.00038EPSS

Exploits0References2Affected Software1

NVD•added 2026/05/28 4:16 p.m.•11 views

CVE-2026-35676

phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sendin...

8.8CVSS0.00035EPSS

Exploits0References2

NVD•added 2026/05/20 7:16 a.m.•7 views

CVE-2026-7385

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

5.8CVSS0.00037EPSS

CVE•added 2026/05/20 6:0 a.m.•8 views

CVE-2026-7385

The Decent Comments WordPress plugin (prior to version 3.0.2) exposes comment author and post author email addresses via its REST API without access restrictions, enabling unauthenticated users to enumerate registered email addresses. Root cause: insufficient access controls on the REST endpoint....

5.8CVSS5.8AI score0.00037EPSS

EUVD•added 2026/05/20 6:0 a.m.•5 views

EUVD-2026-31067

5.8CVSS5.8AI score0.00037EPSS

ATTACKERKB•added 2026/05/20 6:0 a.m.•5 views

CVE-2026-7385

5.8AI score0.00037EPSS

Positive Technologies•added 2026/05/20 12:0 a.m.•8 views

PT-2026-42113

5.8AI score0.00037EPSS

Exploits0References2

CNNVD•added 2026/05/20 12:0 a.m.•7 views

WordPress plugin Decent Comments 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

5.8CVSS5.8AI score0.00037EPSS

Cvelist•added 2026/05/12 9:30 p.m.•28 views

CVE-2026-44306 Statamic: Email enumeration via forgot password endpoint

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-u...

5.3CVSS0.00037EPSS

CVE•added 2026/05/12 9:30 p.m.•12 views

CVE-2026-44306

Statamic CMS is affected by an information exposure vulnerability in the forgot-password endpoint. Prior to versions 5.73.21 and 6.15.0, responses could reveal whether an email address is registered, enabling an unauthenticated attacker to enumerate valid users. This is fixed in 5.73.21 and 6.15....

Vulnrichment•added 2026/05/12 9:30 p.m.•4 views

CVE-2026-44306 Statamic: Email enumeration via forgot password endpoint

EUVD•added 2026/05/10 3:31 p.m.•7 views

EUVD-2021-34790

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the productid parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection...

8.8CVSS5.9AI score0.0009EPSS

Exploits0References5

Tenable Nessus•added 2026/05/09 12:0 a.m.•6 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-017336)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017336 advisory. An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset...

5.3CVSS5.9AI score0.00235EPSS

Github Security Blog•added 2026/05/06 8:54 p.m.•4 views

Statamic CMS vulnerable to email enumeration via forgot password endpoint

Impact Responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. Patches This has been fixed in 5.73.21 and 6.15.0. The forgot...

Exploits0References3Affected Software1

OSV•added 2026/05/06 8:54 p.m.•3 views

GHSA-M24V-F7G5-GQ67 Statamic CMS vulnerable to email enumeration via forgot password endpoint

AstraLinux•added 2026/05/03 11:59 p.m.•3 views

Exploits0References3

Astra Linux - уязвимость в python-django

A issue was discovered in Django versions 5.1.1, 5.0.9, and 4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view that implements password reset processes, allows remote attackers to enumerate user email addresses by sending password reset requests and observing the...

5.3CVSS6.8AI score0.00235EPSS

Exploits0References2

Cvelist•added 2026/04/20 3:45 p.m.•24 views

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS0.00085EPSS

Vulnrichment•added 2026/04/20 3:45 p.m.•1 views

CVE-2026-24468 OpenAEV Vulnerable to Username/Email Enumeration Through Differential HTTP Responses in Password Reset API

5.3CVSS5.7AI score0.00085EPSS

CVE•added 2026/04/20 3:45 p.m.•3 views

CVE-2026-24468

OpenAEV versions prior to 2.0.13 expose an account-enumeration flaw via the /api/reset login parameter. If the email does not exist, the API returns 400 Bad Request; if the email exists, it returns 200. This observable response difference enables an attacker to reliably determine which emails are...

5.3CVSS5.7AI score0.00085EPSS