Lucene search
K

9146 matches found

Github Security Blog
Github Security Blog
added 2026/03/11 12:17 a.m.38 views

Parse Server has a bypass of class-level permissions in LiveQuery

Impact Class-level permissions CLP are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery wit...

8.7CVSS5.8AI score0.00426EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/03/10 8:16 p.m.19 views

CVE-2026-30947

Parse Server (with LiveQuery) is affected by CVE-2026-30947 where class-level permissions (CLP) are not enforced for LiveQuery subscriptions in older releases. An unauthenticated or unauthorized client could subscribe to any LiveQuery-enabled class and receive real-time events for all objects, by...

8.7CVSS5.8AI score0.00426EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/10 6:31 p.m.7 views

EUVD-2026-10470

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

7.5CVSS5.9AI score0.0035EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/10 6:31 p.m.4 views

EUVD-2026-10474

The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack...

4.3CVSS5.8AI score0.00124EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/10 6:31 p.m.5 views

EUVD-2026-10475

The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack...

4.3CVSS5.8AI score0.00124EPSS
Exploits0References2
NVD
NVD
added 2026/03/10 6:18 p.m.5 views

CVE-2026-30968

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint /sse/v1/... in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. Th...

9.8CVSS0.00345EPSS
Exploits0References2
NVD
NVD
added 2026/03/10 5:40 p.m.3 views

CVE-2026-3585

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

7.5CVSS0.0035EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/10 5:24 p.m.31 views

CVE-2026-30968 Coral Server has insufficient validation of agent identity for SSE connections

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint /sse/v1/... in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. Th...

8.6CVSS0.00345EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/10 5:24 p.m.5 views

EUVD-2026-10706

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint /sse/v1/... in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. Th...

8.6CVSS5.8AI score0.00345EPSS
Exploits0References2
OSV
OSV
added 2026/03/10 5:24 p.m.4 views

CVE-2026-30968 Coral Server has insufficient validation of agent identity for SSE connections

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, the SSE endpoint /sse/v1/... in Coral Server did not strongly validate that a connecting agent was a legitimate participant in the session. Th...

8.6CVSS5.8AI score0.00345EPSS
Exploits0References4
CVE
CVE
added 2026/03/10 5:24 p.m.14 views

CVE-2026-30968

Summary: Coral Server’s SSE endpoint (/sse/v1/...) did not strongly validate that a connecting agent was a legitimate session participant before version 1.1.0, potentially allowing unauthorized message injection or observation. Affected versions: prior to 1.1.0. Impact: stated as possible confide...

9.8CVSS5.8AI score0.00345EPSS
Exploits0References2Affected Software1
Circl
Circl
added 2026/03/10 4:57 p.m.5 views

CVE-2026-23673

creationtimestamp| type| source ---|---|--- 2026-03-10 16:57:37+00:00| seen| https://www.thezdi.com/blog/2026/3/10/the-march-2026-security-update-review 2026-03-10 19:07:55+00:00| seen| https://advisories.ncsc.nl/advisory?id=NCSC-2026-0080 2026-03-11 03:00:16+00:00| seen|...

7.8CVSS5.7AI score0.00383EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/10 3:33 a.m.30 views

CVE-2026-3585 The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

7.5CVSS0.0035EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/10 3:33 a.m.4 views

CVE-2026-3585 The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

7.5CVSS5.9AI score0.0035EPSS
Exploits0References2
CVE
CVE
added 2026/03/10 3:33 a.m.17 views

CVE-2026-3585

The Events Calendar WordPress plugin (up to v6.15.17) is affected by a path traversal vulnerability in the ajax_create_import function. The issue allows authenticated attackers with Author-level access or higher to read arbitrary files on the server, exposing sensitive information. The vulnerabil...

7.5CVSS5.9AI score0.0035EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/10 3:33 a.m.3 views

CVE-2026-3585

The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajaxcreateimport' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the...

7.5CVSS6AI score0.0035EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.5 views

PT-2026-24339

Name of the Vulnerable Software and Affected Versions Coral Server versions prior to 1.1.0 Description Coral Server is an open collaboration infrastructure designed for communication, coordination, trust, and payments within The Internet of Agents. Before version 1.1.0, the Server Side Events SSE...

9.8CVSS5.8AI score0.00345EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2026/03/10 12:0 a.m.3 views

VulnCheck KEV: CVE-2021-4458

The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wpajaxmecloadsinglepage' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

9.8CVSS5.9AI score0.00354EPSS
In wildExploits0References15
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.6 views

PT-2026-24425

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.3 Parse Server versions prior to 8.6.16 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a flaw where class-level permissions CLP are not...

8.7CVSS5.8AI score0.00426EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.5 views

PT-2026-24179

The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack...

5.8AI score0.00124EPSS
Exploits0References1
Rows per page
Query Builder