Lucene search
K

592954 matches found

Cvelist
Cvelist
added 13 hours ago7 views

CVE-2026-57237 Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability

When the application opens a PDF and JavaScript modifies the properties of form fields, it causes the state of the underlying objects referenced by the program to become invalid. Eventually, it reads an illegal memory address, which leads to the crash of the application...

7.8CVSS
Exploits0References1
CVE
CVE
added 13 hours ago7 views

CVE-2026-57237

CVE-2026-57237 impacts Foxit PDF Editor/Reader (annotation handling) where JavaScript modifying form-field properties leaves underlying objects in an invalid state, triggering a use-after-free and reading an illegal memory address. This can crash the application. The Connected documents do not pr...

7.8CVSS5.9AI score
Exploits0References1
NVD
NVD
added 13 hours ago7 views

CVE-2026-12378

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

8.1CVSS
Exploits0References1
RedHat Linux
RedHat Linux
added 14 hours ago6 views

389-ds-base: 389-ds-base: integer overflow in SASL packet length bypasses size limit leading to heap buffer overflow

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server 389-ds-base. In sasliostartpacket, adding sizeofuint32t to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer...

7.6CVSS6.2AI score0.00539EPSS
Exploits0References5
NVD
NVD
added 14 hours ago6 views

CVE-2026-14489

The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on...

8.8CVSS
Exploits0References6
NVD
NVD
added 14 hours ago7 views

CVE-2026-57895

Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege...

8.5CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 15 hours ago3 views

CVE-2026-12378

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

6.2AI score
Exploits0References1
Cvelist
Cvelist
added 15 hours ago7 views

CVE-2026-12378 BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

Exploits0References1
CVE
CVE
added 15 hours ago7 views

CVE-2026-12378

The CVE-2026-12378 entry concerns the WordPress plugins BookingPress/Appointment Booking Calendar (up to version 1.1.28). The vulnerability arises from unsafely passing input to a PHP deserialization function, enabling unauthenticated attackers to inject arbitrary PHP objects with a suitable gadg...

8.1CVSS6.2AI score
Exploits0References1
EUVD
EUVD
added 15 hours ago5 views

EUVD-2026-42178

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this c...

8.1CVSS6.2AI score
Exploits0References1
Cvelist
Cvelist
added 15 hours ago9 views

CVE-2026-14489 WHMCS Bridge <= 6.9 - Unauthenticated Arbitrary File Upload via 'ccce' Parameter

The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on...

8.8CVSS
Exploits0References6
CVE
CVE
added 15 hours ago9 views

CVE-2026-14489

The WHMCS Bridge WordPress plugin (affected: all versions up to and including 6.9) is vulnerable to an arbitrary file upload due to missing file type validation in connect(). Exploitation requires authenticated access with Custom-level permissions or higher, enabling upload of arbitrary files on ...

8.8CVSS6.7AI score
Exploits0References6
EUVD
EUVD
added 15 hours ago5 views

EUVD-2026-42174

The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Custom-level access and above, to upload arbitrary files on...

8.8CVSS6.7AI score
Exploits0References6
Nuclei
Nuclei
added 15 hours ago60 views

Rukovoditel <= 3.2.1 - Cross Site Scripting

Rukovoditel v3.2.1 was discovered to contain a stored cross-site scripting XSS vulnerability in /index.php?module=configuration/application. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Copyright Text field after clicking...

5.4CVSS6.2AI score0.00906EPSS
Exploits1References4
Nuclei
Nuclei
added 15 hours ago886 views

WordPress Elementor 3.18.1 - File Upload/Remote Code Execution

The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. id: CVE-2023-48777 info: name: WordPress Elementor 3.18.1 - File...

9.9CVSS7.5AI score0.041EPSS
Exploits3References2
Nuclei
Nuclei
added 15 hours ago34 views

ThemeREX Addons - Remote Code Execution

ThemeREX Addons plugin before 2020-03-09 for WordPress contains an access control vulnerability in the /trxaddons/v2/get/sclayout REST API endpoint, allowing any users to execute PHP functions because includes/plugin.rest-api.php calls trxaddonsrestgetsclayout with an unsafe sc parameter, letting...

9.8CVSS7.4AI score0.08877EPSS
Exploits2References3
Nuclei
Nuclei
added 15 hours ago56 views

SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...

9.3CVSS6.5AI score0.02971EPSS
Exploits0References5
Nuclei
Nuclei
added 15 hours ago79 views

Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE

Gladinet CentreStack through 16.1.10296.56315 fixed in 16.4.10315.56368 has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors who know the machineKey to serialize a payload for server-side...

9.8CVSS7.6AI score0.93842EPSS
Exploits6References3
Nuclei
Nuclei
added 15 hours ago108 views

mooSocial 3.1.8 - Reflected XSS

A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index. id: CVE-2023-4173 info: name: mooSocial 3.1.8 - Reflected XSS author: momika233 severity: medium description: | A vulnerability, which was...

6.1CVSS5.8AI score0.03336EPSS
Exploits5References5
Nuclei
Nuclei
added 15 hours ago63 views

Cacti 1.2.24 - SQL Injection

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graphview.php. Since guest users can access graphview.php without authentication by default, if guest users are being utilized in an enabled state, there...

9.8CVSS7.6AI score0.87575EPSS
Exploits2References5
Rows per page
Query Builder