Lucene search
K

18778 matches found

NVD
NVD
added 2026/06/30 6:16 a.m.11 views

CVE-2026-12560

The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS0.0024EPSS
Exploits0References9
CVE
CVE
added 2026/06/30 6:0 a.m.11 views

CVE-2026-11581

The CVE-2026-11581 entry concerns the Kali Forms — Contact Form & Drag-and-Drop Builder for WordPress, vulnerable before version 2.4.13. The form captions (columns on the form-entries admin screen) are not sanitized, allowing stored XSS where a user with Contributor-level access (or higher) can i...

5.9CVSS5.8AI score0.0014EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/30 4:30 a.m.7 views

EUVD-2026-40251

The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS5.9AI score0.0024EPSS
Exploits0References9
CVE
CVE
added 2026/06/30 4:30 a.m.14 views

CVE-2026-12560

The Editorial Rating – Product Review & Rating System plugin for WordPress (versions up to 4.0.5) is vulnerable to Stored Cross-Site Scripting via the Link URL field due to insufficient input sanitization and output escaping. Authenticated attackers with administrator-level access can store a pay...

4.4CVSS5.9AI score0.0024EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/06/30 4:30 a.m.6 views

CVE-2026-12560

The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS5.9AI score0.0024EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.12 views

PT-2026-53811

Name of the Vulnerable Software and Affected Versions Editorial Rating – Product Review & Rating System versions prior to 4.0.6 Description Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level access and above to perform Stored Cross-Site...

4.4CVSS6.1AI score0.0024EPSS
Exploits0References15
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.7 views

PT-2026-54164

Name of the Vulnerable Software and Affected Versions Google Chrome on Android versions prior to 150.0.7871.47 Description An inappropriate implementation in the Near Field Communication NFC component allows a remote attacker who has already compromised the renderer process to leak cross-origin...

9.6CVSS6AI score0.00413EPSS
Exploits0References438
RedHat Linux
RedHat Linux
added 2026/06/29 7:50 p.m.4 views

kernel: mm/page_alloc: clear page->private in free_pages_prepare()

A flaw was found in the Linux kernel's memory management subsystem. When pages are freed, the page-private field is not properly cleared. If these pages are later reallocated as high-order pages and split, the tail pages can retain stale page-private values. This can lead to a use-after-free...

7.8CVSS7AI score0.0013EPSS
Exploits0References5
NVD
NVD
added 2026/06/29 6:16 p.m.9 views

CVE-2026-57954

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across...

5.3CVSS0.00168EPSS
Exploits0References2
NVD
NVD
added 2026/06/29 6:16 p.m.10 views

CVE-2026-56781

Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from shar...

6.9CVSS0.00231EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/29 5:15 p.m.7 views

EUVD-2026-40157

Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from shar...

6.9CVSS5.9AI score0.00231EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/29 4:8 p.m.6 views

CVE-2026-12143

A flaw was found in form-data, a library for creating readable multipart/form-data streams. A remote attacker can exploit this vulnerability by injecting carriage return CR, line feed LF, or double-quote " characters into the field argument of FormDataappend or the filename option. This allows th...

8.7CVSS5.8AI score0.00409EPSS
Exploits0References10
EUVD
EUVD
added 2026/06/29 1:15 p.m.7 views

EUVD-2026-40090

A vulnerability was detected in SourceCodester Inventory Management System 1.0. Impacted is an unknown function of the file /api/usershandler.php of the component User Registration Endpoint. Performing a manipulation of the argument fullname results in cross site scripting. The attack is possible...

5.1CVSS4.4AI score0.00191EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/29 12:30 p.m.7 views

EUVD-2026-40082

A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be...

5.3CVSS4.4AI score0.00273EPSS
Exploits0References6
OSV
OSV
added 2026/06/29 11:50 a.m.9 views

PYSEC-2026-319 Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API

Summary The safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT start with underscore, enabling a complete sandbox escape to achieve...

9.8CVSS6.6AI score0.0045EPSS
Exploits2References7
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-330 EPyT-Flow vulnerable to unsafe JSON deserialization (__type__)

Impact EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer myloadfromjson that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. Thi...

10CVSS5.9AI score0.00657EPSS
Exploits0References7
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-256 Agno is vulnerable to Eval Injection

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...

9.3CVSS6.7AI score0.00852EPSS
Exploits0References7
Patchstack
Patchstack
added 2026/06/29 11:42 a.m.7 views

WordPress Custom Field Template plugin <= 2.7.8 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin Custom Field Template versions = 2.7.8...

8.5CVSS5.8AI score0.0022EPSS
Exploits0Affected Software1
SUSE CVE
SUSE CVE
added 2026/06/28 1:8 a.m.7 views

SUSE CVE-2026-53311

In the Linux kernel, the following vulnerability has been resolved: fuse: fix uninit-value in fusedentryrevalidate fusedentryrevalidate may be called with a dentry that didn't had -dtime initialised. The issue was found with KMSAN, where lookupopen calls dalloc, followed by drevalidate, as shown...

5.7AI score0.00112EPSS
Exploits0References3
NVD
NVD
added 2026/06/26 10:16 p.m.10 views

CVE-2026-50765

A stored cross-site scripting XSS vulnerability in the patron restriction type administration page of Koha Library Management System 0 through 25.11 versions allow an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

6.1CVSS0.0022EPSS
Exploits1References1
Rows per page
Query Builder