Lucene search
+L

10513 matches found

Cvelist
Cvelist
added 5 hours ago10 views

CVE-2026-59695 Unbounded max_fee_per_gas in mpp Tempo fee-payer enables single-request wallet drain

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet in a single request by naming an arbitrarily high gas price. When the mpp Elixir library is configured as fee payer feepayer: true,...

8.3CVSS
Exploits0References4
Nuclei
Nuclei
added 10 hours ago28 views

Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update

The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...

9.8CVSS7.9AI score0.54754EPSS
Exploits6References3
Nuclei
Nuclei
added 10 hours ago73 views

WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload

The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server. id: CVE-2022-4328 info: name: WooCommerce Checkout Field Manager 18.0 - Arbitrary File Uploa...

9.8CVSS8.6AI score0.04427EPSS
Exploits2References3
Nuclei
Nuclei
added 10 hours ago107 views

WordPress IWS Geo Form Fields <=1.0 - SQL Injection

WordPress IWS Geo Form Fields plugin through 1.0 contains a SQL injection vulnerability. The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data,...

9.8CVSS8.8AI score0.04955EPSS
Exploits1References5
NVD
NVD
added 12 hours ago5 views

CVE-2026-2594

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with...

6.4CVSS
Exploits0References3
EUVD
EUVD
added 13 hours ago5 views

EUVD-2026-45122

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with...

6.4CVSS6.2AI score
Exploits0References3
CVE
CVE
added 13 hours ago13 views

CVE-2026-2594

The CVE-2026-2594 entry concerns the WordPress plugin Smart Custom Fields. A stored cross-site scripting (XSS) flaw affects versions up to and including 5.0.7, caused by insufficient input sanitization and output escaping for uploaded image attachment titles. This enables authenticated attackers ...

6.4CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added yesterday5 views

EUVD-2026-44951

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decodeunknownfield function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input unknown fields in the serialized protobuf without enforcing an...

6.3CVSS6.1AI score
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-55407

Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decodeunknownfield function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input unknown fields in the serialized protobuf without enforcing an...

6.3CVSS6.1AI score
Exploits0References5Affected Software1
EUVD
EUVD
added yesterday5 views

EUVD-2026-44950

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such...

8.8CVSS6.1AI score
Exploits0References3
NVD
NVD
added yesterday8 views

CVE-2026-7543

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.2CVSS0.0019EPSS
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-44886

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.2CVSS6.2AI score0.0019EPSS
Exploits0References2
NVD
NVD
added yesterday6 views

CVE-2026-12525

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile...

8.8CVSS0.00144EPSS
Exploits0References1
CVE
CVE
added yesterday14 views

CVE-2026-21729

CVE-2026-21729 concerns Loki: queries with large limits can trigger large memory allocations, potentially affecting service availability depending on deployment. The available documents do not specify affected Loki versions, exact vulnerable components, or a remediation. It is not stated whether ...

7.5CVSS6.1AI score0.00263EPSS
Exploits0References1
NVD
NVD
added 2 days ago7 views

CVE-2026-52892

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST,...

6.5CVSS0.00259EPSS
Exploits0References3
CVE
CVE
added 2 days ago10 views

CVE-2026-52892

Summary: CVE-2026-52892 affects Wekan, an open‑source Kanban app built on Meteor. Before version 9.32, REST handlers in server/models/customFields.js checked read‑level access (Authentication.checkBoardAccess) for mutating custom-field routes, instead of write‑level access (Authentication.checkBo...

6.5CVSS6.1AI score0.00259EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-52892 Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST,...

6.5CVSS0.00259EPSS
Exploits0References3
OSV
OSV
added 2 days ago4 views

CVE-2026-15746 Credential disclosure in Strands Agents Tools elasticsearch_memory tool

Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearchmemory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery SSRF issue i...

6.9CVSS6.1AI score0.00244EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-60318

Name of the Vulnerable Software and Affected Versions Wekan versions prior to 9.32 Description REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. This allows a...

6.5CVSS6.1AI score0.00259EPSS
Exploits0References5
NVD
NVD
added 3 days ago6 views

CVE-2026-48371

Adobe Commerce is affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerabl...

5.4CVSS0.00182EPSS
Exploits0References1
Rows per page
Query Builder