CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/06 12:43 a.m.•12 views

CVE-2026-42543

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method GET to change state on the server. Version 2.4.28 contains a patch...

4.3CVSS5.4AI score0.00174EPSS

RedhatCVE•added 2026/06/06 12:43 a.m.•6 views

CVE-2026-10586

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the saveaigeneratedimage function. This makes it possible for authenticated attackers, with Author-level...

7.2CVSS5.6AI score0.00213EPSS

EUVD•added 2026/06/06 12:31 a.m.•9 views

EUVD-2026-34926

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funpajaxmodifynotes function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS5.4AI score0.00132EPSS

Exploits0References7

EUVD•added 2026/06/06 12:31 a.m.•9 views

EUVD-2026-34929

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

EUVD•added 2026/06/06 12:31 a.m.•8 views

EUVD-2026-34931

The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capturepayment AJAX handler registered via wpajaxnoprivemcapturepayment trusting...

5.3CVSS5.6AI score0.00165EPSS

NVD•added 2026/06/06 12:16 a.m.•15 views

CVE-2026-7047

4.3CVSS0.00132EPSS

CNNVD•added 2026/06/06 12:0 a.m.•6 views

go-fastdfs-web 代码问题漏洞

go-fastdfs-web is a web management platform for a distributed file storage system developed by Perfree’s individual developers. Versions of go-fastdfs-web prior to 1.3.7 have code vulnerabilities; these vulnerabilities stem from issues with the checkServer function in the Installation Endpoint...

7.5CVSS7.5AI score0.00409EPSS

Exploits0References5

CNNVD•added 2026/06/06 12:0 a.m.•8 views

WordPress plugin LatePoint – Calendar Booking Plugin for Appointments and Events 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CNNVD•added 2026/06/06 12:0 a.m.•7 views

WordPress plugin Frontend User Notes 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

4.3CVSS5.3AI score0.00132EPSS

Exploits0References7

Positive Technologies•added 2026/06/06 12:0 a.m.•9 views

PT-2026-47159

Name of the Vulnerable Software and Affected Versions perfree go-fastdfs-web versions prior to 1.3.8 Description A flaw in the Installation Endpoint allows for remote server-side request forgery SSRF, which occurs when an attacker can induce the server-side application to make requests to an...

7.5CVSS7.3AI score0.00409EPSS

ATTACKERKB•added 2026/06/05 11:28 p.m.•5 views

CVE-2026-9719

Cvelist•added 2026/06/05 11:28 p.m.•37 views

CVE-2026-9719 LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action

4.3CVSS0.00135EPSS

Exploits0References8

Vulnrichment•added 2026/06/05 11:28 p.m.•7 views

CVE-2026-9719 LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action

CVE•added 2026/06/05 11:28 p.m.•22 views

Exploits0References8

CVE-2026-9719

CVE-2026-9719 concerns the LatePoint WordPress plugin (versions up to 5.6.0). The issue is a Cross‑Site Request Forgery caused by missing/incorrect nonce validation in the change_status function, enabling unauthenticated actors to alter invoice statuses (e.g., mark unpaid as paid) via forged requ...

Cvelist•added 2026/06/05 11:28 p.m.•34 views

Exploits0References8

CVE-2026-7047 Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action

4.3CVSS0.00132EPSS

NVD•added 2026/06/05 10:16 p.m.•7 views

CVE-2026-11424

A server-side request forgery SSRF vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation ...

8.3CVSS0.00226EPSS

Cvelist•added 2026/06/05 8:51 p.m.•34 views

CVE-2026-11424 Server-Side Request Forgery in Altium Platform Design GraphQL Service Allows Information Disclosure

8.3CVSS0.00226EPSS

CVE•added 2026/06/05 8:51 p.m.•26 views

CVE-2026-11424

CVE-2026-11424: SSRF in a GraphQL service shared by Altium Enterprise Server and Altium 365. An authenticated user can submit input treated as a URL, causing the server to perform an outbound HTTP GET without URL validation or destination filtering, and return the response body. This enables acce...

8.3CVSS5.3AI score0.00226EPSS