Lucene search
25077 matches found

Packet Storm, added 2026/03/02 12:0 a.m., 161 views

WordPress MPMF Plugin 1.0.2 Shell Upload

This Metasploit module exploits an unauthenticated file upload vulnerability in WordPress Multi‑Purpose Multi‑Form MPMF plugin version 1.0.2. By abusing a vulnerable AJAX action exposed via admin-ajax.php, an attacker can upload a crafted PHP file and trigger its execution to obtain remote code...

CVSS 10, AI score 6.5, EPSS 0.00611; Exploits: 2
OSV, added 2026/03/01 4:16 a.m., 4 views

CVE-2026-3380

A vulnerability was found in Tenda F453 1.0.0.3. This issue affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page results in buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used...

CVSS 8.8, AI score 6.3, EPSS 0.00773; Exploits: 1, References: 5
ATTACKERKB, added 2026/03/01 3:2 a.m., 8 views

CVE-2026-3380

A vulnerability was found in Tenda F453 1.0.0.3. This issue affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page results in buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used...

CVSS 9, AI score 7.5, EPSS 0.00773; Exploits: 1, References: 5, Affected Software: 1
ATTACKERKB, added 2026/02/28 9:47 p.m., 4 views

CVE-2026-28556

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without...

CVSS 5.4, AI score 6, EPSS 0.0022; Exploits: 0, References: 4, Affected Software: 1
CVE, added 2026/02/28 9:47 p.m., 13 views

CVE-2026-28556

Affected software: wpForo Forum 2.4.14. Vulnerability: missing authorization that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form handlers. Requires a valid form nonce; attackers can reorganize arbitrary forum content...

CVSS 5.4, AI score 6, EPSS 0.0022; Exploits: 0, References: 3, Affected Software: 1
RedhatCVE, added 2026/02/28 2:0 p.m., 6 views

CVE-2025-15498

Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from t...

CVSS 9.3, AI score 6, EPSS 0.0047; Exploits: 0, References: 1
OSV, added 2026/02/28 12:44 p.m., 11 views

OESA-2026-1431 undertow security update

Java web server using non-blocking IO. Security fixes: A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the...

CVSS 7.5, AI score 5.9, EPSS 0.01209; Exploits: 0, References: 3
ATTACKERKB, added 2026/02/28 6:27 a.m., 6 views

CVE-2026-2471

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the BaseModel class constructor calling maybe_unserialize on all properties retrieved...

CVSS 7.5, AI score 6.2, EPSS 0.00384; Exploits: 0, References: 6
CVE, added 2026/02/28 6:27 a.m., 23 views

CVE-2026-2471

The WP Mail Logging plugin for WordPress (up to version 1.15.0) is vulnerable to PHP Object Injection via deserialization of untrusted input in the email log message field. The BaseModel constructor calls maybe_unserialize() on all properties from the database without validation, allowing an unau...

CVSS 7.5, AI score 6.2, EPSS 0.00384; Exploits: 0, References: 5
Snyk, added 2026/02/28 2:4 a.m., 3 views

Allocation of Resources Without Limits or Throttling

Overview: @sveltejs/kit is a SvelteKit framework and CLI. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the deserializebinaryform function in the remote form handler. An attacker can exhaust application resources by sending crafted bina...

CVSS 6.3, AI score 6; Exploits: 0, References: 2
Github Security Blog, added 2026/02/28 2:4 a.m., 11 views

SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

AI score 6; Exploits: 0, References: 4, Affected Software: 1
OSV, added 2026/02/28 2:4 a.m., 2 views

GHSA-FPG4-JHQR-589C SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)

Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...

CVSS 6.3, AI score 6; Exploits: 0, References: 4
Cvelist, added 2026/02/27 3:42 p.m., 21 views

CVE-2026-2359 Multer vulnerable to Denial of Service via resource exhaustion

Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to...

CVSS 8.7, EPSS 0.00663; Exploits: 0, References: 4
EUVD, added 2026/02/27 3:34 p.m., 7 views

EUVD-2025-208141

Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from...

CVSS 9.3, AI score 5.9, EPSS 0.0047; Exploits: 0, References: 3
NVD, added 2026/02/27 2:16 p.m., 11 views

CVE-2025-15498

Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from...

CVSS 9.3, EPSS 0.0047; Exploits: 0, References: 2
Vulnrichment, added 2026/02/27 1:51 p.m., 5 views

CVE-2025-15498 SQL Injection in Pro3W CMS

Pro3W CMS is vulnerable to SQL injection attacks. Improper neutralization of input provided into a login form allows an unauthenticated attacker to bypass authentication and gain administrative privileges. This issue was identified in version 1.2.0 of this software. Due to lack of response from...

CVSS 9.3, AI score 5.9, EPSS 0.0047; Exploits: 0, References: 2
CVE, added 2026/02/27 1:51 p.m., 14 views

CVE-2025-15498

Pro3W CMS is affected by a SQL injection in the login form, identified in version 1.2.0. The vulnerability arises from improper input neutralization, allowing an unauthenticated attacker to bypass authentication and gain administrative privileges. The issue is addressed in versions released in Ja...

CVSS 9.3, AI score 5.9, EPSS 0.0047; Exploits: 0, References: 2
RedhatCVE, added 2026/02/27 4:13 a.m., 5 views

CVE-2026-27943

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam eyemag view loads data by formid or equivalent without verifying that the form belongs to the current user’s patient/encounter context. An...

CVSS 6.5, AI score 5.4, EPSS 0.0026; Exploits: 1, References: 1
Cvelist, added 2026/02/27 3:23 a.m., 24 views

CVE-2026-2428 Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default: disableipnverification defaults to...

CVSS 7.5, EPSS 0.00139; Exploits: 0, References: 2
NVD, added 2026/02/27 2:16 a.m., 6 views

CVE-2026-3274

A security flaw has been discovered in Tenda F453 1.0.0.3. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Performing a manipulation of the argument page results in buffer overflow. The attack is possible to be carried out remotely. The...

CVSS 9, EPSS 0.00937; Exploits: 1, References: 5