Lucene search
K

3405 matches found

CNNVD
CNNVD
added 2026/05/25 12:0 a.m.10 views

KLiK SocialMediaWebsite 安全漏洞

KLiK SocialMediaWebsite is a simple PHP-based social media website by the individual developer Muhammad Saad. A security vulnerability exists in KLiK SocialMediaWebsite version 1.0, which originates from the HTTP GET Request Parameter Handler component and could lead to injection...

7.5CVSS6.6AI score0.00242EPSS
Exploits0References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/22 7:36 p.m.11 views

Malicious code in orca-website (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c52f7fe46d56cb45880942f5266494a2654d9d330914a6c3c99f02045eacd1dc On require/import, index.js collects host identifiers os.hostname, os.userInfo.username, os.platform, os.arch, process.cwd, process.pid, timestamp an...

5.8AI score
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 8:19 p.m.8 views

CVE-2026-8417 Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update controller

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...

7.5CVSS5.7AI score0.00122EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.11 views

PT-2026-42537

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do update/. The do update method in concrete/controllers/single page/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the...

7.5CVSS5.7AI score0.00122EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in Thunderbird

matrix-js-sdk is a client-server SDK for the Matrix messaging protocol, designed for JavaScript. Version 34.11.0 and earlier of matrix-js-sdk was vulnerable to client-side path traversal attacks through crafted MXC URIs. A malicious room member could trigger clients using matrix-js-sdk to send...

5.3CVSS7.7AI score0.00835EPSS
Exploits0References1
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-8418

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS0.00163EPSS
Exploits0References7
EUVD
EUVD
added 2026/05/20 1:25 a.m.12 views

EUVD-2026-31014

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS5.9AI score0.00163EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.7 views

CVE-2026-8418

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS5.9AI score0.00163EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.22 views

PT-2026-42076

Name of the Vulnerable Software and Affected Versions Games Catalog versions prior to 1.2.1 Description The Games Catalog plugin for WordPress is susceptible to Cross-Site Request Forgery, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs because...

4.3CVSS5.8AI score0.00163EPSS
Exploits0References10
NVD
NVD
added 2026/05/13 7:17 p.m.9 views

CVE-2026-42584

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103,...

9.1CVSS0.00633EPSS
Exploits1References8
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.9 views

ShellHub 安全漏洞

ShellHub is an open-source remote device access and management platform developed by ShellHub. Versions of ShellHub prior to 0.24.2 contained security vulnerabilities. These vulnerabilities stemmed from the GET /api/devices/:uid request, which returned the complete device object for any...

6.5CVSS5.9AI score0.00246EPSS
Exploits1References1
NVD
NVD
added 2026/05/12 4:16 p.m.9 views

CVE-2023-30059

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

5.4CVSS0.00168EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 12:0 a.m.7 views

CVE-2023-30059

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

5.7AI score0.00168EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.12 views

PT-2026-40048

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

5.7AI score0.00168EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/12 12:0 a.m.30 views

CVE-2023-30059

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

0.00168EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/10 3:31 p.m.18 views

EUVD-2022-55985

uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The datecreated, datefrom, dateto, and createdat parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via...

6.1CVSS5.7AI score0.00252EPSS
Exploits0References5
NVD
NVD
added 2026/05/07 4:16 a.m.18 views

CVE-2026-41663

Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module database backup, test email, htaccess generation fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GE...

3.5CVSS0.00117EPSS
Exploits0References2
CNVD
CNVD
added 2026/05/07 12:0 a.m.10 views

XATABoost CMS SQL Injection Vulnerability

XATABoost CMS is a content management system from XATABoost that provides website content publishing and management functions. A SQL injection vulnerability exists in XATABoost CMS version 1.0.0. The vulnerability stems from the application's lack of validation of externally entered SQL statement...

8.8CVSS5.9AI score0.00323EPSS
Exploits0
Snyk
Snyk
added 2026/05/05 7:8 p.m.10 views

Use of GET Request Method With Sensitive Query Strings

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings in the OAuth login process, where the user's password hash is included as a query parameter in a redirect UR...

7.6CVSS5.8AI score0.00285EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/30 12:0 a.m.11 views

EUVD-2026-26384

A Server-Side Request Forgery SSRF in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request...

4.3CVSS5.2AI score0.00168EPSS
Exploits0References2
Rows per page
Query Builder