Lucene search
+L

202 matches found

GithubExploit
GithubExploit
added 2026/03/21 3:47 p.m.180 views

Exploit for CVE-2026-21994

CVE-2026-21994 Summary Oracle OKIT oci-designer-tool...

9.8CVSS5.8AI score0.00448EPSS
Exploits1
OSV
OSV
added 2026/03/07 2:31 a.m.5 views

GHSA-C8M8-3JCR-6RJ5 FUXA has a hardcoded fallback JWT signing secret

FUXA used a static fallback JWT signing secret frangoteam751 when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in...

9.3CVSS5.7AI score0.02036EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/07 2:31 a.m.13 views

FUXA has a hardcoded fallback JWT signing secret

FUXA used a static fallback JWT signing secret frangoteam751 when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in...

9.8CVSS5.7AI score0.02036EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/02 4:18 a.m.11 views

CVE-2026-27167

A flaw was found in Gradio. When Gradio applications run outside of Hugging Face Spaces and use OAuth components, they automatically enable "mocked" OAuth routes. A remote attacker can exploit this by visiting the /login/huggingface endpoint, which causes the server to retrieve its Hugging Face H...

5.9CVSS5.9AI score0.00453EPSS
Exploits1References4
OSV
OSV
added 2026/03/01 1:0 a.m.20 views

GHSA-H3H8-3V2V-RG7M Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...

5.9AI score0.00453EPSS
Exploits1References6
NVD
NVD
added 2026/02/27 10:16 p.m.13 views

CVE-2026-27167

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

5.9CVSS0.00453EPSS
Exploits1References1
CVE
CVE
added 2026/02/27 9:40 p.m.34 views

CVE-2026-27167

Gradio, in versions 4.16.0 through 6.5.x, running outside Hugging Face Spaces enables mocked OAuth routes when OAuth components are used. Visiting /login/huggingface causes the server to fetch its HF token via hugggingface_hub.get_token() and store it in the visitor’s session cookie, which is sig...

5.9CVSS6AI score0.00453EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/02/27 9:40 p.m.25 views

CVE-2026-27167 Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

0.00453EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/02/27 12:0 a.m.13 views

PT-2026-22405

Name of the Vulnerable Software and Affected Versions Gradio versions 4.16.0 through 6.5.9 Description Gradio is a Python package for rapid prototyping. Applications running outside of Hugging Face Spaces, versions 4.16.0 through 6.5.9, improperly handle OAuth components like gr.LoginButton...

6AI score0.00453EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/02/13 7:22 a.m.11 views

CVE-2025-14892

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

9.8CVSS5.4AI score0.00366EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2026/02/13 12:0 a.m.185 views

📄 Patients Waiting Area Queue Management System 1.0 SQL Injection

Patients Waiting Area Queue Management System version 1.0 is vulnerable to SQL injection due to improper sanitization on the appointmentID parameter. Authentication bypass and full database dump are possible. The application also appears to have a hardcoded JWT key, suffers from a username...

9.8CVSS5.9AI score0.00357EPSS
Exploits3
NVD
NVD
added 2026/02/12 6:16 a.m.9 views

CVE-2025-14892

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

9.8CVSS0.00366EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/12 6:0 a.m.6 views

CVE-2025-14892

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

9.8CVSS5.4AI score0.00366EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/12 6:0 a.m.40 views

CVE-2025-14892 Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

0.00366EPSS
Exploits0References1
CVE
CVE
added 2026/02/12 6:0 a.m.26 views

CVE-2025-14892

CVE-2025-14892 affects the WordPress plugin Prime Listing Manager (

9.8CVSS5.4AI score0.00366EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/12 6:0 a.m.6 views

CVE-2025-14892 Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

5.4AI score0.00366EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/12 12:0 a.m.18 views

PT-2026-7819

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

5.4AI score0.00366EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/09 10:28 p.m.3 views

CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is...

9.5CVSS6.2AI score0.00759EPSS
Exploits0References3
CVE
CVE
added 2026/02/09 10:28 p.m.26 views

CVE-2026-25894

FUXA (web-based Process Visualization) contains an insecure default configuration that allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. The root cause is a hardcoded admin JWT secret in the default configuration, affecting versions...

9.8CVSS6.2AI score0.00759EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/09 10:28 p.m.6 views

CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is...

9.5CVSS6.2AI score0.00759EPSS
Exploits0References5
Rows per page
Query Builder