Lucene search
+L

300835 matches found

nuclei
nuclei
added 5 hours ago102 views

DataEase <= 2.4.1 - Sensitive Information Exposure

DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the /de2api/engine/getEngine;.js path via a browser reveals that the platform's database configuration is returned. id: CVE-2024-30269...

5.3CVSS6.1AI score0.16EPSS
Exploits2References3
nuclei
nuclei
added 5 hours ago59 views

All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to unauthenticated information disclosure due to its error.log file being publicly accessible in versions before 7.87. id: CVE-2024-8852 info: name: All-in-One WP Migration 7.87 - Unauthenticated Information Disclosure...

5.3CVSS6.1AI score0.01175EPSS
Exploits0References2
nuclei
nuclei
added 5 hours ago33 views

Trinity Audio <= 5.21.0 - Information Exposure

The Trinity Audio Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the /admin/inc/phpinfo.php file that gets created on install. This makes it possible for...

5.3CVSS6.1AI score0.00937EPSS
Exploits1References2
nuclei
nuclei
added 5 hours ago34 views

WordPress Events Manager <= 7.0.3 - SQL Injection

The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5CVSS6.1AI score0.55683EPSS
Exploits2References4
nuclei
nuclei
added 5 hours ago1488 views

Pterodactyl Panel - Remote Code Execution

Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. id: CVE-2025-49132 info: name: Pterodactyl Panel - Remote Code Execution...

10CVSS6.4AI score0.13105EPSS
Exploits28References3
nuclei
nuclei
added 5 hours ago12 views

WordPress File Manager <= 7.2.1 - Directory Traversal

File Manager and File Manager Pro plugins for WordPress versions up to 7.2.1 and 8.3.4 contain a directory traversal caused by the 'target' parameter in mkfilefoldermanageractioncallbackshortcode, letting attackers read arbitrary files and upload files outside designated directories, exploit...

9.9CVSS7.1AI score0.06009EPSS
Exploits0References2
nuclei
nuclei
added 5 hours ago17 views

Symfony HttpFoundation - Access Control Bypass via PATH_INFO

Symfony HttpFoundation component = 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7 contains an access control bypass vulnerability. The Request class improperly interprets some PATHINFO values, producing URL paths without a leading /. This allows bypassing access control rules that are buil...

7.3CVSS7AI score0.01344EPSS
Exploits0References4
nuclei
nuclei
added 5 hours ago44 views

Sante PACS Server.exe - Path Traversal Information Disclosure

A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". An unauthenticated remote attacker can exploit it to download arbitrary files on the disk drive where the application is installed. id: CVE-2025-2264 info: name: Sante PACS Server.exe - Path Traversal...

7.5CVSS7.2AI score0.38656EPSS
Exploits2References1
nuclei
nuclei
added 5 hours ago25 views

Netgear R6850 - Information Disclosure

Netgear R6850 router firmware version V1.1.0.88 contains an information leakage vulnerability in the currentsetting.htm page.This hidden interface is not protected by authentication, allowing unauthenticated attackers to access sensitive informationsuch as firmware version, model details,...

7.5CVSS6.1AI score0.01923EPSS
Exploits1References3
nuclei
nuclei
added 5 hours ago30 views

D-Link DIR-859 - Information Disclosure

A critical information disclosure vulnerability exists in D-Link devices where sensitive device account information including credentials can be retrieved by sending an unauthenticated request to /getcfg.php endpoint with the parameter SERVICES=DEVICE.ACCOUNT. This could allow attackers to obtain...

9.8CVSS6.8AI score0.32261EPSS
Exploits1References2
nuclei
nuclei
added 5 hours ago34 views

Issabel PBX 4.0.0-6 - Directory Listing

An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory id: CVE-2023-37599 info: name: Issabel PBX 4.0.0-6 - Directory Listing author: ritikchaddha severity: high description: | An issue in issabel-pbx v.4.0.0-6 allows a remote attacker...

7.5CVSS7AI score0.03632EPSS
Exploits1References2
nuclei
nuclei
added 5 hours ago31 views

Mlflow < 2.17.0 - Local File Inclusion

Mlflow before 2.17.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2024-8859...

7.5CVSS7AI score0.02484EPSS
Exploits1References3
nuclei
nuclei
added 5 hours ago103 views

FXServer < v9601 - Information Exposure

Incorrect Access Control in FXServer version's v9601 and prior, for CFX.re FiveM, allows unauthenticated users to modify and read userdata via exposed api endpoint. id: CVE-2024-46310 info: name: FXServer v9601 - Information Exposure author: s4e-io severity: medium description: | Incorrect Access...

9.1CVSS6.2AI score0.02393EPSS
Exploits3References3
nuclei
nuclei
added 5 hours ago24 views

CyberPower < v2.8.3 - SQL Injection

A sql injection vulnerability exists in CyberPower PowerPanel Enterprise prior to v2.8.3. id: CVE-2024-32739 info: name: CyberPower PDNU" tags: cve,cve2024,cyberpower,sqli,vkev,vuln http: - method: GET path: - "BaseURL/api/v1/ndconfig?mode=&uid=1'%20UNION%20select%201,2,3,sqliteversion;--"...

7.5CVSS6.1AI score0.05408EPSS
Exploits0References3
nuclei
nuclei
added 5 hours ago48 views

Bank Locker Management System - Cross-Site Scripting

A vulnerability classified as problematic has been found in PHPGurukul Bank Locker Management System 1.0. This affects an unknown part of the file add-locker-form.php of the component Assign Locker. The manipulation of the argument ahname leads to cross site scripting. It is possible to initiate...

4.8CVSS4.4AI score0.34771EPSS
Exploits1References4
nuclei
nuclei
added 5 hours ago57 views

Lightdash version <= 0.510.3 Arbitrary File Read

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension .csv or .png is used. id: CVE-2023-35844 info: name: Lightdash version = 0.510.3 Arbitrary File Read author: dwisiswant0...

7.5CVSS7AI score0.06344EPSS
Exploits2References5
nuclei
nuclei
added 5 hours ago122 views

PowerJob <=4.3.2 - Unauthenticated Access

PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface. id: CVE-2023-29923 info: name: PowerJob =4.3.2 - Unauthenticated Access author: For3stCo1d severity: medium description: | PowerJob V4.3.1 is vulnerable to Insecure Permissions. via the list job interface. impact: ...

5.3CVSS6.2AI score0.09545EPSS
Exploits2References5
nuclei
nuclei
added 5 hours ago153 views

phpIPAM - 1.6 - Cross-Site Scripting

phpIPAM 1.6 contains a cross-site scripting vulnerability via the closeClass parameter at /subnet-masks/popup.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.5AI score0.03904EPSS
Exploits3References2
nuclei
nuclei
added 5 hours ago121 views

MinIO Cluster Deployment - Information Disclosure

MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIOSECRETKEY and MINIOROOTPASSWORD. An attacker can potentially obtain sensitive...

7.5CVSS7.1AI score0.83957EPSS
Exploits13References5
nuclei
nuclei
added 5 hours ago200 views

Apache Airflow <1.10.14 - Authentication Bypass

Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session. id: CVE-2020-17526 info: name: Apache Airflow 1.10.14 -...

7.7CVSS6.9AI score0.23336EPSS
Exploits0References5
Rows per page
Query Builder