Lucene search
K

1126 matches found

Nuclei
Nuclei
added 15 hours ago13 views

Zimbra Collaboration - Cross-Site Scripting (XSS)

An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0. A Cross-Site Scripting XSS vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this v...

6.1CVSS7AI score0.19543EPSS
Exploits1References3
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-40440

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

6.9CVSS5.8AI score0.0025EPSS
Exploits0References3
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-40438

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...

6.9CVSS5.8AI score0.00261EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-56327

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...

6.9CVSS0.00261EPSS
Exploits0References2
NVD
NVD
added 3 days ago6 views

CVE-2026-56331

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

6.9CVSS0.0025EPSS
Exploits0References2
CVE
CVE
added 3 days ago5 views

CVE-2026-56331

Capgo before 12.128.2 is affected by improper error handling in the /private/accept_invitation endpoint. The vulnerability causes HTTP 500 errors instead of safe 4xx responses when magic_invite_string is invalid, potentially leaking internal processing details. Attackers can trigger this using on...

6.9CVSS5.8AI score0.0025EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago21 views

CVE-2026-56331 Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

6.9CVSS0.0025EPSS
Exploits0References2
CVE
CVE
added 3 days ago5 views

CVE-2026-56327

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call a SECURITY DEFINER function with a publishable API key to...

6.9CVSS5.8AI score0.00261EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 8:38 p.m.26 views

CVE-2026-46552 NocoDB: Shared-base link access can invite arbitrary users as persistent base members

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email in...

5.8CVSS0.00296EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/19 3:30 p.m.6 views

EUVD-2017-18983

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite...

8.8CVSS6.2AI score0.00334EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/19 3:30 p.m.29 views

CVE-2017-20256 Joomla Survey Force Deluxe 3.2.4 SQL Injection via invite Parameter

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite...

8.8CVSS0.00334EPSS
Exploits0References4
CVE
CVE
added 2026/06/19 3:30 p.m.12 views

CVE-2017-20256

Joomla Survey Force Deluxe 3.2.4 is affected by an SQL injection via the invite parameter, allowing unauthenticated attackers to run arbitrary SQL through crafted GET requests and potentially read sensitive database information. Impact is high (unauthenticated, network access, data confidentialit...

8.8CVSS6.2AI score0.00334EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.16 views

PT-2026-50933

Name of the Vulnerable Software and Affected Versions Joomla Survey Force Deluxe version 3.2.4 Description An SQL injection allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code. This is achieved by sending GET requests to the component containing crafted S...

8.8CVSS6.1AI score0.00334EPSS
Exploits0References7
NVD
NVD
added 2026/06/16 3:16 p.m.19 views

CVE-2026-48780

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of a2ab6d4. As a workaround,...

8.2CVSS0.00218EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/16 2:10 p.m.23 views

CVE-2026-48780 Forem vulnerable to bypass of email address domain restrictions

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of a2ab6d4. As a workaround,...

8.2CVSS0.00218EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 5:16 p.m.12 views

CVE-2026-6689

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation the check was only applied on update/patch, which allows an authenticated user holding...

4.3CVSS0.00152EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 3:51 p.m.10 views

EUVD-2026-36501

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation the check was only applied on update/patch, which allows an authenticated user holding...

4.3CVSS5.3AI score0.00152EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 3:51 p.m.11 views

CVE-2026-6689 *Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation the check was only applied on update/patch, which allows an authenticated user holding...

4.3CVSS5.3AI score0.00152EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 3:51 p.m.28 views

CVE-2026-6689 *Missing* {{invite_user}} *permission check on team creation allows unprivileged users to set open-invite and allowed-domains team settings*

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation the check was only applied on update/patch, which allows an authenticated user holding...

4.3CVSS0.00152EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 3:51 p.m.17 views

CVE-2026-6689

Mattermost vulnerable versions: 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x

4.3CVSS5.3AI score0.00152EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder