Lucene search
K

120 matches found

EUVD
EUVD
added 4 days ago7 views

EUVD-2026-43162

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score0.0025EPSS
Exploits0References12
OSV
OSV
added 2026/06/25 3:51 p.m.3 views

CVE-2026-54029 LibreChat: IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...

5.3CVSS6AI score0.00159EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/06/25 3:51 p.m.30 views

CVE-2026-54029 LibreChat: IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...

5.3CVSS0.00159EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2026/06/25 3:51 p.m.7 views

CVE-2026-54029 LibreChat: IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...

5.3CVSS5.8AI score0.00353EPSS
Exploits2References1
CVE
CVE
added 2026/06/25 3:51 p.m.17 views

CVE-2026-54029

CVE-2026-54029 affects LibreChat prior to 0.8.4-rc1. The bug is in the DELETE /api/messages/:conversationId/:messageId endpoint where authentication validates the conversationId but the deleteMessages({ messageId }) call uses only messageId as the MongoDB filter, omitting a user constraint. As a ...

6.5CVSS5.9AI score0.00353EPSS
Exploits2References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/12 11:51 a.m.11 views

CVE-2026-47196 Quest Bot: Empty automod rule causes every guild message to be deleted

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes"", which is always true, causing the bot ...

8.4CVSS5.2AI score0.00235EPSS
Exploits0References2
NVD
NVD
added 2026/06/11 7:16 p.m.16 views

CVE-2026-47163

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runti...

7.2CVSS0.00215EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 6:27 p.m.10 views

EUVD-2026-36298

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runti...

7.2CVSS5.4AI score0.00215EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/08 1:44 a.m.5 views

CVE-2026-2488

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pgdeletemsg function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting us...

4.3CVSS5.9AI score0.0022EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/07 1:21 a.m.4 views

CVE-2026-2488

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pgdeletemsg function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting us...

4.3CVSS5.9AI score0.0022EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/07 1:21 a.m.2 views

CVE-2026-2488 ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pgdeletemsg function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting us...

4.3CVSS5.9AI score0.0022EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/03/07 1:21 a.m.29 views

CVE-2026-2488 ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pgdeletemsg function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting us...

4.3CVSS0.0022EPSS
Exploits0References6
CVE
CVE
added 2026/03/07 1:21 a.m.11 views

CVE-2026-2488

CVE-2026-2488 refers to a ProfileGrid plugin vulnerability for WordPress where a missing capability check in pg_delete_msg() allows authenticated users with Subscriber+ privileges to delete arbitrary messages. Affected versions up to and including 5.9.8.1 are exploitable. Wordfence and related fe...

4.3CVSS5.9AI score0.0022EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/03/07 1:14 a.m.6 views

WordPress ProfileGrid plugin <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Message Deletion vulnerability discovered by WordFence in WordPress Plugin ProfileGrid versions = 5.9.8.1...

4.3CVSS5.8AI score0.0022EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/14 11:19 p.m.7 views

CVE-2022-50908

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

7.2CVSS6AI score0.00247EPSS
Exploits0References1
NVD
NVD
added 2026/01/13 11:15 p.m.5 views

CVE-2022-50908

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

7.2CVSS0.00247EPSS
Exploits0References4
CVE
CVE
added 2026/01/13 10:51 p.m.15 views

CVE-2022-50908

MailHog 1.0.1 is affected by a stored XSS vulnerability in attachments that allows execution of arbitrary API calls (e.g., message deletion, browser manipulation) when a crafted email is processed. Technical details from multiple sources indicate the issue stems from improper handling of attachme...

7.2CVSS5.6AI score0.00247EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/13 10:51 p.m.23 views

CVE-2022-50908 Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

7.2CVSS0.00247EPSS
Exploits0References4
OSV
OSV
added 2026/01/13 10:51 p.m.6 views

CVE-2022-50908 Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)

Mailhog 1.0.1 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through email attachments. Attackers can send crafted emails with XSS payloads to execute arbitrary API calls, including message deletion and browser manipulation...

5.1CVSS6AI score0.00247EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/01/13 12:0 a.m.6 views

PT-2026-2384

Name of the Vulnerable Software and Affected Versions Mailhog version 1.0.1 Description Mailhog version 1.0.1 has a stored cross-site scripting issue. Attackers can inject malicious scripts through email attachments. By sending crafted emails with XSS payloads, attackers can execute arbitrary API...

7.2CVSS5.8AI score0.00247EPSS
Exploits0References6
Rows per page
Query Builder