Lucene search
K

201990 matches found

Nuclei
Nuclei
added yesterday35 views

Blinko <= 1.8.3 - User Information Leak

Blinko = 1.8.4 contains an information disclosure caused by a publicly accessible endpoint exposing user information including usernames, roles, and account creation dates, letting remote attackers access sensitive user data, exploit requires no special privileges. id: CVE-2026-23486 info: name:...

6.9CVSS6AI score0.00711EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday16 views

WeGIA <= 3.6.4 - Remote Code Execution

WeGIA = 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands id: CVE-2026-28409 info: name: WeGIA = 3.6.4 - Remote Code Execution author:...

10CVSS6.8AI score0.03315EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday13 views

PraisonAI AgentOS - Information Disclosure

PraisonAI's AgentOS FastAPI application server exposes an unauthenticated GET /api/agents endpoint that lists every registered agent's name, role and the opening of its instructions system prompt. No authentication is enforced on the route, allowing a remote attacker to enumerate agent...

7.3CVSS7.3AI score0.26799EPSS
Exploits4
ATTACKERKB
ATTACKERKB
added 3 days ago4 views

CVE-2026-28705

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

6AI score0.00181EPSS
Exploits0References5
EUVD
EUVD
added 3 days ago4 views

EUVD-2026-41641

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

6AI score0.00181EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-41557

A flaw was found in the Fine-Grained Admin Permissions FGAP v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a...

4.3CVSS5.9AI score0.00172EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-41555

A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions FGAP v2 are turned on, an administrator who is allowed to see a specific "role" can...

4.3CVSS6AI score0.00187EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-58579

RAGFlow before 0.26.3 stores an agent pipeline DSL node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalizedsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name int...

5.4CVSS5.9AI score0.00182EPSS
Exploits0References6
EUVD
EUVD
added 4 days ago10 views

EUVD-2026-41421

RAGFlow before 0.26.3 stores an agent pipeline DSL node name without sanitization: the agent update endpoint normalizes the submitted DSL via normalizedsl, which only performs JSON serialization validation and preserves the node name verbatim. The dataflow-result web UI then renders that name int...

5.4CVSS5.9AI score0.00182EPSS
Exploits0References5
CVE
CVE
added 4 days ago10 views

CVE-2026-58579

RAGFlow before 0.26.3 stores an agent pipeline (DSL) node name without sanitization. The update endpoint normalizes DSL via JSON serialization but preserves the node name, and the dataflow-result UI renders it with dangerouslySetInnerHTML while i18next escapeValue is false, allowing an authentica...

5.4CVSS5.9AI score0.00182EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago10 views

EUVD-2026-36317

OpenClaw: Matrix allowFrom could bind to mutable display names...

8.8CVSS5.8AI score0.00309EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago37 views

CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

0.00189EPSS
Exploits0References1
CVE
CVE
added 4 days ago12 views

CVE-2026-11781

The CVE-2026-11781 entry affects the Adminify WordPress plugin prior to version 4.2.10. The vulnerability arises because the plugin does not perform per-user read-capability checks on results returned by an administration search feature. As a result, users with a low-privilege role (Contributor) ...

2.7CVSS5.7AI score0.00189EPSS
Exploits0References1
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-41249

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys meta key names in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the themeta function: while the custom field VALUE is sanitized with wpksespost...

6.4CVSS5.9AI score0.00217EPSS
Exploits0References8
Cvelist
Cvelist
added 4 days ago37 views

CVE-2026-10089 Insert Pages <= 3.11.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Keys (Meta Key Names)

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys meta key names in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the themeta function: while the custom field VALUE is sanitized with wpksespost...

6.4CVSS0.00217EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-34099

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in jobinfo.php line 16: SELECT FROM jobs where id = '".$GET'id'."'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current...

9.8CVSS5.8AI score0.00459EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-41056

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in jobinfo.php line 16: SELECT FROM jobs where id = '".$GET'id'."'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current...

9.8CVSS5.8AI score0.00459EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-58033 "Total number of distinct authors" statistic at action=info does not exclude revisions where the author name was deleted

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/InfoAction.Php. This issue affects MediaWiki: from before 1.46.0, 1.45.4, 1.44.6, 1.43.9...

5.3CVSS0.00428EPSS
Exploits0References1
NVD
NVD
added 5 days ago7 views

CVE-2026-12113

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabcappointmentsfilterlist. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer...

4.3CVSS0.00228EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-54735

Name of the Vulnerable Software and Affected Versions Guardian language-system affected versions not specified Description An unauthenticated attacker can perform error-based SQL injection by sending crafted values to the id parameter via a GET request to the 'job info.php' endpoint. The issue...

9.8CVSS5.8AI score0.00459EPSS
Exploits0References6
Rows per page
Query Builder