Lucene search
K

12565 matches found

Nuclei
Nuclei
added 6 hours ago55 views

Sidekiq < 7.0.8 - Cross-Site Scripting

An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...

9.6CVSS7.2AI score0.02742EPSS
Exploits1References3
Nuclei
Nuclei
added 6 hours ago470 views

Moodle - Cross-Site Scripting/Remote Code Execution

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. Moodle versions 4.1.x before 4.1.3 and 4.2.x before...

6.5CVSS7AI score0.06583EPSS
Exploits3References5
Nuclei
Nuclei
added 6 hours ago35 views

Etherpad Lite <1.6.4 - Admin Authentication Bypass

Etherpad Lite before 1.6.4 is exploitable for admin access. id: CVE-2018-9845 info: name: Etherpad Lite 1.6.4 - Admin Authentication Bypass author: philippedelteil severity: critical description: Etherpad Lite before 1.6.4 is exploitable for admin access. impact: | An attacker can bypass the admi...

9.8CVSS7.2AI score0.13132EPSS
Exploits0References5
Nuclei
Nuclei
added 6 hours ago9 views

Karel IP Phone IP1211 Web Management Panel - Local File Inclusion

Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter. id: CVE-2025-34023 info: name: Karel IP Phone IP1211 Web Management Pane...

8.5CVSS6.1AI score0.01409EPSS
Exploits0References3
Nuclei
Nuclei
added 6 hours ago17 views

KevinLAB BEMS (Building Energy Management System) - Backdoor Account

KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highes...

9CVSS7AI score0.06719EPSS
Exploits2References2
Nuclei
Nuclei
added 6 hours ago85 views

CentOS Web Panel - SQL Injection

The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. id: CVE-2021-31316 info: name: CentOS Web Panel - SQL Injection author: ritikchaddha severity: critical description: | The unprivileged user portal part of CentOS Web Pane...

10CVSS7.3AI score0.13029EPSS
Exploits1References2
Nuclei
Nuclei
added 6 hours ago1474 views

Pterodactyl Panel - Remote Code Execution

Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. id: CVE-2025-49132 info: name: Pterodactyl Panel - Remote Code Execution...

10CVSS6.3AI score0.13105EPSS
Exploits28References3
Nuclei
Nuclei
added 6 hours ago25 views

CentOS Web Panel - OS Command Injection

The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. id: CVE-2021-31324 info: name: CentOS Web Panel - OS Command Injection author: ritikchaddha severity: critical description: | The unprivileged user portal...

10CVSS7.3AI score0.34062EPSS
Exploits1References2
Nuclei
Nuclei
added 6 hours ago56 views

Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access

Tieline IP Audio Gateway 2.6.4.8 and below is affected by a vulnerability in the web administrative interface that could allow an unauthenticated user to access a sensitive part of the system with a high privileged account. id: CVE-2021-35336 info: name: Tieline IP Audio Gateway =2.6.4.8 -...

9.8CVSS7.2AI score0.11587EPSS
Exploits1References4
Nuclei
Nuclei
added 6 hours ago28 views

Control Web Panel (CWP) - File Inclusion

In CWP Control Web Panel, previously CentOS Web Panel before version 0.9.8.1107, an unauthenticated attacker can abuse null byte %00 injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be...

9.8CVSS7.7AI score0.70947EPSS
Exploits1References2
Nuclei
Nuclei
added 6 hours ago64 views

1Panel SQL Injection - Authenticated

1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to...

9.8CVSS7.3AI score0.29396EPSS
Exploits1References1
Nuclei
Nuclei
added 6 hours ago43 views

Netsweeper 4.0.5 - Default Weak Account

The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. id: CVE-2014-9614 info: name: Netsweeper 4.0.5 - Default Weak Account author: daffainfo severity: critica...

9.8CVSS7.3AI score0.66638EPSS
Exploits1References4
Nuclei
Nuclei
added 6 hours ago10 views

Dyn Business Panel Plugin <= 1.0.0 - Cross-Site Scripting

Dyn Business Panel WordPress plugin = 1.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter in output, letting attackers execute scripts in the context of high privilege users, exploit requires victim to click a malicious link. id: CVE-2024-130...

7.1CVSS7.1AI score0.00522EPSS
Exploits1References2
Nuclei
Nuclei
added 6 hours ago82 views

i-Panel Administration System 2.0 - Cross-Site Scripting

i-Panel Administration System 2.0 contains a cross-site scripting vulnerability that enables an attacker to execute arbitrary JavaScript code in the browser-based web console. id: CVE-2021-41878 info: name: i-Panel Administration System 2.0 - Cross-Site Scripting author: madrobot severity: medium...

6.1CVSS6.6AI score0.09912EPSS
Exploits4References5
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-49276

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, making the target clickable by the user who entered it and...

7.4CVSS5.8AI score
Exploits0References4Affected Software1
CVE
CVE
added yesterday20 views

CVE-2026-54003

Summary of CVE-2026-54003 (Kirby CMS) : Affected Kirby installations with no configured user accounts, running behind a reverse proxy that sets Forwarded, X-Client-IP, or X-Real-IP headers could allow remote attackers to install the Panel and create the first admin user. This occurs on releases p...

9.1CVSS6AI score
Exploits0References8
Nuclei
Nuclei
added yesterday94 views

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS7.7AI score0.96182EPSS
Exploits16References5
Nuclei
Nuclei
added yesterday35 views

Triofox - Improper Access Control

The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely...

9.1CVSS7.4AI score0.90532EPSS
Exploits1References3
NVD
NVD
added 2 days ago7 views

CVE-2026-60092

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS0.002EPSS
Exploits0References3
CVE
CVE
added 2 days ago7 views

CVE-2026-60092

The CVE-2026-60092 entry describes a stored cross-site scripting vulnerability in the AVideo Meet plugin. When a participant joins a public meeting, the raw HTTP User-Agent header is stored in meet_join_log.user_agent without sanitization and later echoed in the Participants management panel (vis...

6.1CVSS5.7AI score0.002EPSS
Exploits0References3
Rows per page
Query Builder