CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added yesterday•15 views

CVE-2026-53926

NocoDB vulnerability CVE-2026-53926: prior to 2026.05.1, revokeAllOAuthTokensByUser was an empty stub used by passwordChange, passwordForgot, and passwordReset, so OAuth access and refresh tokens were not revoked after a password change/reset, allowing an attacker-issued token to remain valid. Th...

6.3CVSS5.9AI score0.00051EPSS

ATTACKERKB•added yesterday•3 views

CVE-2026-53926

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, revokeAllOAuthTokensByUser in the users service is an empty stub being called from passwordChange, passwordForgot, and passwordReset. OAuth access and refresh tokens were not revoked when the user changed, reset, or...

6.3CVSS5.9AI score0.00051EPSS

Exploits0References2Affected Software1

Nuclei•added yesterday•7 views

LatePoint <= 5.0.11 - SQL Injection

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

9.8CVSS5.9AI score0.02823EPSS

EUVD•added 4 days ago•6 views

EUVD-2026-38097

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to...

9.8CVSS6AI score0.00625EPSS

Exploits1References4

NVD•added 4 days ago•7 views

CVE-2026-11551

9.8CVSS0.00625EPSS

Exploits1References3

NVD•added 5 days ago•11 views

CVE-2026-12622

The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...

5.3CVSS0.00207EPSS

EUVD•added 5 days ago•6 views

EUVD-2026-38039

The GridTime 3000 GNSS Time Server has an open redirect vulnerability in the password change form submission. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...

5.3CVSS5.8AI score0.00207EPSS

Positive Technologies•added 5 days ago•11 views

PT-2026-51041

Name of the Vulnerable Software and Affected Versions Branda plugin for WordPress versions prior to 3.4.30 Description The plugin is susceptible to privilege escalation through account takeover. This occurs because the software fails to properly validate a user's identity before updating a...

9.8CVSS6AI score0.00625EPSS

Exploits1References9

NVD•added 6 days ago•8 views

CVE-2026-54103

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...

9.8CVSS0.00427EPSS

EUVD•added 6 days ago•8 views

EUVD-2026-37910

9.8CVSS5.4AI score0.00427EPSS

CVE•added 6 days ago•14 views

CVE-2026-54103

CVE-2026-54103 affects GAO EPDS and CBCA EDS, where the /update-profile/N endpoint does not require authentication for password changes. The vulnerability allows a remote attacker to change an arbitrary user’s password without credentials. This result is supported by the CVSS data indicating high...

9.8CVSS5.4AI score0.00427EPSS

Cvelist•added 6 days ago•26 views

CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change

9.8CVSS0.00427EPSS

Positive Technologies•added 6 days ago•13 views

PT-2026-50703

Name of the Vulnerable Software and Affected Versions U.S. GAO Electronic Protest Docketing System EPDS affected versions not specified U.S. CBCA Electronic Docketing System EDS affected versions not specified Description The U.S. Government Accountability Office GAO Electronic Protest Docketing...

9.8CVSS5.9AI score0.00427EPSS

Exploits0References8

Cvelist•added 2026/06/17 2:4 p.m.•25 views

CVE-2026-54415 Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

Missing Authorization in the server management routes routes/admin.php in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email...

8.6CVSS0.00348EPSS

EUVD•added 2026/06/17 2:4 p.m.•8 views

EUVD-2026-37721

8.6CVSS5.3AI score0.00348EPSS

CVE•added 2026/06/17 2:4 p.m.•11 views

CVE-2026-54415

CVE-2026-54415 is a broken access control issue in Azuriom CMS before 1.2.11. An authenticated user with the admin.access permission can abuse server-management routes to create AzLink server tokens and take over non-admin user accounts by changing passwords and emails. The vulnerability exists i...

8.6CVSS5.3AI score0.00348EPSS

Positive Technologies•added 2026/06/17 12:0 a.m.•13 views

PT-2026-50444

Name of the Vulnerable Software and Affected Versions Azuriom CMS versions prior to 1.2.11 Description Missing authorization in the server management routes allows an authenticated attacker with the admin.access permission to create AzLink server tokens. This can lead to the takeover of non-admin...

8.6CVSS5.2AI score0.00348EPSS

Exploits0References5

NVD•added 2026/06/16 3:16 p.m.•10 views

CVE-2026-0647

An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication...

8.8CVSS0.00435EPSS