CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

67 matches found

Positive Technologies•added 2026/05/29 12:0 a.m.•8 views

PT-2026-44746

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays poll get user information' AJAX action, which serializes and returns the...

4.3CVSS5.7AI score0.0005EPSS

Exploits0References10

CNNVD•added 2026/05/11 12:0 a.m.•6 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from the plugin/MobileManager/oauth2.php file, which exposed the user’s password hash in the OAuth login...

6.8CVSS5.8AI score0.0001EPSS

Exploits0References1

Patchstack•added 2026/05/06 3:32 p.m.•4 views

NPM: Flowise: Bcrypt Password Hash Exposure

NPM: Flowise: Bcrypt Password Hash Exposure vulnerability discovered by ? in WordPress Npm flowise versions = 3.0.12...

6.3CVSS5.8AI score0.00019EPSS

Exploits1References6Affected Software1

OSV•added 2026/05/06 3:32 p.m.•4 views

GHSA-8F47-4RH3-X44M Flowise: Bcrypt Password Hash Exposure

A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched...

6.3CVSS5.2AI score0.00019EPSS

Exploits1References6

OSV•added 2026/03/19 11:10 p.m.•2 views

CVE-2026-29108 Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

6.5CVSS5.9AI score0.00018EPSS

Exploits0References3

Cvelist•added 2026/03/19 11:10 p.m.•18 views

CVE-2026-29108 Authenticated SuiteCRM Users Can Retrieve The Password Hash of Any User

6.5CVSS0.00018EPSS

Exploits0References1

CVE•added 2026/03/19 11:10 p.m.•4 views

CVE-2026-29108

SuiteCRM vulnerable prior to 8.9.3 via an authenticated API endpoint that can reveal detailed user data including password hashes and MFA configuration for any user. Root cause: exposed information in the API when queried by an authenticated user. Impact: potential to crack stored password hashes...

6.5CVSS5.8AI score0.00018EPSS

Exploits0References1Affected Software1

Vulnrichment•added 2026/03/19 11:15 a.m.•1 views

CVE-2026-3658 Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

7.5CVSS5.9AI score0.00112EPSS

Exploits0References5

Cvelist•added 2026/02/11 8:36 p.m.•22 views

CVE-2020-37173 AVideo Platform 8.1 - Information Disclosure (User Enumeration)

AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the...

8.7CVSS0.0014EPSS

Exploits1References4

NVD•added 2026/01/29 3:16 p.m.•3 views

CVE-2020-37004

The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tblusers database table. Attackers can exploit the /frontend/getarticlesuggestion/ endpoint by crafting malicious search paramete...

8.2CVSS0.0006EPSS

Exploits0References3

RedhatCVE•added 2026/01/09 11:29 a.m.•6 views

CVE-2021-27491

Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process...

7.5CVSS7AI score0.0022EPSS

Exploits0References1

RedhatCVE•added 2026/01/07 9:27 a.m.•7 views

CVE-2019-12452

types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control which is contrary to the API documentation, allows remote authenticated users to discover password hashes by reading the Basic HTT...

7.5CVSS6.8AI score0.00326EPSS

Exploits1References1

RedhatCVE•added 2025/11/13 1:0 a.m.•5 views

CVE-2025-63666

Tenda AC15 v15.03.05.18multi issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to acce...

9.8CVSS7.4AI score0.00105EPSS

Exploits1References1