Lucene search
K

237 matches found

Cvelist
Cvelist
added 2026/04/17 6:44 a.m.31 views

CVE-2026-6443 Essentialplugin Plugins (Various Versions) - Injected Backdoor

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a...

9.8CVSS0.00495EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 3:32 a.m.7 views

parisneo/lollms has an insufficient session expiration vulnerability

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

4.1CVSS5.9AI score0.0021EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/04/08 2:20 a.m.7 views

EUVD-2026-20030

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

4.1CVSS5.9AI score0.0021EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/08 2:20 a.m.4 views

CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

4.1CVSS5.9AI score0.0021EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.10 views

LoLLMs 代码问题漏洞

LoLLMs is a large language and multimodal system personally developed by Saifeddine ALOUI. LoLLMs has code vulnerabilities; these vulnerabilities stem from an insufficient conversation expiration mechanism after password reset, which may allow attackers to maintain persistent access to compromise...

4.1CVSS5.9AI score0.0021EPSS
Exploits0References1
NVD
NVD
added 2026/04/01 10:16 p.m.4 views

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

8.8CVSS0.00502EPSS
Exploits1References2
NVD
NVD
added 2026/04/01 10:16 p.m.8 views

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

8.8CVSS0.00502EPSS
Exploits1References2
OSV
OSV
added 2026/04/01 10:9 p.m.4 views

GHSA-8FQ3-C5W3-PJ3Q CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary Vulnerability: Improper Session Invalidation on Account Deactivation Broken Access Control / Logic Flaw - This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/01 10:9 p.m.11 views

CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary Vulnerability: Improper Session Invalidation on Account Deactivation Broken Access Control / Logic Flaw - This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/04/01 10:8 p.m.3 views

Incorrect Comparison Logic Granularity

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Incorrect Comparison Logic Granularity due to improper session invalidation in the account deletion process. An attacker can maintain persistent access to protected...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References4
OSV
OSV
added 2026/04/01 10:8 p.m.5 views

GHSA-4VXV-4XQ4-P84H CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

Summary Vulnerability: Improper Session Invalidation on Account Deletion Broken Access Control / Logic Flaw - This vulnerability is caused by a backend logic flaw that maintains a false trust assumption that already-authenticated users remain trustworthy, even after their accounts are explicitly...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References4
CVE
CVE
added 2026/04/01 9:35 p.m.15 views

CVE-2026-34572

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, deactivated accounts do not have their active sessions revoked promptly; authentication-only enforcement allows already-authenticated users to retain access. The root cause is a backend logic flaw where account state changes ar...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/01 9:35 p.m.3 views

CVE-2026-34572 CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deactivated. Due to a logic flaw in the...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References2
CVE
CVE
added 2026/04/01 9:30 p.m.9 views

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton. Before version 0.31.0.0, it does not immediately revoke active sessions when an account is deleted due to a backend logic flaw that enforces account state changes only at login, leaving existing sessions valid indefinitely. This allows deleted accounts...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/01 9:30 p.m.4 views

CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

8.8CVSS5.8AI score0.00502EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/01 9:30 p.m.19 views

CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

8.8CVSS0.00502EPSS
Exploits1References2
Microsoft Secure
Microsoft Secure
added 2026/03/31 5:0 p.m.5 views

The threat to critical infrastructure has changed. Has your readiness?

Critical infrastructure CI organizations underpin national security, public safety, and the economy. In 2026, the cyber threat landscape facing these sectors is structurally different than it was even two years ago. What Microsoft Threat Intelligence is observing across critical infrastructure...

5.9AI score
Exploits0
OSV
OSV
added 2026/03/16 12:0 a.m.4 views

MAL-2026-1556 Malicious code in yoshi-base (npm)

The package 'yoshi-base' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...

5.6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/03/03 4:8 a.m.14 views

Malicious code in xpack-per-device (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5f3e144fc188f6f28820784883e158f5841d1276a3eb100db4c469e45439f415 The package xpack-per-device was found to contain malicious code. Source: ghsa-malware 40c08125e60c3d43432e40679e35d49bb3fc0b9d4a3df799c45b80999f1753...

5.7AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/28 7:45 p.m.13 views

CVE-2026-27757

SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication vulnerability that allows authenticated users to change account passwords without verifying the current password. Attackers who gain access to an authenticated session can modify credentials to maintain persisten...

7.2CVSS5.9AI score0.00252EPSS
Exploits0References1
Rows per page
Query Builder