Lucene search
+L

1213 matches found

Nuclei
Nuclei
added yesterday15 views

WP Go Maps < 10.0.10 - Unauthenticated Marker Information Disclosure

WP Go Maps WordPress plugin 10.0.10 contains an information disclosure vulnerability caused by lack of approval-state filtering on the public single-marker REST endpoint, letting unauthenticated users access unapproved marker records including PII and geographic coordinates, exploit requires no...

5.3CVSS5.2AI score0.00489EPSS
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-15159

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheetexportformid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...

4.3CVSS0.00178EPSS
Exploits0References2
Cvelist
Cvelist
added yesterday15 views

CVE-2026-15159 Ninja Forms - Excel Export <= 3.3.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Data Disclosure via 'spreadsheet_export_form_id' Parameter

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheetexportformid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...

4.3CVSS0.00178EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-15159

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheetexportformid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...

4.3CVSS6AI score0.00178EPSS
Exploits0References3
Nuclei
Nuclei
added 2 days ago39 views

Schools Alert Management Script - Arbitrary File Read

Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal. id: CVE-2018-12054 info: name: Schools Alert Management Script - Arbitrary File Read author: wisnupramoedya severity: high description: Schools Alert...

7.5CVSS7AI score0.39391EPSS
Exploits4References5
OSV
OSV
added 2 days ago2 views

MAL-2026-10764 Malicious code in syft-acp-atoms (npm)

The syft-acp-atoms package was published to the npm registry by user 'ada8877' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the 'syft-acp' internal/private package naming convention an ACP component library of a target...

6.1AI score
Exploits0References2
NVD
NVD
added 5 days ago8 views

CVE-2026-58408

ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information...

6.5CVSS0.00217EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-58408 ChurchCRM : Broken Access Control in `CSVCreateFile.php` Allows Low-Privileged Users to Export All Members' PII

ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information...

6.5CVSS0.00217EPSS
Exploits0References1
NVD
NVD
added 5 days ago5 views

CVE-2026-15574

A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...

7.5CVSS0.00259EPSS
Exploits0References2
CVE
CVE
added 5 days ago10 views

CVE-2026-15574

The CVE-2026-15574 issue affects the vllm-orchestrator-gateway component, where the production binary logs incoming authorization headers and full chat payloads, potentially exposing PII, secrets, bearer tokens, and conversation content. This data exposure arises from a hard-coded debug/default l...

7.5CVSS6AI score0.00259EPSS
Exploits0References2
NVD
NVD
added 2026/07/09 7:16 a.m.9 views

CVE-2026-11869

The WP DSGVO Tools GDPR WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export including name, postal address, pho...

5.3CVSS0.00193EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/09 6:0 a.m.34 views

CVE-2026-11869 WP DSGVO Tools (GDPR) < 3.1.40 - Unauthenticated Sensitive Information Disclosure via Subject Access Request

The WP DSGVO Tools GDPR WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export including name, postal address, pho...

0.00193EPSS
Exploits0References1
CVE
CVE
added 2026/07/09 6:0 a.m.14 views

CVE-2026-11869

The CVE concerns WP DSGVO Tools (GDPR) WordPress plugin prior to 3.1.40. A missing authorization check on the immediate-processing path of the data subject access request feature allows unauthenticated attackers to generate and download the full personal-data export (name, postal address, phone n...

5.3CVSS6AI score0.00193EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.10 views

PT-2026-56808

Name of the Vulnerable Software and Affected Versions AcyMailing versions prior to 10.11.1 Description An unauthenticated SQL injection flaw exists in the AcyMailing component for Joomla. This issue allows a remote attacker to execute crafted SQL queries to gain unauthorized access to the databas...

9.2CVSS6.1AI score0.00263EPSS
Exploits1References6
NVD
NVD
added 2026/07/08 2:17 p.m.11 views

CVE-2026-56226

Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...

8.7CVSS0.00255EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.4 views

Malicious code in tme-xca (npm)

The tme-xca package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'tme' Travel Mall /...

6.2AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.4 views

Malicious code in @logdna-web/shared (npm)

The @logdna-web/shared package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @logdna-w...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.5 views

Malicious code in @idms-corp/auth-ui (npm)

The @idms-corp/auth-ui package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @idms-cor...

6.1AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/06 12:0 a.m.5 views

Malicious code in @logdna-web/styles (npm)

The @logdna-web/styles package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @logdna-w...

6.1AI score
Exploits0References3
OSV
OSV
added 2026/07/06 12:0 a.m.4 views

MAL-2026-10222 Malicious code in @flex-ng/filter-pipe (npm)

The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...

6.1AI score
Exploits0References3
Rows per page
Query Builder