Lucene search
K

1197 matches found

CVE
CVE
added 2026/05/14 12:32 p.m.8 views

CVE-2026-4031

CVE-2026-4031 affects the Database Backup for WordPress plugin for WordPress up to version 2.5.2. The root cause is missing authorization for the wp_db_temp_dir parameter, allowing unauthenticated requests to wp-cron.php to point backups to a publicly accessible directory (e.g., wp-content/upload...

7.5CVSS5.7AI score0.00488EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/05/13 8:23 p.m.12 views

CVE-2026-44010

Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read ever...

7.1CVSS5.8AI score0.00338EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/13 6:30 p.m.7 views

EUVD-2026-29946

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII...

6.5CVSS5.8AI score0.00209EPSS
Exploits0References3
NVD
NVD
added 2026/05/13 2:17 p.m.16 views

CVE-2026-37428

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII...

6.5CVSS0.00209EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/13 12:0 a.m.37 views

CVE-2026-37429

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII via a crafted SQL...

0.00275EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.19 views

PT-2026-40812

Name of the Vulnerable Software and Affected Versions CubeCart versions prior to 6.7.0 Description The admin orders-transactions listing page at 'admin.php? g=orders&node=transactions' constructs a raw ORDER BY SQL fragment using the sort array from the $ GET variable without validating the colum...

4.9CVSS6.1AI score0.00239EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.10 views

PT-2026-40604

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII...

5.8AI score0.00209EPSS
Exploits0References2
NVD
NVD
added 2026/05/12 9:16 p.m.40 views

CVE-2026-44010

Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read ever...

7.1CVSS0.00338EPSS
Exploits0References2
Malwarebytes
Malwarebytes
added 2026/05/12 8:41 a.m.14 views

Stolen Canvas data was “returned” after hacker agreement, Instructure says

The Instructure/Canvas data breach that has dominated cybersecurity coverage recently has reached a new stage. Millions of students had personal data stolen, with extortion group ShinyHunters claiming credit for the data breach and applying extra pressure for their ransom demands by bothering...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/05/11 4:11 p.m.14 views

Valtimo has sensitive data exposure through HTTP request/response logging in LoggingRestClientCustomizer

Summary The LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls made via Spring's RestClient and logs the full request body, response body, and response headers. When an error response is received, this information is included in the thrown...

7.6CVSS5.9AI score0.002EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/07 7:33 p.m.11 views

FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download

Summary Fectura Scripts is an open-source ERP application, a sensitive information disclosure vulnerability was identified in the Library module's image upload and download pipeline. The application fails to strip EXIF and other embedded metadata from user-uploaded image files before storing them...

6.5CVSS7.1AI score0.00227EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/07 7:33 p.m.40 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the image upload and download process. An attacker can access sensitive metadata, such as GPS coordinates, device information, timestamps, and personally identifiab...

7.1CVSS5.8AI score0.00227EPSS
Exploits0References2
Wired Threat Level
Wired Threat Level
added 2026/05/07 11:0 a.m.15 views

Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web

Companies like Lovable, Base44, Replit, and Netlify use AI to let anyone build a web app in seconds—and in thousands of cases, spill highly sensitive data onto the public internet...

5.8AI score
Exploits0
NVD
NVD
added 2026/05/07 4:16 a.m.16 views

CVE-2026-41659

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS0.00258EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/07 2:59 a.m.11 views

EUVD-2026-28270

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS5.8AI score0.00258EPSS
Exploits0References2
CVE
CVE
added 2026/05/07 2:59 a.m.10 views

CVE-2026-41659

CVE-2026-41659 (Admidio) : The Admidio member assignment data endpoint before 5.0.9 includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in the SQL search condition, regardless of visibility settings. While JSON output hides these fields, the server-side search runs on the h...

2.7CVSS5.8AI score0.00258EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.18 views

PT-2026-38611

Name of the Vulnerable Software and Affected Versions FacturaScripts versions prior to 2026 Description A sensitive information disclosure issue exists in the Library module of FacturaScripts. The application stores and serves uploaded images byte-for-byte without stripping EXIF, XMP, or IPTC...

6.5CVSS5.8AI score0.00227EPSS
Exploits0References7
Packet Storm News
Packet Storm News
added 2026/05/07 12:0 a.m.19 views

Profiling for Pennies: Unveiling the Privacy Iceberg of LLM Agents

Large Language Models LLMs have revolutionized how information are collected, aggregated, and reasoned. However, this enables a novel and accessible vector of privacy intrusion: the automated and in-depth personal profiling; this engenders a chilling effect of "peepers everywhere". Existing...

5.8AI score
Exploits0
CVE
CVE
added 2026/05/06 6:37 p.m.11 views

CVE-2026-41930

Vvveb

9.8CVSS5.8AI score0.00347EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/06 6:37 p.m.20 views

EUVD-2026-27885

Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to...

9.8CVSS5.8AI score0.00347EPSS
Exploits0References4
Rows per page
Query Builder