Lucene search
K

60 matches found

NVD
NVD
added last week5 views

CVE-2026-58580

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS0.00154EPSS
Exploits0References2
EUVD
EUVD
added last week7 views

EUVD-2026-41422

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS5.8AI score0.00154EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-58580

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS5.8AI score0.00154EPSS
Exploits0References3
CVE
CVE
added last week13 views

CVE-2026-58580

LobeChat up to version 2.2.9 is affected by broken object-level authorization in MessageModel. An authenticated user who knows another user’s non-enumerable message identifier can overwrite that victim’s plugin tool‑call metadata, plugin state/error, and TTS/translation records via tRPC message p...

6CVSS5.8AI score0.00154EPSS
Exploits0References2
Cvelist
Cvelist
added last week33 views

CVE-2026-58580 LobeChat 2.2.9 - Broken Object-Level Authorization in Message Sub-Resource Writes

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS0.00154EPSS
Exploits0References2
OSV
OSV
added 2026/06/26 4:32 p.m.2 views

GHSA-PR7J-96CJ-549H Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/26 4:32 p.m.6 views

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-53003

Name of the Vulnerable Software and Affected Versions Fluentd versions prior to 1.19.3 Description The Monitor Agent plugin in monitor agent exposes internal metrics and plugin information through a REST API. The responses from the /api/plugins.json endpoint and related endpoints unintentionally...

7.5CVSS7.1AI score
Exploits0References7
NVD
NVD
added 2026/06/24 7:16 a.m.12 views

CVE-2026-12094

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdbajaxdeleteuser function in versions up to, and including, 1.0.0. The handler is registered against both wpajaxcf7cdbdelete and...

5.3CVSS0.00295EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/22 12:0 a.m.10 views

WordPress plugin Alfie – Feed Plugin 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.8AI score0.00164EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.13 views

PT-2026-42724

Name of the Vulnerable Software and Affected Versions Alfie – Feed Plugin for WordPress versions prior to 1.2.2 Description Cross-Site Request Forgery occurs due to missing nonce validation in the alfie manage function, which handles feed deletion through the 'delete' GET parameter. This allows...

4.3CVSS5.8AI score0.00164EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2026/04/20 7:45 a.m.3 views

CVE-2026-6618 langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...

6.5CVSS5.3AI score0.00206EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/01/17 5:22 a.m.17 views

CVE-2026-1000

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration function. This makes it possible for authenticated attackers, wi...

6.5CVSS5.3AI score0.00282EPSS
Exploits0References1
NVD
NVD
added 2026/01/16 5:16 a.m.13 views

CVE-2026-1000

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration function. This makes it possible for authenticated attackers, wi...

6.5CVSS0.00282EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/01/16 4:44 a.m.5 views

CVE-2026-1000

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration function. This makes it possible for authenticated attackers, wi...

6.5CVSS5.5AI score0.00282EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/01/16 12:0 a.m.6 views

PT-2026-3218

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration function. This makes it possible for authenticated attackers, wi...

6.5CVSS5.3AI score0.00282EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/01/07 9:8 a.m.6 views

CVE-2024-2019

The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbterender' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated...

7.5CVSS6.4AI score0.00382EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/13 12:9 p.m.4 views

CVE-2025-14159

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.2. This is due to missing nonce validation on the 'ayssccpresultsexportfile' AJAX action. This makes it possible for unauthenticated...

4.3CVSS4.8AI score0.00137EPSS
Exploits0References1
Veracode
Veracode
added 2025/12/13 5:57 a.m.7 views

Server-Side Template Injection (SSTI)

getgrav/grav is vulnerable to a Server-Side Template Injection SSTI. The vulnerability is due to improper input handling in form submissions, which allows an attacker to send a crafted POST payload to expose sensitive configuration details, including plugin configurations...

8.7CVSS5.9AI score0.00331EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2025/10/30 6:45 a.m.7 views

EUVD-2025-36971

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myapppverify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data...

5.3CVSS4.9AI score0.00277EPSS
Exploits0References5
Rows per page
Query Builder