Lucene search
K

696 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/21 5:10 p.m.9 views

CVE-2026-48230

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdbimport.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix,...

5.4CVSS5.8AI score0.00212EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.10 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions prior to Concrete CMS 9.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the User Profile Editing controller, which passed the entire original POST array to UserInfo::update...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.11 views

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from multiple POST parameters in tables.php—tablename, indexname, and sortby—which were...

7.1CVSS5.9AI score0.00214EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42500

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm add str POST parameter directly into an HTML form hidden input value attribute...

5.4CVSS5.8AI score0.00212EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 12:58 p.m.11 views

Malicious code in @scp3500/openvl (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fee1ab6796d8af462e9f00e82a28545b72eae4d9d9f0ab0f36ca4b09cd29487c scripts/mcpserver.js loads childprocess, fs, and http, reads from process.env, and issues HTTP POST requests to a hardcoded external destination at...

5.9AI score
Exploits0References1
OSV
OSV
added 2026/05/20 8:14 a.m.8 views

MAL-2026-4601 Malicious code in local-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4649a6cac828460ea4a3e6d867038eaa507f109eb6a46de9eef1fc340d867608 The package executes lifecycle and import-time code that fetches executables and posts host data to off-publisher infrastructure. download.js line 92...

5.9AI score
Exploits0References21
Github Security Blog
Github Security Blog
added 2026/05/18 4:23 p.m.15 views

CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule

Summary The Pages backend module registers the htmlpurify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo-content without esc, yielding...

6.1AI score0.00062EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/18 4:23 p.m.6 views

GHSA-GQR2-7HCG-RCHF CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule

Summary The Pages backend module registers the htmlpurify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo-content without esc, yielding...

8.7CVSS6.1AI score0.00062EPSS
Exploits0References3
OPENSUSE Linux
OPENSUSE Linux
added 2026/05/18 12:0 a.m.16 views

Security update for cacti (important)

openSUSE Security Update: Security update for cacti Announcement ID: openSUSE-SU-2026:0169-1 Rating: important References: Affected Products: openSUSE Backports SLE-15-SP7 An update that contains security fixes can now be installed. Description: This update for cacti fixes the following issues: -...

6AI score
Exploits0
CNNVD
CNNVD
added 2026/05/17 12:0 a.m.12 views

Joomla! extension EkRishta SQL注入漏洞

The Joomla! extension EkRishta is an open-source community extension designed to provide Joomla websites with functions for matchmaking and marriage-related services. Version 2.10 of the Joomla! extension EkRishta contains a SQL injection vulnerability. This vulnerability stems from persistent...

8.8CVSS5.8AI score0.00317EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/16 5:49 a.m.15 views

Cross-site Scripting (XSS)

ci4-cms-erp/ci4ms is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization and output encoding of user-controlled post data in the Menu Management functionality, which allows an attacker to inject malicious scripts that execute in administrative dashboards and...

9.1CVSS5.9AI score0.00269EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/05/15 7:16 p.m.13 views

CVE-2021-47967

PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, o...

6.1CVSS0.00211EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/14 8:24 a.m.9 views

EUVD-2026-30260

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

5.3CVSS5.8AI score0.00351EPSS
Exploits0References3
CVE
CVE
added 2026/05/14 8:24 a.m.22 views

CVE-2026-6206

The MW WP Form plugin for WordPress (versions

5.3CVSS5.8AI score0.00351EPSS
Exploits0References3
NVD
NVD
added 2026/05/14 5:16 a.m.26 views

CVE-2026-7525

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS0.00341EPSS
Exploits0References12
Cvelist
Cvelist
added 2026/05/14 3:27 a.m.42 views

CVE-2026-7525 My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS0.00341EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.12 views

PT-2026-40850

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References13
ATTACKERKB
ATTACKERKB
added 2026/05/13 8:58 p.m.9 views

CVE-2026-44418

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via strreplace without any sanitization, enabling SQL injection through query parameters th...

9.8CVSS5.9AI score0.0035EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/13 8:58 p.m.9 views

CVE-2026-44418 Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via strreplace without any sanitization, enabling SQL injection through query parameters th...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References2
CVE
CVE
added 2026/05/13 2:22 p.m.14 views

CVE-2020-37168

The CVE-2020-37168 entry concerns Ecommerce Systempay 1.0, where a weak cryptographic implementation exposes a 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint and perform a ...

9.8CVSS5.8AI score0.00246EPSS
Exploits0References4
Rows per page
Query Builder