Lucene search
+L

1708 matches found

nvd
nvd
added 2026/04/21 5:16 p.m.6 views

CVE-2026-30452

Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in...

6.5CVSS0.00247EPSS
Exploits0References2
nvd
nvd
added 2026/04/20 10:16 a.m.8 views

CVE-2025-13480

Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been...

6.5CVSS0.00257EPSS
Exploits0References3
cvelist
cvelist
added 2026/04/20 9:0 a.m.33 views

CVE-2025-13480 Incorrect authorization in Fudo Enterprise

Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been...

5.1CVSS0.00257EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/04/20 12:0 a.m.6 views

PT-2026-33717

The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered html capability is disallowed for example in multisite setup...

5.7AI score0.00213EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/04/20 12:0 a.m.13 views

PT-2026-33742

Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been...

5.1CVSS5.7AI score0.00257EPSS
Exploits0References3
osv
osv
added 2026/04/18 12:7 a.m.3 views

CVE-2026-40350 Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints /settings/users and use them to enumerate all users and create a new administrator account. This happens because the route...

8.8CVSS5.9AI score0.00441EPSS
Exploits1References6
euvd
euvd
added 2026/04/07 5:8 p.m.5 views

EUVD-2026-19773

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting Stored XSS vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

8CVSS5.9AI score0.00243EPSS
Exploits0References1
osv
osv
added 2026/04/07 10:46 a.m.2 views

CVE-2026-4420 Stored XSS via Page Creating functionality in Bludit

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...

5.1CVSS5.8AI score0.00161EPSS
Exploits0References6
cnnvd
cnnvd
added 2026/04/07 12:0 a.m.12 views

WordPress plugin Under Construction, Coming Soon & Maintenance Mode 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

7.5CVSS5.8AI score0.00122EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/04/07 12:0 a.m.8 views

WordPress plugin Simple Social Media Share Buttons 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

7.5CVSS5.7AI score0.00122EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/04/06 12:0 a.m.4 views

PT-2026-30660

ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user...

8.1CVSS5.9AI score0.00021EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/04/03 3:15 p.m.1 views

CVE-2026-23439

In the Linux kernel, the following vulnerability has been resolved: udptunnel: fix NULL deref caused by udpsockcreate6 when CONFIGIPV6=n When CONFIGIPV6 is disabled, the udpsockcreate6 function returns 0 success without actually creating a socket. Callers such as foucreate then proceed to...

5.7AI score0.00129EPSS
Exploits0References9Affected Software1
redhatcve
redhatcve
added 2026/04/02 4:56 p.m.4 views

CVE-2026-4927

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11...

6.5CVSS5.9AI score0.00224EPSS
Exploits0References1
snyk
snyk
added 2026/04/01 10:4 p.m.4 views

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS via the backup filename field during backup upload and processing. An attacker can execute arbitrary JavaScript in the browsers of privileged user...

9.1CVSS6AI score0.00269EPSS
Exploits1References2
vulnrichment
vulnrichment
added 2026/04/01 2:54 p.m.2 views

CVE-2026-4927

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11...

5.9AI score0.00224EPSS
Exploits0References1
cve
cve
added 2026/04/01 2:54 p.m.14 views

CVE-2026-4927

CVE-2026-4927 affects Devolutions Server. A flaw in the MFA feature allows users with user-management privileges to obtain other users’ OTP keys via an authenticated API request, exposing sensitive information. Affected versions are 2026.1.6 through 2026.1.11. No remediation details are provided ...

6.5CVSS5.9AI score0.00224EPSS
Exploits0References1Affected Software1
nvd
nvd
added 2026/04/01 11:15 a.m.6 views

CVE-2026-24096

Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 beta before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information...

8.8CVSS0.00236EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/04/01 10:7 a.m.2 views

CVE-2026-24096 Insufficient permission validation on multiple REST API Quick Setup endpoints

Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 beta before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information...

5.3CVSS5.9AI score0.00236EPSS
Exploits0References1
osv
osv
added 2026/04/01 10:7 a.m.3 views

CVE-2026-24096 Insufficient permission validation on multiple REST API Quick Setup endpoints

Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 beta before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information...

5.3CVSS5.9AI score0.00236EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/04/01 12:0 a.m.9 views

PT-2026-29540

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11...

5.9AI score0.00224EPSS
Exploits0References2
Rows per page
Query Builder