Lucene search
K

217 matches found

Positive Technologies
Positive Technologies
added 2026/05/16 12:0 a.m.18 views

PT-2026-41448

Name of the Vulnerable Software and Affected Versions MyBB Timeline Plugin version 1.0 Description Cross-site scripting issues allow the injection of malicious scripts via thread titles, post content, and user profile fields such as Location and Bio. Additionally, a cross-site request forgery fla...

6.9CVSS5.8AI score0.00232EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/16 12:0 a.m.10 views

MyBB Timeline Plugin 跨站脚本漏洞

The MyBB Timeline Plugin is a plugin provided by MyBB Corporation that offers dynamic timeline displays and social activity stream functions for MyBB forums. Version 1.0 of the MyBB Timeline Plugin contained a cross-site scripting vulnerability. This vulnerability stemmed from cross-site scriptin...

6.9CVSS5.6AI score0.00232EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/15 9:31 p.m.8 views

EUVD-2025-209885

ORSEE Online Recruitment System for Economic Experiments 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix "func:" which are passed directly into an eval...

5.8AI score0.00343EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/15 6:36 p.m.14 views

CVE-2021-47962 Savsoft Quiz 5.0 Persistent Cross-Site Scripting via User Settings

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edituser endpoint, which execute in th...

6.4CVSS5.7AI score0.00243EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/15 12:0 a.m.33 views

CVE-2025-67031

ORSEE Online Recruitment System for Economic Experiments 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix "func:" which are passed directly into an eval...

0.00343EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.12 views

PT-2026-41373

ORSEE Online Recruitment System for Economic Experiments 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values beginning with the prefix "func:" which are passed directly into an eval...

5.8AI score0.00343EPSS
Exploits0References3
CVE
CVE
added 2026/05/15 12:0 a.m.14 views

CVE-2025-67031

ORSEE 3.1.0 contains an authenticated Remote Code Execution vulnerability in the participant profile field processing subsystem. Certain field configurations accept values starting with the prefix "func:" , which are passed directly into an eval() call inside tagsets/participant.php and tagsets/o...

6.3CVSS5.8AI score0.00343EPSS
Exploits0References2
NVD
NVD
added 2026/05/07 4:16 a.m.16 views

CVE-2026-41659

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS0.00258EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/07 2:59 a.m.38 views

CVE-2026-41659 Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS0.00258EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/07 2:59 a.m.11 views

EUVD-2026-28270

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS5.8AI score0.00258EPSS
Exploits0References2
CVE
CVE
added 2026/05/07 2:59 a.m.10 views

CVE-2026-41659

CVE-2026-41659 (Admidio) : The Admidio member assignment data endpoint before 5.0.9 includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in the SQL search condition, regardless of visibility settings. While JSON output hides these fields, the server-side search runs on the h...

2.7CVSS5.8AI score0.00258EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/07 2:59 a.m.7 views

CVE-2026-41659

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS5.8AI score0.00258EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/07 2:59 a.m.9 views

CVE-2026-41659 Admidio: Hidden Profile Field Values Leaked via Blind Search Oracle in Member Assignment

Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...

2.7CVSS5.8AI score0.00258EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/07 12:0 a.m.9 views

Admidio 信息泄露漏洞

Admidio is a set of open-source member management systems developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Prior to Admidio 5.0.9, there was a vulnerability involving information leakage. This...

2.7CVSS5.9AI score0.00258EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/06 7:48 p.m.9 views

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the export function. An attacker can execute arbitrary spreadsheet formulas in the context of an administrator's local machine by injecting formula payloads into profile fields, which are then exported and opened in...

8.2CVSS6.4AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.6 views

CVE-2026-7641

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

8.8CVSS5.7AI score0.00665EPSS
Exploits0References1
NVD
NVD
added 2026/05/02 5:16 a.m.7 views

CVE-2026-7641

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

8.8CVSS0.00665EPSS
Exploits0References14
Vulnrichment
Vulnrichment
added 2026/05/02 4:27 a.m.6 views

CVE-2026-7641 Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

8.8CVSS5.7AI score0.00665EPSS
Exploits0References14
CNNVD
CNNVD
added 2026/05/02 12:0 a.m.9 views

WordPress plugin Import and export users and customers 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

8.8CVSS5.8AI score0.00665EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.5 views

PT-2026-36572

Name of the Vulnerable Software and Affected Versions Import and export users and customers plugin for WordPress versions prior to 2.0.9 Description An issue exists in the save extra user profile fields function where an incomplete blocklist fails to restrict capability meta keys for subsites in ...

8.8CVSS5.8AI score0.00665EPSS
Exploits0References20
Rows per page
Query Builder