Lucene search
K

92 matches found

Vulnrichment
Vulnrichment
added 2026/04/17 11:16 p.m.5 views

CVE-2026-40582 ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

9.1CVSS5.7AI score0.00502EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/07 5:58 p.m.9 views

EUVD-2026-19839

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 5:58 p.m.3 views

CVE-2026-39339

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/07 5:58 p.m.197 views

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS0.01351EPSS
Exploits0References1
CVE
CVE
added 2026/04/07 5:58 p.m.7 views

CVE-2026-39339

CVE-2026-39339 describes a critical authentication bypass in ChurchCRM prior to version 7.1.0. An unauthenticated attacker can access all protected API endpoints by including meaningful strings like "api/public" anywhere in the request URL, exposing church member data and system information. The ...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 2:30 p.m.3 views

CVE-2026-35462 Papra Does Not Reject Expired API Keys

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

4.3CVSS5.9AI score0.00239EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/07 2:30 p.m.4 views

EUVD-2026-19657

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

4.3CVSS5.9AI score0.00239EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/07 12:0 a.m.8 views

Papra 代码问题漏洞

Papra is an open-source document management and archiving platform developed by Papra. Versions of Papra prior to 26.4.0 contained code vulnerabilities. These vulnerabilities stemmed from the lack of verification of API keys with an expiresAt date during authentication. As a result, any API key...

4.3CVSS5.9AI score0.00239EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.4 views

PT-2026-30962

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/04 6:14 a.m.7 views

LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...

5.8AI score0.0012EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:13 p.m.6 views

CVE-2025-10736

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility function in all versions up to, and including, 2.2.10. This...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/23 11:40 p.m.25 views

CVE-2026-33242 Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass

Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths e.g.,...

7.5CVSS0.00565EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/23 4:26 a.m.33 views

CVE-2025-10736 ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.10 - Incorrect Authorization to Unauthenticated Information Exposure and Data Manipulation

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility function in all versions up to, and including, 2.2.10. This...

6.5CVSS0.00171EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/23 4:26 a.m.6 views

CVE-2025-10736

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility function in all versions up to, and including, 2.2.10. This...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References3
CVE
CVE
added 2026/03/23 4:26 a.m.16 views

CVE-2025-10736

The CVE-2025-10736 entry concerns the WordPress plugin “ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More.” All versions up to 2.2.10 are affected due to improper authorization checks in the userAccessibility() function, allowing unauthentic...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.6 views

WordPress plugin ReviewX 授权问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/23 12:0 a.m.5 views

PT-2026-27045

Name of the Vulnerable Software and Affected Versions ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress versions through 2.2.10 Description The ReviewX plugin for WordPress is susceptible to unauthorized data access...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References5
NVD
NVD
added 2026/03/06 10:16 p.m.9 views

CVE-2026-30244

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission...

7.5CVSS0.00377EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/05 12:0 a.m.10 views

PT-2026-23619

Name of the Vulnerable Software and Affected Versions Plane versions prior to 1.2.2 Description An issue exists in Plane that allows unauthenticated attackers to enumerate workspace members and extract sensitive information, including email addresses, user roles, and internal identifiers. This is...

7.5CVSS5.8AI score0.00377EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/02/26 10:56 p.m.26 views

CVE-2026-28275 Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API...

8.1CVSS0.00369EPSS
Exploits1References2
Rows per page
Query Builder