544 matches found

Packet Storm
added 2026/03/04 12:0 a.m. | 209 views

📄 WordPress AI Engine 3.0.0 Shell Upload

This Metasploit module exploits an unauthenticated file upload vulnerability in the WordPress AI Engine plugin versions prior to 3.0.0. The plugin's REST API endpoint /wp-json/mwai-ui/v1/files/upload fails to properly validate authentication, allowing attackers to upload arbitrary files including...

CVSS 10 | AI score 6.6 | EPSS 0.65046
Exploits: 4
NVD
added 2026/02/27 8:17 a.m. | 18 views

CVE-2025-9572

An authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass...

CVSS 6.5 | EPSS 0.00348
Exploits: 0 | References: 7
EUVD
added 2026/02/26 12:31 a.m. | 5 views

EUVD-2026-8745

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with...

CVSS 5.4 | AI score 5.4 | EPSS 0.00227
Exploits: 0 | References: 7
Cvelist
added 2026/02/25 9:25 p.m. | 22 views

CVE-2026-2694 The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with...

CVSS 5.4 | EPSS 0.00227
Exploits: 0 | References: 6
Vulnrichment
added 2026/02/25 9:25 p.m. | 6 views

CVE-2026-2694 The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with...

CVSS 5.4 | AI score 5.4 | EPSS 0.00227
Exploits: 0 | References: 6
CVE
added 2026/02/25 9:25 p.m. | 18 views

CVE-2026-2694

Affected software: The Events Calendar WordPress plugin. Vulnerability: Improper authorization due to inadequate capability checks on can_edit and can_delete, affecting all versions up to and including 6.15.16. Impact: Authenticated users with Contributor-level access and above can update or tras...

CVSS 5.4 | AI score 5.4 | EPSS 0.00227
Exploits: 0 | References: 6
Vulnrichment
added 2026/02/24 7:1 p.m. | 4 views

CVE-2026-3131

Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data...

AI score 5.9 | EPSS 0.00301
Exploits: 0 | References: 1
NVD
added 2026/02/20 10:16 p.m. | 6 views

CVE-2026-27111

Kargo manages and automates the promotion of software artifacts. From v1.9.0 to v1.9.2, Kargo's authorization model includes a promote verb -- a non-standard Kubernetes "dolphin verb" -- that gates the ability to advance Freight through a promotion pipeline. This verb exists to separate the abili...

CVSS 5.3 | EPSS 0.00175
Exploits: 0 | References: 2
RedhatCVE
added 2026/02/20 7:22 a.m. | 5 views

CVE-2025-13851

The Buyent Classified plugin for WordPress bundled with Buyent theme is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This...

CVSS 9.8 | AI score 5.7 | EPSS 0.0031
Exploits: 0 | References: 1
Snyk
added 2026/02/19 3:16 p.m. | 5 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the REST API. Kargo’s authorization model fails to enforce the non-standard promote "dolphin verb" across three specific endpoints. While this sensitive operation is correctly gated in the legacy gRPC API, the...

CVSS 5.3 | AI score 5.7 | EPSS 0.00175
Exploits: 0 | References: 2
Positive Technologies
added 2026/02/19 12:0 a.m. | 5 views

PT-2026-20778

Dell PowerProtect Data Manager, versions prior to 19.22, contains an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass...

CVSS 4.7 | AI score 5.6 | EPSS 0.00275
Exploits: 0 | References: 1
CNNVD
added 2026/02/19 12:0 a.m. | 10 views

WordPress plugin Buyent Classified security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 9.8 | AI score 6 | EPSS 0.0031
Exploits: 0 | References: 2
Positive Technologies
added 2026/02/19 12:0 a.m. | 7 views

PT-2026-21302

Name of the Vulnerable Software and Affected Versions: Kargo versions 1.9.0 through 1.9.2. Description: Kargo manages and automates the promotion of software artifacts. The authorization model includes a 'promote' verb intended to control access to promotion pipelines. While correctly enforced in th...

CVSS 9.9 | AI score 5.2 | EPSS 0.27661
Exploits: 45 | References: 115
OSV
added 2026/02/12 4:22 p.m. | 8 views

CVE-2025-55210 FreePBX API has a Privilege Escalation Error in GraphQL Allowing Authenticated Users to Access Additional Scopes

FreePBX is an open-source web-based graphical user interface (GUI) that manages Asterisk. Prior to 17.0.5 and 16.0.17, FreePBX module api (PBX API) is vulnerable to privilege escalation by authenticated users with REST/GraphQL API access. This vulnerability allows an attacker to forge a valid JWT wit...

CVSS 2 | AI score 5.6 | EPSS 0.00296
Exploits: 0 | References: 6
NVD
added 2026/02/04 11:15 p.m. | 7 views

CVE-2026-1894

A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the atta...

CVSS 6.5 | EPSS 0.00236
Exploits: 0 | References: 6
Vulnrichment
added 2026/02/04 7:59 p.m. | 4 views

CVE-2026-25513 FacturaScripts has SQL Injection vulnerability in API ORDER BY Clause

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3 | AI score 6 | EPSS 0.00473
Exploits: 3 | References: 2
ATTACKERKB
added 2026/02/04 7:59 p.m. | 7 views

CVE-2026-25513

FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The...

CVSS 8.3 | AI score 6 | EPSS 0.00473
Exploits: 3 | References: 3 | Affected Software: 1
CNNVD
added 2026/02/04 12:0 a.m. | 9 views

FacturaScripts security vulnerability

FacturaScripts is an open-source ERP software developed by Carlos Garcia, a Spanish developer. Versions of FacturaScripts prior to 2025.81 contained security vulnerabilities. These vulnerabilities stemmed from the use of the sort parameter in the REST API, which was directly concatenated into the...

CVSS 8.8 | AI score 6.1 | EPSS 0.00473
Exploits: 3 | References: 2
Positive Technologies
added 2026/02/03 12:0 a.m. | 7 views

PT-2026-6305

Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to 2025.81. Description: FacturaScripts, an open-source enterprise resource planning and accounting software, contains a critical SQL injection issue in its REST API. Authenticated API users can execute arbitrary SQ...

CVSS 8.3 | AI score 6 | EPSS 0.00473
Exploits: 3 | References: 9
Positive Technologies
added 2026/02/03 12:0 a.m. | 7 views

PT-2026-6408

Summary: FacturaScripts contains a critical SQL Injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy method where user-supplied sorting parameters are directly...

CVSS 8.3 | AI score 6.4 | EPSS 0.00473
Exploits: 3 | References: 5