18017 matches found
CVE-2026-57377
CVE-2026-57377 describes a missing authorization vulnerability in the WordPress WowAddons plugin (product-addons) affecting versions up to 1.6.8. The underlying issue is broken access control, i.e., incorrectly configured access control security levels, which can allow unauthorized actions. The v...
CVE-2026-15537
A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the...
Ruckus vRioT IoT Controller - Authentication Bypass
Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validatetoken.py,letting unauthenticated attackers interact with the API without authentication. id: CVE-2020-26879 info: name: Ruckus vRioT IoT Controller - Authentication Bypass author: DhiyaneshDk severity:...
Navidrome <=0.54.5 - Authentication Bypass in Subsonic API
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
WordPress My Calendar <3.4.22 - SQL Injection
WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route. id: CVE-2023-6360 info: name: WordPress My Calendar 3.4.22 - SQL Injection author: xxcdd severity: critical...
Stable Diffusion Webui 1.10.0 - Open Redirect
An open redirect vulnerability exists in Stable-Diffusion-Webui 1.10.0, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs. id: CVE-2024-11044...
WordPress Toolbar <= 2.2.6 - Open Redirect
The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. id: CVE-2023-6389 info: name: WordPress Toolbar = 2.2.6 - Open Redirect...
WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwbwgmpreviewmail' and 'mwbwgmwoocommerceaddcartitemdata' functions in all versions up to, and including, 2.6.0. This makes it possible for...
Users Ultra <= 3.1.0 - SQL Injection
The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection...
CVE-2026-15499
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/crontools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload"note" results in improper authorization...
EUVD-2026-43230
Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...
PT-2026-57618
A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly...
CVE-2026-55478
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/kitid/licenses checks whether the caller can edit kits but does not authorize access to the referenced license object, allowing a low-privilege user with predefined-kit permissions to bind a license they should n...
CVE-2026-56675
9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/ access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as...
Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched
Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and...
EUVD-2026-42880
Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...
CVE-2026-6440
The CVE concerns the WordPress plugin GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference. A CSRF vulnerability exists in versions up to 1.1.8 due to missing nonce verification in reset_credential() for the wp_ajax_goodmeet_reset_google_meet_credential action. Although user...
CVE-2026-12924
The Eventin – Event Calendar, Event Registration, Tickets & Booking AI Powered plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etnfaqcontent' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it...
CVE-2026-5069
creationtimestamp| type| source ---|---|--- 2026-07-10 05:39:55+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mqbgptqx442d 2026-07-11 00:43:56+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mqdgnihrty2e...
CVE-2026-15332 zhayujie CowAgent Message Endpoint channel.py authorization
A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released...