Lucene search
K

18017 matches found

CVE
CVE
added yesterday3 views

CVE-2026-57377

CVE-2026-57377 describes a missing authorization vulnerability in the WordPress WowAddons plugin (product-addons) affecting versions up to 1.6.8. The underlying issue is broken access control, i.e., incorrectly configured access control security levels, which can allow unauthorized actions. The v...

6.5CVSS6.1AI score0.00332EPSS
Exploits0References1
NVD
NVD
added yesterday4 views

CVE-2026-15537

A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the...

7.5CVSS0.00263EPSS
Exploits0References6
Nuclei
Nuclei
added yesterday51 views

Ruckus vRioT IoT Controller - Authentication Bypass

Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validatetoken.py,letting unauthenticated attackers interact with the API without authentication. id: CVE-2020-26879 info: name: Ruckus vRioT IoT Controller - Authentication Bypass author: DhiyaneshDk severity:...

10CVSS7AI score0.42479EPSS
Exploits1References6
Nuclei
Nuclei
added yesterday157 views

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.2AI score0.00936EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday129 views

WordPress My Calendar <3.4.22 - SQL Injection

WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route. id: CVE-2023-6360 info: name: WordPress My Calendar 3.4.22 - SQL Injection author: xxcdd severity: critical...

9.8CVSS7.1AI score0.63141EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday86 views

Stable Diffusion Webui 1.10.0 - Open Redirect

An open redirect vulnerability exists in Stable-Diffusion-Webui 1.10.0, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs. id: CVE-2024-11044...

6.1CVSS6.4AI score0.00816EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday63 views

WordPress Toolbar <= 2.2.6 - Open Redirect

The plugin redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. id: CVE-2023-6389 info: name: WordPress Toolbar = 2.2.6 - Open Redirect...

6.1CVSS6.7AI score0.25679EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday33 views

WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload

The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwbwgmpreviewmail' and 'mwbwgmwoocommerceaddcartitemdata' functions in all versions up to, and including, 2.6.0. This makes it possible for...

9.8CVSS7.6AI score0.03858EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday69 views

Users Ultra <= 3.1.0 - SQL Injection

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection...

9.8CVSS7.1AI score0.0854EPSS
Exploits2References5
NVD
NVD
added 2 days ago9 views

CVE-2026-15499

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/crontools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload"note" results in improper authorization...

6.5CVSS0.00201EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago9 views

EUVD-2026-43230

Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and...

8.4CVSS6.1AI score0.00244EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-57618

A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly...

9CVSS6.7AI score0.00396EPSS
Exploits0References7
NVD
NVD
added 4 days ago6 views

CVE-2026-55478

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, POST /api/v1/kits/kitid/licenses checks whether the caller can edit kits but does not authorize access to the referenced license object, allowing a low-privilege user with predefined-kit permissions to bind a license they should n...

5.4CVSS0.00175EPSS
Exploits0References3
NVD
NVD
added 4 days ago6 views

CVE-2026-56675

9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/ access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as...

8.3CVSS0.00315EPSS
Exploits0References3
The Hacker News
The Hacker News
added 4 days ago10 views

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and...

6.1AI score
Exploits0
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42880

Crawl4AI before 0.8.7 contains a server-side request forgery SSRF vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, o...

9.2CVSS6.1AI score0.00371EPSS
Exploits0References3
CVE
CVE
added 4 days ago8 views

CVE-2026-6440

The CVE concerns the WordPress plugin GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference. A CSRF vulnerability exists in versions up to 1.1.8 due to missing nonce verification in reset_credential() for the wp_ajax_goodmeet_reset_google_meet_credential action. Although user...

4.3CVSS6AI score0.00168EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-12924

The Eventin – Event Calendar, Event Registration, Tickets & Booking AI Powered plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etnfaqcontent' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References9
Circl
Circl
added 4 days ago7 views

CVE-2026-5069

creationtimestamp| type| source ---|---|--- 2026-07-10 05:39:55+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mqbgptqx442d 2026-07-11 00:43:56+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mqdgnihrty2e...

5.4CVSS6.1AI score0.00176EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-15332 zhayujie CowAgent Message Endpoint channel.py authorization

A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released...

6.5CVSS0.00209EPSS
Exploits0References6
Rows per page
Query Builder