Lucene search
+L

1014 matches found

CVE
CVE
added 2 days ago89 views

CVE-2026-63030

Summary (CVE-2026-63030 & related CVE-2026-60137): WordPress core pre-6.9.5/7.0.2 is vulnerable to an unauthenticated remote code execution chain via the REST API batch endpoint. The root cause is a route-confusion bug in WP_REST_Server::serve_batch_request_v1() that desynchronizes the per-sub-re...

9.8CVSS6AI score0.08946EPSS
Exploits30References2
Tenable Nessus
Tenable Nessus
added 5 days ago9 views

Zoom Workplace < 7.0.0 Vulnerability (ZSB-26014)

The version of Zoom Workplace installed on the remote host is prior to 7.0.0. It is, therefore, affected by a vulnerability as referenced in the ZSB-26014 advisory. - Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may...

9.8CVSS5.7AI score0.00508EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/07/10 3:45 p.m.9 views

CVE-2026-15376 Eleveo Call Recording Software statisticReportAction.do improper authorization

A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...

6.5CVSS6.3AI score0.00256EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/10 4:31 a.m.6 views

EUVD-2026-42803

The affiliate-toolkit – WP Affiliate Plugin with Amazon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'atkpproduct' shortcode in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. Th...

6.4CVSS6.1AI score0.00333EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.10 views

PT-2026-57164

Name of the Vulnerable Software and Affected Versions Lucee CFML Server versions 5.3.x Lucee CFML Server versions 6.1.x Lucee CFML Server versions 6.2.x Lucee CFML Server versions 7.0.x Description Reflected cross-site scripting occurs during URL path parsing, allowing unauthenticated remote...

8.2CVSS6.3AI score0.00386EPSS
Exploits1References4
OSV
OSV
added 2026/07/09 6:28 p.m.4 views

CVE-2026-59149 Mockoon: Path traversal in templated `filePath` lets a request escape the served directory (prefix-only base check)

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, a FILE response whose filePath embeds request data is confined by getSafeFilePath in packages/commons-server/src/libs/server/server.ts with resolvedPath.startsWithstaticBaseDir. That prefix test has no path-separator boundary, so a...

6.5CVSS6.1AI score0.0033EPSS
Exploits0References7
CVE
CVE
added 2026/07/09 6:27 p.m.14 views

CVE-2026-59148

The CVE covers Mockoon prior to version 9.7.0, where the admin API was mounted on the same Express listener as user mock routes with default-enabled, unauthenticated access and permissive CORS (Access-Control-Allow-Origin: ). This allowed any unauthenticated client on the mock server port to: rea...

8.8CVSS6AI score0.00173EPSS
Exploits0References5
OSV
OSV
added 2026/07/07 11:45 a.m.7 views

PYSEC-2026-1148 Improper Certificate Validation vulnerability in Apache Airflow FTP Provider

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider. The FTP hook lacks complete certificate validation in FTPTLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.createdefaultcontext during FTPTLS...

2.7CVSS6AI score0.00626EPSS
Exploits0References9
OSV
OSV
added 2026/07/07 11:45 a.m.4 views

PYSEC-2026-1144 Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service

Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an...

6.5CVSS6.5AI score0.00381EPSS
Exploits0References9
NVD
NVD
added 2026/07/05 3:16 p.m.8 views

CVE-2026-9085

Incorrect Permission Assignment for Critical Resource, Improper Access Control vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus-Parental-Control allows DNS Spoofing. This issue affects Pardus-Parental-Control: from =0.5.1 before 0.7.0...

8.8CVSS0.00101EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:16 a.m.12 views

CVE-2026-57763

Contributor Cross Site Scripting XSS in Structured Content = 1.7.0 versions...

6.5CVSS5.8AI score0.00139EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/30 7:4 p.m.8 views

EUVD-2026-40378

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability...

3.5CVSS5.8AI score0.00241EPSS
Exploits0References1
CVE
CVE
added 2026/06/29 8:18 p.m.32 views

CVE-2026-34597

CVE-2026-34597 affects Coolify prior to 4.0.0-beta.470. The vulnerability lies in how user-supplied build parameters for the Nixpacks build pack are handled: the install_command provided by a user is directly concatenated into a shell command string executed on the deployment host during the buil...

8.8CVSS6.2AI score0.00526EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.13 views

PT-2026-52476

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.2.0670 Description The get text props function in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textprop T entries that follow. Because the count ...

6.1CVSS5.8AI score0.00113EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/24 9:24 p.m.19 views

CVE-2026-55570 SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields name, version, author, description when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is...

9CVSS0.00327EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:21 p.m.21 views

CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...

8.7CVSS0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/22 1:20 p.m.11 views

EUVD-2025-210300

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

5.4CVSS5.5AI score0.00139EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/21 10:45 p.m.7 views

CVE-2026-12814

A flaw has been found in Comfast CF-WR631AX V3 up to 2.7.0.8. This issue affects the function system of the file /cgi-bin/mbox-config?section=pingconfig of the component API Endpoint. This manipulation of the argument destination causes os command injection. The attack is possible to be carried o...

6.5CVSS6.1AI score0.01182EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/06/16 10:16 a.m.15 views

CVE-2026-2381

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxpayfororder function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or orderkey verification when...

6.5CVSS0.00267EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/15 9:30 p.m.11 views

EUVD-2026-36973

Unauthenticated Broken Access Control in Redsys for WooCommerce Light = 7.0.0 versions...

7.5CVSS5.1AI score0.00246EPSS
Exploits0References2
Rows per page
Query Builder