
64 matches found

NVD | added yesterday | 3 views

CVE-2025-69153

Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions...

CVSS 7.1 | Exploits: 0 | References: 1
Cvelist | added yesterday | 6 views

CVE-2025-69153 WordPress Trendy Travel theme <= 6.7 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions...

CVSS 7.1 | Exploits: 0 | References: 1
Patchstack | added 3 days ago | 4 views

WordPress SpaLab | Beauty Salon WordPress Theme theme <= 6.7 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme SpaLab | Beauty Salon WordPress Theme versions <= 6.7...

CVSS 7.1 | AI score 5.8 | Exploits: 0 | Affected Software: 1
NVD | added 2026/05/13 9:16 p.m. | 15 views

CVE-2026-45053

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint POST /api/v1/files of CubeCart. The endpoint allows any holder of an API key with files:rw permission to upload PHP source files into the...

CVSS 9.1 | EPSS 0.00585 | Exploits: 0 | References: 1
Positive Technologies | added 2026/05/13 12:00 a.m. | 10 views

PT-2026-40805

Name of the Vulnerable Software and Affected Versions: CubeCart versions prior to 6.7.0. Description: An unauthenticated Reflected Cross-Site Scripting (XSS) issue exists in the search feature. A logic flaw in the classes/catalogue.class.php file allows user input to be reflected without sanitization...

CVSS 6.1 | AI score 5.8 | EPSS 0.00697 | Exploits: 2 | References: 5
CNNVD | added 2026/05/13 12:00 a.m. | 13 views

CubeCart Code Injection Vulnerability

CubeCart is an open-source e-commerce software developed by CubeCart. Versions of CubeCart prior to 6.7.0 had a code injection vulnerability. This vulnerability stemmed from authenticated server-side template injections in multiple modules. The application insecurely evaluated inputs provided by...

CVSS 9.1 | AI score 6.2 | EPSS 0.00415 | Exploits: 0 | References: 1
CNNVD | added 2026/05/02 12:00 a.m. | 10 views

WordPress plugin WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The WordPres...

CVSS 8.1 | AI score 5.8 | EPSS 0.00328 | Exploits: 0 | References: 2
Vulnrichment | added 2026/04/15 1:25 a.m. | 6 views

CVE-2026-4812 Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

CVSS 5.3 | AI score 5.7 | EPSS 0.00625 | Exploits: 0 | References: 17
SUSE CVE | added 2026/03/28 12:27 a.m. | 5 views

SUSE CVE-2026-32301

Centrifugo is an open-source scalable real-time messaging server. Prior to 6.7.0, Centrifugo is vulnerable to Server-Side Request Forgery (SSRF) when configured with a dynamic JWKS endpoint URL using template variables (e.g. tenant). An unauthenticated attacker can craft a JWT with a malicious iss or...

CVSS 9.3 | AI score 5.9 | EPSS 0.00258 | Exploits: 1 | References: 3
Cvelist | added 2026/03/20 9:39 p.m. | 26 views

CVE-2026-33171 Statamic has a path traversal in file dictionary fieldtype

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...

CVSS 4.3 | EPSS 0.00348 | Exploits: 0 | References: 1
Snyk | added 2026/03/13 8:03 p.m. | 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

CVSS 9.3 | AI score 5.9 | EPSS 0.00258 | Exploits: 1 | References: 2
Snyk | added 2026/03/13 8:03 p.m. | 4 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

CVSS 9.3 | AI score 5.9 | EPSS 0.00258 | Exploits: 1 | References: 2
ATTACKERKB | added 2026/02/27 8:59 p.m. | 4 views

CVE-2026-28351

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaroun...

CVSS 6.9 | AI score 5.8 | EPSS 0.00423 | Exploits: 0 | References: 5 | Affected Software: 1
OSV | added 2026/02/26 12:42 a.m. | 7 views

CVE-2026-27888 pypdf: Manipulated FlateDecode XFA streams can exhaust RAM

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.3, an attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing the xfa property of a reader or writer and the corresponding stream being compressed using /FlateDecode...

CVSS 8.7 | AI score 5.5 | EPSS 0.00348 | Exploits: 1 | References: 6
Debian CVE | added 2026/02/20 9:10 p.m. | 5 views

CVE-2026-27024

pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1...

CVSS 6.9 | AI score 5.3 | EPSS 0.00168 | Exploits: 0
ATTACKERKB | added 2026/02/20 3:47 p.m. | 6 views

CVE-2026-22356

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Automattic Jetpack CRM (zero-bs-crm) allows PHP Local File Inclusion. This issue affects Jetpack CRM: from n/a through <= 6.7.0...

AI score 5.5 | EPSS 0.00423 | Exploits: 1 | References: 2
RedhatCVE | added 2026/02/06 1:30 p.m. | 10 views

CVE-2026-23796

Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this...

CVSS 9.8 | AI score 5.4 | EPSS 0.00268 | Exploits: 0 | References: 1
RedhatCVE | added 2026/02/06 1:30 p.m. | 12 views

CVE-2026-23797

In Quick.Cart, user passwords are stored in plaintext form. An attacker with high privileges can display users' passwords on the user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.7...

CVSS 6.9 | AI score 5.4 | EPSS 0.00245 | Exploits: 0 | References: 1
Vulnrichment | added 2026/02/05 11:07 a.m. | 6 views

CVE-2026-23797 Plaintext password display in Quick.Cart

In Quick.Cart, user passwords are stored in plaintext form. An attacker with high privileges can display users' passwords on the user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.7...

CVSS 6.9 | AI score 5.4 | EPSS 0.00268 | Exploits: 0 | References: 2
CVE | added 2026/02/05 11:07 a.m. | 15 views

CVE-2026-23797

CVE-2026-23797 — Quick.Cart password exposure: The vulnerability in Quick.Cart stores passwords in plaintext, allowing a highly privileged attacker to display user passwords on the user editing page. Red Hat entries corroborate the claim that only version 6.7 has been tested and confirmed vulner...

CVSS 6.9 | AI score 5.4 | EPSS 0.00268 | Exploits: 0 | References: 2 | Affected Software: 1