Lucene search
K

15085 matches found

Nuclei
Nuclei
added 12 hours ago15 views

Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection

Team WordPress plugin = 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands. id: CVE-2025-14124 info: name: Team WordPress Plugin TLP Team = 5.0.9...

8.6CVSS6.3AI score0.0156EPSS
Exploits1References3
Nuclei
Nuclei
added 12 hours ago102 views

CZ Loan Management <= 1.1 - SQL Injection

The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2024-5975 info: name: CZ Loan Management = 1.1 - SQL Injection author...

9.1CVSS6AI score0.01958EPSS
Exploits1References3
NVD
NVD
added 2 days ago6 views

CVE-2026-54602

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks,...

7.1CVSS0.00227EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago23 views

CVE-2026-54602 FastGPT: Cross-team LLM request/response disclosure (IDOR) via /api/core/ai/record/getRecord

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks,...

7.1CVSS0.00227EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 days ago3 views

CVE-2026-54602

FastGPT is a knowledge-based AI application platform. Prior to 4.15.0, GET /api/core/ai/record/getRecord authenticates the caller but loads LLM request and response traces only by requestId without team scoping, allowing any authenticated user to read another team's prompts, retrieved RAG chunks,...

7.1CVSS6AI score0.00227EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2 days ago13 views

CVE-2026-54602

CVE-2026-54602 — FastGPT : A cross-team information disclosure via GET /api/core/ai/record/getRecord existed prior to version 4.15.0. The endpoint authenticated users but loaded LLM request/response traces by requestId without team scoping, allowing any authenticated user to read another team’s p...

7.1CVSS6AI score0.00227EPSS
Exploits0References2
CVE
CVE
added 2 days ago11 views

CVE-2026-55418

Summary: CVE-2026-55418 affects FastGPT prior to v4.15.0-beta5, where two FastGPT file handlers authorize an unrelated resource and then sign or read an S3 object using a key taken directly from the request. The key’s association with the caller’s team is not validated, allowing cross-team file d...

8.6CVSS6AI score0.00299EPSS
Exploits0References4
OSV
OSV
added 2 days ago6 views

GO-2026-5869 Rancher has over-inclusive team membership expansion in GitHub App authentication provider in github.com/rancher/rancher

Rancher has over-inclusive team membership expansion in GitHub App authentication provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

8.8CVSS5.9AI score0.0037EPSS
Exploits0References6
NVD
NVD
added 2 days ago7 views

CVE-2026-34044

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by...

7.7CVSS0.00244EPSS
Exploits0References3
CVE
CVE
added 2 days ago12 views

CVE-2026-34048

CVE-2026-34048 concerns Coolify prior to 4.0.0-beta.471, where terminal websocket bootstrap routes failed to enforce terminal authorization, only checking authentication. This allowed a low-privileged team member to connect to terminal routes and execute commands on team servers. The issue is fix...

9.9CVSS6AI score0.00405EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-34044

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the Logs::mount component looks up resources by UUID without scoping the lookup to the current team, allowing an authenticated user to access logs for applications owned by...

7.7CVSS5.9AI score0.00244EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2 days ago10 views

CVE-2026-34044

The CVE-2026-34044 issue affects Coolify prior to 4.0.0-beta.466 where Logs::mount() looks up resources by UUID without limiting to the current team. This enables an authenticated user to read logs for applications owned by other teams by supplying a victim resource UUID, constituting a cross‑tea...

7.7CVSS5.9AI score0.00244EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-56260

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.15.0 Description An issue exists where the endpoint "/api/core/ai/record/getRecord" authenticates the caller but fails to implement team scoping when loading LLM request and response traces. By providing a known...

7.1CVSS6AI score0.00227EPSS
Exploits0References6
NVD
NVD
added 3 days ago6 views

CVE-2026-34167

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the ActivityMonitor Livewire component exposes a public $activityId property without Livewire's Locked attribute. It loads activities via Activity::find$this-activityId wit...

5CVSS0.00199EPSS
Exploits0References4
CVE
CVE
added 3 days ago15 views

CVE-2026-34167

Coolify (open-source self-hosted) has a vulnerability in the ActivityMonitor Livewire component prior to version 4.0.0-beta.471: a public $activityId property is not protected with Livewire’s #[Locked] attribute, allowing any authenticated user to enumerate activity records across all teams and r...

5CVSS6AI score0.00199EPSS
Exploits0References4
Circl
Circl
added 3 days ago7 views

CVE-2026-14807

creationtimestamp| type| source ---|---|--- 2026-07-06 08:02:04+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mpxmsdqm5f2s 2026-07-06 08:14:51+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mpxnj6vp2d2n 2026-07-06 09:00:30+00:00| seen|...

9.8CVSS5.9AI score0.00463EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-56020

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description An authenticated command injection exists in the GetLogs Livewire component. Users with team membership, including those with the lowest privilege role, can execute arbitrary commands as roo...

8.8CVSS6.1AI score0.01385EPSS
Exploits0References10
Circl
Circl
added 2026/07/02 7:21 a.m.10 views

CVE-2026-13875

creationtimestamp| type| source ---|---|--- 2026-07-02 07:21:58+00:00| seen| https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities20260702 2026-07-06 07:17:32+00:00| seen| https://www.hkcert.org/security-bulletin/microsoft-edge-multiple-vulnerabilities20260706...

5.3CVSS5.9AI score0.00281EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 8:51 p.m.7 views

EUVD-2026-40297

Rancher has over-inclusive team membership expansion in GitHub App authentication provider...

8.8CVSS5.8AI score0.0037EPSS
Exploits0References6
OSV
OSV
added 2026/07/01 8:51 p.m.2 views

GHSA-4J6X-2764-M8GH Rancher has over-inclusive team membership expansion in GitHub App authentication provider

Impact A vulnerability has been identified within Rancher Manager in the GitHub App authentication provider. When evaluating permissions, the provider incorrectly expands user team memberships to include all teams within the associated GitHub organization, rather than restricting access to the...

8.8CVSS5.7AI score0.0037EPSS
Exploits0References7
Rows per page
Query Builder