Lucene search
117 matches found

Cvelist (added 2026/03/07 5:40 a.m.)

CVE-2026-30841 Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute...

CVSS 6.9, EPSS 0.00283. Exploits: 1, References: 3
CVE (added 2026/03/07 5:40 a.m.)

CVE-2026-30841

CVE-2026-30841 affects Wallos prior to version 4.6.2. The vulnerability is a reflected XSS in passwordreset.php where $_GET["token"] and $_GET["email"] are echoed directly into HTML input value attributes without htmlspecialchars(), allowing an attacker to break out of the attribute context. The ...

CVSS 6.9, AI score 5.7, EPSS 0.00283. Exploits: 1, References: 3, Affected Software: 1
OSV (added 2026/03/07 5:40 a.m.)

CVE-2026-30841 Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes without calling htmlspecialchars(). This allows reflected XSS by breaking out of the attribute...

CVSS 6.9, AI score 5.7, EPSS 0.00283. Exploits: 1, References: 5
CNNVD (added 2026/03/03 12:00 a.m.)

joserfc security vulnerability

Joserfc is a Python library developed by Authlib. Joserfc versions 1.6.2 and earlier have security vulnerabilities. These vulnerabilities stem from the lack of verification or restrictions on the p2c parameter value in the JWE token. This allows unverified attackers to cause denial-of-service...

CVSS 7.5, AI score 5.8, EPSS 0.00432. Exploits: 2, References: 3
NVD (added 2026/02/19 7:17 a.m.)

CVE-2025-13587

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes i...

CVSS 6.5, EPSS 0.00361. Exploits: 0, References: 3
CVE (added 2026/02/19 4:36 a.m.)

CVE-2025-13587

CVE-2025-13587 affects the WordPress plugin “Two Factor (2FA) Authentication via Email” up to version 1.9.8. The root cause is that SS88_2FAVE::wp_login() only enforces 2FA when the 'token' parameter is undefined; providing any value (including empty) for token during login bypasses 2FA. The acco...

CVSS 6.5, AI score 5.5, EPSS 0.00361. Exploits: 0, References: 3
Vulnrichment (added 2026/02/19 4:36 a.m.)

CVE-2025-13587 Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes i...

CVSS 6.5, AI score 5.5, EPSS 0.00361. Exploits: 0, References: 3
Positive Technologies (added 2026/02/19 12:00 a.m.)

PT-2026-20601

Name of the Vulnerable Software and Affected Versions: Two Factor (2FA) Authentication via Email plugin for WordPress, versions up to and including 1.9.8. Description: The Two Factor (2FA) Authentication via Email plugin for WordPress is susceptible to a bypass of the two-factor authentication mechanism...

CVSS 6.5, AI score 5.3, EPSS 0.00361. Exploits: 0, References: 5
RedhatCVE (added 2026/02/03 3:18 p.m.)

CVE-2024-5386

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...

CVSS 9.6, AI score 5.5, EPSS 0.00482. Exploits: 2, References: 1
ATTACKERKB (added 2026/02/02 10:36 a.m.)

CVE-2024-5386

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...

CVSS 9.6, AI score 5.5, EPSS 0.00482. Exploits: 2, References: 3
RedhatCVE (added 2025/12/07 6:05 a.m.)

CVE-2025-13863

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the token parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, AI score 5, EPSS 0.00191. Exploits: 0, References: 1
EUVD (added 2025/12/06 6:30 a.m.)

EUVD-2025-201520

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the token parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, AI score 4.7, EPSS 0.00191. Exploits: 0, References: 4
NVD (added 2025/12/06 6:15 a.m.)

CVE-2025-13863

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the token parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, EPSS 0.00191. Exploits: 0, References: 3
CVE (added 2025/12/06 5:49 a.m.)

CVE-2025-13863

RevInsite is a WordPress plugin vulnerable to stored cross-site scripting (XSS) in versions up to 1.1.0 due to insufficient input sanitization and output escaping. The vulnerability enables an authenticated attacker with Contributor+ privileges to inject scripts via shortcode attributes (token/re...

CVSS 6.4, AI score 4.7, EPSS 0.00191. Exploits: 0, References: 3
Cvelist (added 2025/12/06 5:49 a.m.)

CVE-2025-13863 RevInsite <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the token parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, EPSS 0.00191. Exploits: 0, References: 3
Vulnrichment (added 2025/12/06 5:49 a.m.)

CVE-2025-13863 RevInsite <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the token parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, AI score 4.7, EPSS 0.00191. Exploits: 0, References: 3
Positive Technologies (added 2025/12/06 12:00 a.m.)

PT-2025-49348

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the token parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, AI score 5, EPSS 0.00191. Exploits: 0, References: 4
EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2016-5456

Malware in sbrugna...

CVSS 8.8, AI score 8.6, EPSS 0.07863. Exploits: 7, References: 9
EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2014-4895

Malware in sbrugna...

CVSS 5, AI score 6.2, EPSS 0.017. Exploits: 2, References: 10
EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2022-4675

Malicious code in bioql PyPI...

CVSS 6.1, AI score 6.2, EPSS 0.01244. Exploits: 1, References: 4