Lucene search
K

1185 matches found

Nuclei
Nuclei
added yesterday14 views

WordPress Contact Form by Supsystic - Server-Side Template Injection

Contact Form by Supsystic WordPress plugin = 1.7.36 contains a server-side template injection caused by unsandboxed TwigLoaderString and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters. id: CVE-2026-4257 info: name: WordPress Contact...

9.8CVSS6.3AI score0.41475EPSS
Exploits9References3
NVD
NVD
added 4 days ago7 views

CVE-2026-61450

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS0.00246EPSS
Exploits0References2
CVE
CVE
added 4 days ago6 views

CVE-2026-61450

Grav prior to 2.0.2 contains a Twig sandbox bypass that enables a page author (including any admin.pages user or anyone with write access to user/pages) to exfiltrate configuration secrets. The sandbox replaces the config variable with a redacted facade and strips Config::get/toArray from the all...

7.1CVSS6.1AI score0.00246EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42903

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS6.1AI score0.00246EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-61450 Grav before 2.0.2 Config Exfiltration via offsetGet Filter

Grav before 2.0.2 contains a Twig sandbox bypass that allows a page author any admin.pages user, or anyone able to write to user/pages to exfiltrate configuration secrets. Although the sandbox replaces the 'config' variable with a redacted facade and strips Config::get/toArray from the method...

7.1CVSS0.00246EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago7 views

PT-2026-56663

Name of the Vulnerable Software and Affected Versions ECA: Event - Condition - Action versions 0.0.0 through 2.1.20 ECA: Event - Condition - Action versions 3.0.0 through 3.0.12 ECA: Event - Condition - Action versions 3.1.0 through 3.1.4 Description Improperly controlled modification of...

6.1AI score0.002EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/06 9:37 p.m.7 views

EUVD-2026-41213

Craft CMS: Potential authenticated Remote Code Execution via referrer redirect...

8.7CVSS6.1AI score0.00293EPSS
Exploits0References3
NVD
NVD
added 2026/07/02 12:16 a.m.10 views

CVE-2026-55794

Craft CMS is a content management system CMS. In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries...

8.7CVSS0.00293EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/01 11:26 p.m.37 views

CVE-2026-55794 Craft CMS: Potential authenticated Remote Code Execution via referrer redirect

Craft CMS is a content management system CMS. In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries...

8.7CVSS0.00293EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:26 p.m.35 views

CVE-2026-55794

Craft CMS

8.7CVSS5.8AI score0.00293EPSS
Exploits0References2
Nuclei
Nuclei
added 2026/07/01 11:28 a.m.11 views

FOSSBilling - Server-Side Template Injection

A Server-Side Template Injection SSTI vulnerability exists in FOSSBilling's template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custom payment adapters, and the stringrender API endpoint can inject arbitrary Twig...

9.4CVSS6.2AI score0.01892EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/01 12:34 a.m.10 views

EUVD-2026-40452

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget...

9.8CVSS6.4AI score0.01683EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-54862

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.9.0 through 5.9.x Description Control panel users with entry editing permissions can execute unsandboxed Twig code, which may lead to authenticated Remote Code Execution RCE. The issue occurs during the entry saving proces...

8.7CVSS6AI score0.00293EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.16 views

PT-2026-54048

Name of the Vulnerable Software and Affected Versions Grav CMS versions prior to 2.0.0-beta.2 Description Multiple issues allow for code execution. Three unsafe unserialize calls within SchedulerJobQueue, FrameworkCacheAdapterFileCache, and Session deserialize untrusted data without restricting...

9.8CVSS6.5AI score0.01683EPSS
Exploits0References4
VulnCheck KEV
VulnCheck KEV
added 2026/06/25 12:0 a.m.26 views

VulnCheck KEV: CVE-2026-28496

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS6.4AI score0.01892EPSS
In wildExploits1References2
NVD
NVD
added 2026/06/23 3:16 p.m.13 views

CVE-2026-28496

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS0.01892EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/06/23 2:20 p.m.7 views

CVE-2026-28496

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS6.4AI score0.01892EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/06/23 2:20 p.m.74 views

CVE-2026-28496

CVE-2026-28496 – FOSSBilling SSTI in Twig rendering affects versions prior to 0.8.0. Administrators with access to Twig-rendering features (email templates, mass mail campaigns, custom payment adapters, and the string_render API) can inject Twig expressions, leading to information disclosure and ...

9.4CVSS6.4AI score0.01892EPSS
In wildExploits1References3
Cvelist
Cvelist
added 2026/06/23 2:20 p.m.64 views

CVE-2026-28496 FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS0.01892EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 2:20 p.m.3 views

CVE-2026-28496 FOSSBilling: Server-side template injection in Twig template rendering enables information disclosure and RCE

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 have a Server-Side Template Injection SSTI vulnerability in the template rendering system. Administrators with access to features that render Twig templates email templates, mass mail campaigns, custo...

9.4CVSS6.4AI score0.01892EPSS
Exploits1References5
Rows per page
Query Builder