Lucene search
K

49638 matches found

cve
cve
added 1 hour ago2 views

CVE-2026-61505

Rejetto HFS 3.0.0 through 3.2.0 allows path traversal through the lang query parameter, permitting a remote unauthenticated attacker to read certain JSON files outside the shared folders. Exploitation is constrained to files matching a narrow naming and format pattern, limiting practical impact...

6.9CVSS6.1AI score
Exploits0References2
nvd
nvd
added 8 hours ago4 views

CVE-2026-22099

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL...

8.7CVSS
Exploits0References1
cvelist
cvelist
added 8 hours ago5 views

CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application

A vulnerability in Thales CERT "Suspicious" application = 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent...

9.2CVSS
Exploits0References1
euvd
euvd
added 9 hours ago3 views

EUVD-2026-43297

Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an...

9.8CVSS6.1AI score
Exploits0References2
euvd
euvd
added 9 hours ago5 views

EUVD-2026-43283

The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting XSS due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the fina...

6.1CVSS6.2AI score
Exploits0References2
nvd
nvd
added 10 hours ago6 views

CVE-2026-4769

Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an...

9.8CVSS
Exploits0References1
nvd
nvd
added 11 hours ago4 views

CVE-2026-12081

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...

5CVSS
Exploits0References1
cvelist
cvelist
added 12 hours ago7 views

CVE-2026-4769 Unauthenticated Access to Internal Diagnostic Interface

Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an...

9.8CVSS
Exploits0References1
cve
cve
added 12 hours ago11 views

CVE-2026-4769

The affected product family is WAGO System I/O Field series devices. The CVE describes an undocumented internal diagnostic capability that activates during the initial startup sequence and remains accessible without authentication for a brief window in the early boot phase. During this window, an...

9.8CVSS6.1AI score
Exploits0References1
cvelist
cvelist
added 12 hours ago5 views

CVE-2026-12582 Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes...

Exploits0References1
cve
cve
added 12 hours ago8 views

CVE-2026-12582

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes...

8.6CVSS6.2AI score
Exploits0References1
cvelist
cvelist
added 12 hours ago7 views

CVE-2026-12081 Database for Contact Form 7, WPforms, Elementor forms < 1.5.2 - Unauthenticated PHP Object Injection via Entry File Field

The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin before 1.5.2 does not restrict the PHP classes allowed when unserializing an attacker-supplied form-field value, allowing unauthenticated users to inject arbitrary PHP objects that are instantiated when an administrator...

Exploits0References1
cve
cve
added 12 hours ago6 views

CVE-2026-10551

The Breeze Cache WordPress plugin before 2.5.6 is vulnerable to unauthenticated Stored Cross-Site Scripting XSS due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the fina...

6.1CVSS6.2AI score
Exploits0References1
redhatcve
redhatcve
added 12 hours ago2 views

CVE-2026-58208

A flaw was found in NATS Server. An unauthenticated client with access to the WebSocket listener could exploit a vulnerability where requests for the MQTT-over-WebSocket path were incorrectly routed into MQTT handling, even when MQTT was not configured. This allowed the client to access...

7.5CVSS6AI score0.00593EPSS
Exploits0References8
nuclei
nuclei
added 14 hours ago32 views

WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin

Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from 1.9 through 6.3.0.1. id: CVE-2024-28000 info: name: WordPress LiteSpeed Cache - Unauthenticated Privilege Escalation to Admin...

9.8CVSS7.1AI score0.68266EPSS
Exploits8References5
nuclei
nuclei
added 14 hours ago61 views

Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access

The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them. id: CVE-2023-1263 info: name: Coming Soon & Maintenance 4.1.7 - Unauthenticated Post/Page Access author: r3Y3r53 severity: medium...

5.3CVSS6.7AI score0.01414EPSS
Exploits1References5
nuclei
nuclei
added 14 hours ago164 views

Nacos <1.4.1 - Authentication Bypass

Nacos before version 1.4.1 is vulnerable to authentication bypass because the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint i...

8.6CVSS7AI score0.64697EPSS
Exploits2References5
nuclei
nuclei
added 14 hours ago54 views

Onair2 < 3.9.9.2 & KenthaRadio < 2.0.2 - Remote File Inclusion/Server-Side Request Forgery

Onair2 3.9.9.2 and KenthaRadio 2.0.2 have exposed proxy functionality to unauthenticated users. Sending requests to this proxy functionality will have the web server fetch and display the content from any URI, allowing remote file inclusion and server-side request forgery. id: CVE-2021-24472 info...

9.8CVSS7.1AI score0.56614EPSS
Exploits2References4
nuclei
nuclei
added 14 hours ago16 views

Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. id: CVE-2026-34486 info: name: Apache Tomcat Tribes EncryptInterceptor Bypass - Remote...

7.5CVSS7AI score0.21691EPSS
Exploits6References3
nuclei
nuclei
added 14 hours ago10 views

SPIP Saisies - Remote Code Execution

SPIP Saisies plugin 5.4.0 through 5.11.0 contains a remote code execution caused by an unspecified flaw, letting attackers execute arbitrary code on the server, exploit requires no special conditions. id: CVE-2025-71243 info: name: SPIP Saisies - Remote Code Execution author: omarkurt severity:...

9.8CVSS6.7AI score0.05126EPSS
Exploits5References4
Rows per page
Query Builder