Lucene search
K

316 matches found

Nuclei
Nuclei
added 7 hours ago15 views

Premium Addons for Elementor - Unauthenticated Information Disclosure

Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability.The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...

5.3CVSS6.1AI score0.00715EPSS
Exploits0References4
Nuclei
Nuclei
added 7 hours ago33 views

WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure

An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. id: CVE-2019-9880 info: name: WPEngine WPGraphQL 0.2.3 -...

9.1CVSS7AI score0.34761EPSS
Exploits3References4
Nuclei
Nuclei
added 7 hours ago59 views

All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to unauthenticated information disclosure due to its error.log file being publicly accessible in versions before 7.87. id: CVE-2024-8852 info: name: All-in-One WP Migration 7.87 - Unauthenticated Information Disclosure...

5.3CVSS6.1AI score0.01175EPSS
Exploits0References2
Nuclei
Nuclei
added 7 hours ago20 views

Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure

The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frmformspreview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form. id: CVE-2017-20194 info...

5.3CVSS6.1AI score0.01098EPSS
Exploits1References3
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS0.00239EPSS
Exploits0References2
CVE
CVE
added 3 days ago21 views

CVE-2026-61454

CVE-2026-61454 affects Grav's Admin2 plugin prior to 2.0.4. The vulnerability arises from embedding a global JavaScript variable, window.GRAV_CONFIG , in the Admin2 SPA bootstrap page at /grav/admin and subroutes. This object is returned in every unauthenticated response and exposes server URL, A...

8.7CVSS6.1AI score0.00239EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-57219 RabbitMQ: Unauthenticated disclosure of OAuth client credentials via an HTTP API endpoint with certain less common OAuth 2 configurations

RabbitMQ is a messaging and streaming broker. Prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6, the obsolete GET /api/auth endpoint can disclose the OAuth 2 client secret on RabbitMQ installations configured with management.oauthclientsecret, exposing credentials to unauthenticated callers when the...

8.7CVSS0.0033EPSS
Exploits0References6
CVE
CVE
added 4 days ago59 views

CVE-2026-57219

RabbitMQ suffers an unauthenticated disclosure vulnerability in the management API: the obsolete GET /api/auth endpoint can reveal the OAuth 2 client secret on installations configured with management.oauth_client_secret prior to versions 3.13.15, 4.0.20, 4.1.11, and 4.2.6. The issue arises when ...

8.7CVSS6.1AI score0.0033EPSS
Exploits0References6Affected Software1
NVD
NVD
added last week7 views

CVE-2026-44877

An unauthenticated remote disclosure vulnerability has been identified in HPE Networking Instant On 1830, 1930, and 1960 Switches. Successful exploitation of this vulnerability could allow an unauthenticated remote threat actor to access sensitive cryptographic secrets on a vulnerable system...

6.5CVSS0.00277EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.10 views

PT-2026-54951

Name of the Vulnerable Software and Affected Versions Database for Contact Form 7, WPforms, Elementor forms versions prior to 1.5.2 Description An arbitrary file copy issue exists in the create entry el function. The function retrieves the raw value from the Elementor Pro Form Record object for...

6.5CVSS6AI score0.00372EPSS
Exploits0References7
Patchstack
Patchstack
added 2026/07/01 8:4 p.m.6 views

WordPress My Calendar – Accessible Event Manager plugin <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure vulnerability

Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure vulnerability discovered by ? in WordPress Plugin My Calendar versions = 3.7.14...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/07/01 10:0 a.m.12 views

WordPress Ninja Forms – The Contact Form Builder That Grows With You plugin <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure vulnerability

Missing Authorization to Unauthenticated Sensitive Information Disclosure vulnerability discovered by suyoung kimAhnLab - AhnLab in WordPress Plugin Ninja Forms versions = 3.14.1...

7.5CVSS5.8AI score0.0026EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/29 3:16 p.m.8 views

CVE-2026-56124

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the comple...

8.7CVSS0.00365EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/29 1:47 p.m.7 views

EUVD-2026-40114

phpUploader before 2.0.2 contains an unauthenticated information disclosure vulnerability that allows remote attackers to access the full contents of the uploaded-files database table by visiting any page of the application. The index model executes an unbounded SELECT query and embeds the comple...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References4
CVE
CVE
added 2026/06/29 1:47 p.m.23 views

CVE-2026-56124

CVE-2026-56124 affects phpUploader prior to 2.0.2. An unauthenticated information-disclosure flaw exists where the index model runs an unbounded SELECT and embeds the full JSON-encoded result set in an inline script, exposing uploader IP addresses, Argon2ID key hashes, internal filenames, and SHA...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References4
CVE
CVE
added 2026/06/26 3:15 p.m.35 views

CVE-2026-5757

CVE-2026-5757 concerns Ollama’s model quantization engine. The CERT entry describes an unauthenticated remote information-disclosure vulnerability triggered via the model upload interface. Root cause: three factors—no bounds checking on user-supplied GGUF header metadata, unsafe memory access usi...

7.5CVSS6.7AI score0.00551EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/06/25 5:43 p.m.30 views

CVE-2026-54091 File Browser: Incorrect access control in public directory shares via rule path rebasing

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths agains...

7.5CVSS0.00471EPSS
Exploits0References3
NVD
NVD
added 2026/06/24 9:16 p.m.9 views

CVE-2026-52815

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route...

6.9CVSS0.01553EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:13 p.m.6 views

CVE-2026-56322

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attacke...

8.7CVSS5.9AI score0.00334EPSS
Exploits0References3
NVD
NVD
added 2026/06/20 1:16 a.m.15 views

CVE-2026-56214

Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints istrialorg and ispayingorg that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sbpublishable key. Attackers can invoke these endpoin...

8.7CVSS0.00302EPSS
Exploits0References2
Rows per page
Query Builder