Lucene search
K

2362 matches found

Cvelist
Cvelist
added 2026/05/16 3:26 p.m.41 views

CVE-2021-47956 EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname

EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive databas...

8.8CVSS0.00276EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.11 views

DHTMLX Gantt 路径遍历漏洞

DHTMLX Gantt is a JavaScript Gantt chart component developed by DHTMLX Corporation. It supports project planning, task scheduling, and timeline visualization. Versions of DHTMLX Gantt prior to 0.7.6 contained a path traversal vulnerability. This vulnerability stemmed from a lack of HTML cleaning,...

9.2CVSS5.8AI score0.00497EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 5:38 a.m.24 views

CVE-2025-14869

GitLab CVE-2025-14869 affects GitLab CE/EE versions 18.5–before 18.9.7, 18.10–before 18.10.6, and 18.11–before 18.11.3. It could allow an unauthenticated attacker to cause a denial of service by sending specially crafted payloads to certain API endpoints. CVSSv3.1 base score 7.5 (HIGH), with NETW...

7.5CVSS5.8AI score0.00354EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/13 6:30 p.m.7 views

EUVD-2020-31223

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in t...

7.2CVSS5.9AI score0.00311EPSS
Exploits0References5
NVD
NVD
added 2026/05/12 11:16 p.m.17 views

CVE-2026-44341

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

5.3CVSS0.00239EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 9:16 a.m.24 views

CVE-2026-6808

The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS0.00255EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.66 views

CVE-2026-7626 Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsbhandleslekpaymentredirect function placing the merchant's slekkey and sleksecret API credentials directly into a client-side HTML form, and additionally embedding the...

5.3CVSS0.00251EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/12 2:27 a.m.10 views

CVE-2026-41456

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

5.1CVSS5.8AI score0.00379EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 2:19 a.m.38 views

CVE-2026-34258 Content Spoofing vulnerability in SAPUI5 (Search UI)

SAPUI5 Search UI allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low...

4.7CVSS0.00249EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 6:16 p.m.25 views

CVE-2026-44226

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an...

5.3CVSS0.00336EPSS
Exploits1References1
NVD
NVD
added 2026/05/08 11:16 p.m.15 views

CVE-2026-44286

FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery SSRF vulnerability allows attackers or authenticated users with App editing privileges to send arbitrary HTTP requests to internal/private network addresses. The fetchData function i...

2.3CVSS0.00228EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 12:59 a.m.6 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the stampExpression and watermarkExpression parameters in the merge, split, and convert routes. An attacker can access the contents of arbitrary PDF files on the server by supplying a path to a...

6.9CVSS5.9AI score0.00311EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.13 views

PT-2026-38588

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.21 Description An authentication bypass allows an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication is enable...

6.3CVSS5.8AI score0.00266EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/05/06 6:47 a.m.5 views

CVE-2026-7332

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookingformpageurl' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possib...

7.2CVSS6AI score0.0045EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/05/05 11:24 a.m.4 views

CVE-2023-54349

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when...

6.1CVSS5.9AI score0.00265EPSS
Exploits0References4Affected Software1
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.6 views

VulnCheck KEV: CVE-2024-12281

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by...

9.8CVSS7.3AI score0.00402EPSS
In wildExploits0References2
CNNVD
CNNVD
added 2026/05/02 12:0 a.m.9 views

WordPress plugin Gravity Forms 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

7.2CVSS5.8AI score0.00247EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/01 8:48 p.m.6 views

CVE-2026-2892

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'getcustomerdata' method relying on an unsigned 'ostripedata' cookie to determine Stripe product ownership for unauthenticated users. The...

7.5CVSS5.8AI score0.0032EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/28 6:0 a.m.6 views

EUVD-2026-25995

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled...

5.4CVSS5.2AI score0.00155EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.12 views

PT-2026-35668

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled...

5.1AI score0.00155EPSS
Exploits0References2
Rows per page
Query Builder