Lucene search
K

1393 matches found

NVD
NVD
added 2026/06/17 10:16 p.m.12 views

CVE-2026-54386

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...

6.1CVSS0.00239EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/17 2:30 p.m.10 views

EUVD-2026-37729

Dell PowerFlex Manager, versions Versions, contains an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure, Information tampering, and Unauthorized access...

7.4CVSS5.3AI score0.0021EPSS
Exploits0References1
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.99 views

Ivanti EPM - Remote Code Execution

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. id: CVE-2024-29824 info: name: Ivanti EPM - Remote Code Execution author: DhiyaneshDK severity: critical description: | ...

9.6CVSS9.4AI score0.99951EPSS
Exploits5References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-50016

Name of the Vulnerable Software and Affected Versions JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2 Description An issue exists in the Enterprise Infrastructure Security component of Oracle JD Edwards. An unauthenticated attacker with network access via HTTP can exploit this fl...

9.8CVSS5.9AI score0.00483EPSS
Exploits0References3
CVE
CVE
added 2026/06/15 12:0 p.m.14 views

CVE-2016-20082

CVE-2016-20082 concerns the WordPress plugin Abtest . The vulnerability is a local file inclusion in the admin area via abtest_admin.php, where an unauthenticated attacker can influence the action parameter to include files from the admin directory and execute arbitrary code. The description indi...

6.9CVSS5.8AI score0.00326EPSS
Exploits0References3
CVE
CVE
added 2026/06/11 1:27 a.m.23 views

CVE-2026-2827

CVE-2026-2827 affects the Open User Map PRO plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the oum_location_notification parameter in versions up to and including 1.4.31, caused by insufficient input sanitization and output escaping. Unauthenticated attackers c...

4.7CVSS5.7AI score0.00188EPSS
Exploits0References2
CVE
CVE
added 2026/06/10 6:16 a.m.45 views

CVE-2026-29116

The CVE-2026-29116 entry concerns certain Dahua products. A vulnerability allows an unauthenticated remote attacker to send a crafted packet that triggers an exception, causing the system to reboot and resulting in denial of service. The CVSS baseline score is 8.7 (HIGH) with network access, no p...

8.7CVSS5.4AI score0.00395EPSS
Exploits0References1
NVD
NVD
added 2026/06/09 6:17 p.m.12 views

CVE-2026-50635

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default and documented configuration, so LSHttpRequest::checkIsAllowedHost results in no operation....

8.8CVSS0.00372EPSS
Exploits0References3
AlpineLinux
AlpineLinux
added 2026/06/09 4:4 p.m.9 views

CVE-2026-49843

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, modverto's JSON-RPC handler bound the connection to the client-supplied sessid on the fir...

5.3CVSS5.4AI score0.00284EPSS
Exploits0References2
CVE
CVE
added 2026/06/09 3:41 a.m.17 views

CVE-2026-8909

WpMobi WordPress plugin (versions ≤ 0.0.3) is vulnerable to Cross-Site Request Forgery due to missing/incorrect nonce validation in handleSaveGeneralSettings. This allows unauthenticated attackers to modify General Settings and inject scripts into an administrator’s browser via unescaped app_name...

4.3CVSS5.5AI score0.00128EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/09 3:41 a.m.35 views

CVE-2026-8909 WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's...

4.3CVSS0.00128EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.26 views

PT-2026-47678

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc options page function. This makes it possible for unauthenticated attackers to modify plugin settin...

4.3CVSS5.3AI score0.00124EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/06/08 12:0 a.m.15 views

TencentOS Server 4: nginx (TSSA-2026:0398)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0398 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

9.2CVSS6.5AI score0.04261EPSS
Exploits3References3
Cvelist
Cvelist
added 2026/06/05 11:28 p.m.39 views

CVE-2026-9719 LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

4.3CVSS0.00135EPSS
Exploits0References8
CVE
CVE
added 2026/06/05 11:28 p.m.29 views

CVE-2026-9719

CVE-2026-9719 concerns the LatePoint WordPress plugin (versions up to 5.6.0). The issue is a Cross‑Site Request Forgery caused by missing/incorrect nonce validation in the change_status function, enabling unauthenticated actors to alter invoice statuses (e.g., mark unpaid as paid) via forged requ...

4.3CVSS5.5AI score0.00135EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.10 views

CVE-2026-1673

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

4.3CVSS5.4AI score0.00128EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.12 views

CVE-2026-40137

SAP TAFAPPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on...

6.1CVSS5.5AI score0.00211EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.12 views

CVE-2026-43967

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls...

8.7CVSS5.5AI score0.00624EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:15 p.m.10 views

CVE-2026-24467

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

9.8CVSS5.7AI score0.009EPSS
Exploits1References1
CVE
CVE
added 2026/06/03 6:10 p.m.20 views

CVE-2026-7888

CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...

8.4CVSS5.9AI score0.00175EPSS
Exploits0References1
Rows per page
Query Builder