Lucene search
K

1383 matches found

Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.7 views

PT-2026-33027

The OPEN-BRAIN plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.0. This is due to missing nonce verification on the settings form in the func page main function. This makes it possible for unauthenticated attackers to inject malicious web...

6.1CVSS5.6AI score0.00211EPSS
Exploits0References11
Vulnrichment
Vulnrichment
added 2026/04/14 12:6 a.m.2 views

CVE-2026-0512 Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)

Due to a Cross-Site Scripting XSS vulnerability in the SAP Supplier Relationship Management SICF Handler in SRM Catalog, an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow t...

6.1CVSS6AI score0.00226EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.5 views

PT-2026-33235

Name of the Vulnerable Software and Affected Versions @vendure/core versions prior to 2.3.4 @vendure/core versions 3.0.0 through 3.5.6 @vendure/core versions 3.6.0 through 3.6.1 Description An unauthenticated SQL injection exists in the Shop API and an authenticated SQL injection exists in the...

9.1CVSS6.1AI score0.01762EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2026/04/13 8:35 a.m.2 views

CVE-2026-4810 Remote Code Execution in Google Agent Development Kit (ADK)

A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit ADK versions 1.7.0 and 2.0.0a1 through 1.28.1 and 2.0.0a2 on Python OSS, Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance. This...

10CVSS6.3AI score0.01816EPSS
Exploits0References1
CVE
CVE
added 2026/04/11 6:26 p.m.18 views

CVE-2026-31845

CVE-2026-31845 describes a reflected XSS in Rukovoditel CRM ≤ 3.6.4 via the Zadarma telephony API endpoint (/api/tel/zadarma.php). The code path uses: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); which directly reflects user input from the zd_echo GET parameter into the HTTP response with...

9.3CVSS5.8AI score0.00502EPSS
Exploits0References1
NVD
NVD
added 2026/04/10 2:16 a.m.3 views

CVE-2026-1924

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the ahscajaxresetoptions function. This makes it possible for unauthenticated attackers to reset all plugin settings t...

4.3CVSS0.00181EPSS
Exploits0References4
NVD
NVD
added 2026/04/08 7:24 p.m.5 views

CVE-2026-0811

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vszcf7savesettingcallback' function. This makes it possible for unauthenticated attackers to...

5.4CVSS0.00136EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.9 views

PT-2026-31291

Name of the Vulnerable Software and Affected Versions The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net versions up to and including 1.1.5 Description The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPre...

4.3CVSS5.5AI score0.00128EPSS
Exploits0References8
CVE
CVE
added 2026/04/07 11:25 p.m.12 views

CVE-2026-4406

The CVE concerns Gravity Forms for WordPress (≤ 2.9.30) with a Reflected XSS in the gform_get_config AJAX action via the form_ids parameter. The root cause is that GFCommon::send_json() returns JSON wrapped in HTML comments using echo/wp_die(), sending a text/html header instead of application/js...

4.7CVSS6.1AI score0.00356EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.5 views

CVE-2026-22675

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

6.1CVSS6AI score0.00218EPSS
Exploits0References1
PyPA
PyPA
added 2026/04/07 4:16 p.m.8 views

PYSEC-2026-134

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 3:23 p.m.5 views

CVE-2026-35526

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

7.5CVSS5.9AI score0.00274EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/06 3:40 p.m.29 views

CVE-2026-34756 vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

vLLM is an inference and serving engine for large language models LLMs. From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...

6.5CVSS0.0033EPSS
Exploits0References3
UbuntuCve
UbuntuCve
added 2026/04/06 3:17 p.m.3 views

CVE-2026-26263

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6...

9.8CVSS5.9AI score0.08741EPSS
Exploits0References2
CVE
CVE
added 2026/04/02 10:30 a.m.16 views

CVE-2026-32145

CVE-2026-32145 affects gleam-wisp wisp. The multipart_body and multipart_headers code paths can bypass configured max_body_size and max_files_size, allowing an unauthenticated attacker to exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP reques...

8.7CVSS5.9AI score0.00622EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/01 12:13 a.m.2 views

GHSA-37FQ-47QJ-6J5J YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"

Summary A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. Type: Stored an...

7.1CVSS6AI score0.00213EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/01 12:3 a.m.9 views

TorchGeo Remote Code Execution Vulnerability

Impact TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.getweight or torchgeo.trainers as an external API could be affected. Patches The eval statement wa...

8.1CVSS6.2AI score0.01221EPSS
Exploits0References9Affected Software1
NVD
NVD
added 2026/03/31 4:16 p.m.4 views

CVE-2026-34240

JOSE is a Javascript Object Signing and Encryption JOSE library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

7.5CVSS0.0013EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/31 2:2 p.m.5 views

CVE-2026-34202

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic crash. This is triggered by sending a specially crafted V5...

9.2CVSS5.8AI score0.00725EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/03/31 2:15 a.m.36 views

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

9.8CVSS0.40992EPSS
Exploits1References3
Rows per page
Query Builder