Lucene search

21 matches found

NVD
added 2026/05/28 6:16 p.m., 12 views

CVE-2026-45307

Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before parsing, while the controller passed the raw target to redirect. A...

CVSS 6.1, EPSS 0.00153
Exploits 0, References 1
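The Speakr entry above describes a general open-redirect validation mistake: the helper resolved the candidate against the request's host URL and compared hosts on the result, while the controller redirected to the raw string. The block below is an added illustration and is not Speakr's code. is_safe_url_joined_first reproduces the flawed pattern (the function name and the HOST_URL value are assumptions), and is_safe_url_raw validates exactly the string that will later be placed in the Location header. The inputs are constructed for the illustration, not the advisory's proof of concept.

```python
import re
from urllib.parse import urljoin, urlparse

# Assumed stand-in for Flask's request.host_url; Speakr's real value is not on this page.
HOST_URL = "https://speakr.example/"


def is_safe_url_joined_first(host_url: str, target: str) -> bool:
    """The flawed pattern: normalise target against host_url, then compare hosts.

    Whatever urljoin() rewrites or discards never reaches the comparison, yet the
    controller sends the *raw* target to the browser, which parses it by its own rules.
    """
    ref = urlparse(host_url)
    joined = urlparse(urljoin(host_url, target))
    return joined.scheme in ("http", "https") and joined.netloc == ref.netloc


def is_safe_url_raw(target: str) -> bool:
    """Validate exactly the string that will be redirected to.

    Accept only a local path reference: a single leading '/', no scheme, no
    authority, no backslash (browsers treat '\\' as '/' in http URLs) and no
    control characters that a header writer or a second parser might strip.
    """
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    if re.search(r"[\\\x00-\x1f\x7f]", target):
        return False
    parts = urlparse(target)
    return parts.scheme == "" and parts.netloc == ""


def post_login_redirect(target: str, fallback: str = "/") -> str:
    """What the controller should hand to redirect(): the validated string or a fallback."""
    return target if is_safe_url_raw(target) else fallback


# Constructed inputs (not the advisory's PoC). urllib parses the last two as host-less
# paths, so urljoin() turns them into same-host URLs and the joined-first check accepts
# them; a browser given the raw string in a Location header collapses the extra slash
# (or treats the backslash as a slash) and navigates to evil.example.
CASES = {
    "/dashboard": (True, True),
    "https://evil.example/": (False, False),
    "//evil.example/": (False, False),
    "///evil.example/": (True, False),
    "/\\evil.example/": (True, False),
}

if __name__ == "__main__":
    for target, expected in CASES.items():
        got = (is_safe_url_joined_first(HOST_URL, target), is_safe_url_raw(target))
        status = "OK" if got == expected else "MISMATCH"
        print(f"{target!r:24} joined-first={got[0]!s:5} raw={got[1]!s:5} {status}")
```

The rule the fix encodes is simple: validate the same bytes you emit. Any transformation between check and use (urljoin, normalisation, decoding) is a place where the server's parser and the browser's parser can disagree.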
RedhatCVE
added 2026/03/26 3:09 p.m., 10 views

CVE-2026-33126

Frigate is a network video recorder (NVR) with real-time local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery (SSRF) attacks. An attacker can use the Frigate server t...

CVSS 5, AI score 5.9, EPSS 0.00189
Exploits 1, References 1
Cvelist
added 2026/03/21 1:24 a.m., 27 views

CVE-2026-4302 WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permission_callback of __return_true that...

CVSS 7.2, EPSS 0.00299
Exploits 0, References 10
CNNVD
added 2025/10/22 12:00 a.m., 4 views

WordPress plugin Mixlr Shortcode Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it can host personal blog sites on PHP and MySQL based servers. A WordPress plugin is an application plug-in. A cross-site scriptin...

CVSS 6.4, AI score 5.9, EPSS 0.00211
Exploits 0, References 4
OSV
added 2025/10/09 10:29 p.m., 24 views

GHSA-63WH-P5FX-H4VC BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver

Summary: Due to unsafe URL handling, bbot's git_clone.py can be made to leak a user's github.com API key to an attacker-controlled webserver. Impact: A user who has placed their github.com API key in the configuration for any of the following modules: github_codesearch, github_workflows, gitlab, git_clone...

CVSS 4.7, AI score 6.8, EPSS 0.00208
Exploits 0, References 5
Vulnrichment
added 2025/10/07 7:01 p.m., 2 views

CVE-2025-61784 LLaMA Factory's Chat API has Critical SSRF and LFI Vulnerabilities

LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure ...

CVSS 7.6, AI score 6.1, EPSS 0.00342
Exploits 1, References 2
Cvelist
added 2025/10/07 7:01 p.m., 8 views

CVE-2025-61784 LLaMA Factory's Chat API has Critical SSRF and LFI Vulnerabilities

LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure ...

CVSS 7.6, EPSS 0.00342
Exploits 1, References 2
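The Frigate, WowOptin and LLaMA-Factory entries above all turn on one question: may the server fetch the URL a user handed it? The block below is an added example of the destination check a practitioner would place in front of such a fetch; it is not code from any of those projects. The name table and the lookup() helper are constructed so the block runs offline. In production, replace the table with socket.getaddrinfo(), check every returned address, and connect to the address you validated rather than re-resolving the name, otherwise DNS rebinding reopens the hole after the check.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed name table standing in for DNS (assumption; not real records).
FAKE_DNS = {
    "cdn.example": ["8.8.8.8"],                 # public address: allowed
    "camera.lan": ["192.168.1.20"],             # RFC 1918: rejected
    "metadata.example": ["169.254.169.254"],    # cloud metadata address: rejected
    "dual.example": ["1.1.1.1", "10.0.0.5"],    # one public, one private record: rejected
}


def lookup(host: str) -> list[str]:
    """Resolve a host to IP strings.

    Literal addresses are normalised first, including inet_aton shorthand such as
    '127.1' or '0x7f000001' that ipaddress refuses but a real resolver accepts.
    Unknown names resolve to nothing, so the caller fails closed.
    """
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    try:
        return [socket.inet_ntoa(socket.inet_aton(host))]
    except OSError:
        pass
    return FAKE_DNS.get(host.lower(), [])


def is_public(ip_str: str) -> bool:
    """True only for globally routable unicast; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, schemes=("http", "https")) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch on a user's behalf."""
    p = urlparse(url)
    if p.scheme not in schemes:
        return False, f"scheme {p.scheme!r} not allowed"
    if p.username is not None or p.password is not None:
        return False, "userinfo in URL"
    host = p.hostname
    if not host:
        return False, "no host"
    addrs = lookup(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"


# Constructed sample of URLs such an endpoint might receive.
SAMPLES = [
    "http://cdn.example/stream.m3u8",
    "http://camera.lan/video",
    "http://169.254.169.254/latest/meta-data/",
    "http://127.1/",
    "http://[::ffff:127.0.0.1]:8080/",
    "http://user@cdn.example/",
    "file:///etc/passwd",
    "http://dual.example/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = check_outbound_url(u)
        print(f"{'ALLOW' if ok else 'DENY':5} {u:42} {why}")
```

Two design points worth keeping even if the rest is adapted: a name that resolves to both a public and a private address is rejected outright, because the client library may pick either, and an HTTP client that follows redirects must apply the same check to every hop, not only to the first URL.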
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2018-18117

Malware in sbrugna...

CVSS 8.8, AI score 8.6, EPSS 0.02642
Exploits 1, References 8
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-7196

Malicious code in bioql PyPI...

CVSS 5.4, AI score 5.4, EPSS 0.00617
Exploits 0, References 7
Veracode
added 2025/06/03 4:48 a.m., 3 views

Arbitrary Command Execution

github.com/cli/go-gh is vulnerable to arbitrary command execution. The vulnerability is due to unsafe handling of GitHub-provided URLs, allowing an attacker-controlled GitHub Enterprise Server to replace HTTP URLs with local file paths that could be executed on the user's machine...

CVSS 9.8, AI score 6.3, EPSS 0.00429
Exploits 0, References 4, Affected Software 1
RedhatCVE
added 2025/05/23 8:16 a.m., 3 views

CVE-2024-9239

The Booster for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.2.3. This makes it possible for unauthenticated attackers to inject...

CVSS 6.1, AI score 7.4, EPSS 0.00402
Exploits 0, References 1
OSV
added 2024/11/26 6:15 p.m., 2 views

CVE-2024-10878

The Sugar Calendar – Simple Event Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.3.0. This makes it possible for unauthenticated attacker...

CVSS 6.1, AI score 7.4, EPSS 0.00443
Exploits 0, References 3
CNNVD
added 2024/11/22 12:00 a.m., 4 views

WordPress plugin Premium Packages Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plug-in. A cross-site scripting vulnerability...

CVSS 6.1, AI score 7.6, EPSS 0.00507
Exploits 0, References 5
CNNVD
added 2024/10/19 12:00 a.m., 5 views

WordPress plugin WordPress Social Share Buttons Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plug-in. A security vulnerability exist...

CVSS 6.1, AI score 6.3, EPSS 0.00368
Exploits 0, References 5
OSV
added 2024/10/02 9:15 a.m., 2 views

CVE-2024-9218

The Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including,...

CVSS 6.1, AI score 5.9, EPSS 0.00355
Exploits 0, References 3
OSV
added 2024/09/24 2:15 a.m., 2 views

CVE-2024-8738

The Seriously Simple Stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...

CVSS 6.1, AI score 5.9, EPSS 0.00432
Exploits 0, References 3
Vulnrichment
added 2023/01/30 8:31 p.m., 6 views

CVE-2022-4794 AAWP < 3.12.3 - Unsafe URL Handling

The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies...

AI score 7.7, EPSS 0.00797
Exploits 2, References 1
Cvelist
added 2023/01/30 8:31 p.m., 20 views

CVE-2022-4794 AAWP < 3.12.3 - Unsafe URL Handling

The AAWP WordPress plugin before 3.12.3 can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies...

AI score 7.7, EPSS 0.00797
Exploits 2, References 1
WPVulnDB
added 2023/01/04 12:00 a.m., 27 views

AAWP < 3.12.3 - Unsafe URL Handling

The plugin can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) to bypass firewall rules in companies. PoC: wp-content/aawp/public/image.php?url=base64-url will load and download the file from the base64-decoded URL...

CVSS 7.5, AI score 0.9, EPSS 0.00797
Exploits 2, Affected Software 1
ThreatPost
added 2021/12/07 8:24 p.m., 99 views

Windows 10 Drive-By RCE Triggered by Default URI Handler

Researchers have discovered a drive-by remote code-execution (RCE) bug in Windows 10 via Internet Explorer 11/Edge Legacy (the EdgeHTML-based browser that is currently the default browser on Windows 10 PCs) and Microsoft Teams. According to a report posted Tuesday by Positive Security, the...

CVSS 6.8, AI score 9.1, EPSS 0.25895
Exploits 2, References 22