Lucene search
K

760 matches found

CVE
CVE
added 2026/04/13 12:0 a.m.7 views

CVE-2026-36919

CVE-2026-36919 affects Sourcecodester Online Reviewer System v1.0. The vulnerability is a SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php. The available records confirm the impact is SQL injection but do not provide patch details or specific vulnerable param...

2.7CVSS5.9AI score0.00225EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/04/10 7:20 p.m.4 views

GHSA-C3H3-89QF-JQM5 LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin

Summary A restricted TLS certificate user can escalate to cluster admin by changing their certificate type from client to server via PUT/PATCH to /1.0/certificates/fingerprint. The non-admin guard and reset block in doCertificateUpdate fail to validate or reset the Type field, allowing a...

9.1CVSS5.9AI score0.00274EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.6 views

PT-2026-30864

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services AWS IMDSv1, cloud metadata, internal APIs by creating a link with a publ...

5CVSS5.9AI score0.00274EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/06 5:17 p.m.1 views

CVE-2026-35045 Tandoor Recipes Affected by Private Recipe Exposure and Unauthorized Modification

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batchupdate/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by...

8.1CVSS5.9AI score0.00267EPSS
Exploits1References2
EUVD
EUVD
added 2026/04/06 12:32 p.m.4 views

EUVD-2026-19211

A vulnerability was found in PHPGurukul Online Shopping Portal Project 2.1. The impacted element is an unknown function of the file /admin/update-image1.php of the component Parameter Handler. The manipulation of the argument filename results in sql injection. The attack may be performed from...

6.5CVSS5.6AI score0.00196EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/04/01 5:0 a.m.6 views

CVE-2026-30877

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges o...

9.1CVSS6AI score0.01516EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.3 views

PT-2026-29821

Name of the Vulnerable Software and Affected Versions PraisonAI affected versions not specified Description A second-order SQL injection issue exists in the get all user threads function. The function constructs raw SQL queries using f-strings with unescaped thread IDs obtained from the database...

9.8CVSS6AI score0.00533EPSS
Exploits1References10
EUVD
EUVD
added 2026/03/31 10:35 p.m.7 views

EUVD-2026-17259

baserCMS Update Functionality Vulnerable to OS Command Injection...

9.1CVSS5.9AI score0.01516EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/31 10:35 p.m.3 views

baserCMS Update Functionality Vulnerable to OS Command Injection

Summary The latest version of baserCMS basercms-5.2.2 contains an OS command injection vulnerability CWE-78 in its update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the us...

9.1CVSS6.1AI score0.01516EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/31 5:39 p.m.1 views

CVE-2026-32273

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, updating a category description via API is not sanitizing the description string, which can lead to XSS attacks. This issu...

5.4CVSS5.8AI score0.00167EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/03/31 2:30 a.m.2 views

Command Injection

Overview baserproject/baser-core is a baserCMS plugin for CakePHP Affected versions of this package are vulnerable to Command Injection through the update functionality in the update process. An authenticated attacker with administrator privileges can execute arbitrary OS commands on the server b...

9.1CVSS6.1AI score0.01516EPSS
Exploits0References2
NVD
NVD
added 2026/03/31 1:16 a.m.4 views

CVE-2026-30877

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges o...

9.1CVSS0.01516EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/31 12:45 a.m.24 views

CVE-2026-30877 baserCMS: OS Command Injection in the baserCMS Update Functionality

baserCMS is a website development framework. Prior to version 5.2.3, there is an OS command injection vulnerability in the update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges o...

9.1CVSS0.01516EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.4 views

PT-2026-29148

Name of the Vulnerable Software and Affected Versions baserCMS versions prior to 5.2.3 Description baserCMS is a website development framework. A security issue exists in the update functionality that allows an authenticated user with administrator privileges to execute arbitrary OS commands on t...

9.1CVSS6.1AI score0.01516EPSS
Exploits0References14
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.4 views

CVE-2026-25745

OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint e.g. PUT or POST updates by message/note ID only and does not verify that the message belongs to the current patient or...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.7 views

CVE-2026-30900

Improper Check of minimum version in update functionality of certain Zoom Clients for Windows may allow an authenticated user to conduct an escalation of privilege via local access...

7.8CVSS5.8AI score0.00125EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/25 11:49 p.m.2 views

CVE-2026-34055 OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in library/pnotes.inc.php perform updates and deletes using WHERE id = ? without verifying that the note belongs to a patient the...

8.1CVSS5.9AI score0.00267EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/03/23 7:26 p.m.12 views

WordPress Redirect countdown plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Redirect countdown versions = 1.0...

4.3CVSS5.8AI score0.0014EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.4 views

CVE-2026-1392 SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update

The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing nonce validation on the srminifyhtmltheme function. This makes it possible for unauthenticated attackers to update plugin settings via a forged...

4.3CVSS5.7AI score0.0014EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/20 6:2 a.m.2 views

CVE-2026-4474

A flaw has been found in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /adminsinglestudentupdate.php. This manipulation of the argument stname causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be...

4.8CVSS4.2AI score0.00271EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder