Lucene search
+L

2911 matches found

Cvelist
Cvelist
added 3 hours ago7 views

CVE-2024-23567

HCL Aftermarket EPC is affected by Sensitive Information in GET method & in URL which allows application to pass sensitive data via URL parameters during normal usage. Data passed in this manner can be exposed because it may end up stored in unintended locations, including server logs, local...

4.3CVSS
Exploits0References1
Nuclei
Nuclei
added 12 hours ago27 views

WordPress StageShow <5.0.9 - Open Redirect

WordPress StageShow plugin before 5.0.9 contains an open redirect vulnerability in the Redirect function in stageshowredirect.php. A remote attacker can redirect users to arbitrary web sites and conduct phishing attacks via a malicious URL in the url parameter. id: CVE-2015-5461 info: name:...

6.4CVSS5.6AI score0.06283EPSS
Exploits2References5
NVD
NVD
added 13 hours ago6 views

CVE-2026-11324

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS
Exploits0References8
EUVD
EUVD
added 14 hours ago5 views

EUVD-2026-45129

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS6.2AI score
Exploits0References8
CVE
CVE
added 17 hours ago8 views

CVE-2026-62214

OpenClaw Bot Framework (versions before 2026.5.28) contains an input validation flaw in serviceUrl parameters that enables SSRF-style access by lower-trust callers. This misvalidation can allow retrieval of bot tokens and credentials by supplying malicious serviceUrl values through configured inp...

6.5CVSS6.1AI score
Exploits0References2
CVE
CVE
added 3 days ago13 views

CVE-2026-15668

The CVE affects louisho5 picobot up to version 0.2.0, specifically the web Tool component. The vulnerability resides in WebTool.Execute (internal/agent/tools/web.go) where manipulation of the url argument enables server-side request forgery (SSRF). It is a network-vector, with low privileges requ...

6.5CVSS6.2AI score0.00228EPSS
Exploits0References6
NVD
NVD
added 3 days ago8 views

CVE-2026-44767

setThemeRoot failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a element, even when no tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL...

6.1CVSS0.00181EPSS
Exploits0References2
NVD
NVD
added 3 days ago6 views

CVE-2026-44759

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal...

6.1CVSS0.00172EPSS
Exploits0References2
CVE
CVE
added 3 days ago16 views

CVE-2026-44759

CVE-2026-44759 affects SAP NetWeaver Enterprise Portal. An unauthenticated attacker can inject malicious scripts into a URL parameter, with scripts reflected in server responses and executed in the user’s browser when the crafted URL is visited. This leads to theft of session information, manipul...

6.1CVSS6.1AI score0.00172EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-44759 Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal...

6.1CVSS0.00172EPSS
Exploits0References2
NVD
NVD
added 5 days ago15 views

CVE-2026-56259

Crawl4AI before 0.8.8 contains credential exfiltration vulnerabilities in the Docker API server that allow attackers to redirect LLM API calls to attacker-controlled endpoints and read arbitrary environment variables. Attackers can exploit the unauthenticated /md, /llm, and /llm/job endpoints by...

8.8CVSS0.00254EPSS
Exploits0References2
CVE
CVE
added 2026/07/09 5:24 p.m.18 views

CVE-2026-59721

Hoppscotch (open source API development ecosystem) contains a Rooted Command Execution risk before version 2026.6.0 due to the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepting an attacker-controlled MAILER_SMTP_URL. The validateSMTPUrl in utils.ts permits path, query, or f...

7.2CVSS6.2AI score0.00518EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/08 5:34 a.m.32 views

CVE-2026-14500 Bulk Order Update for WooCommerce <= 1.6 - Unauthenticated Arbitrary File Read via 'csv_url' Parameter

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS0.00333EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/08 5:34 a.m.6 views

EUVD-2026-42175

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS6.1AI score0.00333EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/08 4:30 a.m.34 views

CVE-2026-14244 Jssor Slider by jssor.com <= 3.1.24 - Unauthenticated Arbitrary File Read via 'url' Parameter

The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain...

7.5CVSS0.00692EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/07/07 7:35 p.m.9 views

@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)

Summary A known vulnerability CVE-2026-33060 indicated tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a method to bypass exist...

5.7CVSS6.1AI score0.00289EPSS
Exploits1References4Affected Software1
NVD
NVD
added 2026/07/06 11:16 a.m.11 views

CVE-2025-8591

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS0.00161EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 10:16 a.m.18 views

CVE-2025-8591

The CVE-2025-8591 entry describes a reflected cross-site scripting flaw in multiple WSO2 products, triggered by reflecting user-supplied input from a URL parameter without sufficient output encoding. The vulnerability allows an attacker to cause the user’s browser to redirect to a malicious site,...

6.1CVSS6AI score0.00161EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/06 10:16 a.m.6 views

CVE-2025-8591

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS6AI score0.00161EPSS
Exploits0References2Affected Software8
Cvelist
Cvelist
added 2026/07/06 10:16 a.m.35 views

CVE-2025-8591 Reflected Cross-Site Scripting via URL Parameter in Multiple WSO2 Products Enables UI Modification

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can...

6.1CVSS0.00161EPSS
Exploits0References1
Rows per page
Query Builder