Lucene search
K

468 matches found

CVE
CVE
added yesterday8 views

CVE-2026-53690

Redeight CMS 1.0 is cited as vulnerable to an SQL Injection via the userEmail parameter on POST /admin/index.php. The root cause is lack of input sanitization and direct interpolation of user input into SQL queries without prepared statements, enabling unauthenticated remote attackers to run arbi...

9.3CVSS6.2AI score
Exploits0References1
EUVD
EUVD
added yesterday5 views

EUVD-2026-40292

An SQL Injection vulnerability exists in Redeight CMS version 1.0 via the "userEmail" parameter in the POST "/admin/index.php" login endpoint. The application fails to sanitize user input and directly interpolates it into SQL queries without using prepared statements, which allows unauthenticated...

9.3CVSS6.2AI score
Exploits0References1
Cvelist
Cvelist
added yesterday24 views

CVE-2026-53690 SQL Injection in Redeight CMS

An SQL Injection vulnerability exists in Redeight CMS version 1.0 via the "userEmail" parameter in the POST "/admin/index.php" login endpoint. The application fails to sanitize user input and directly interpolates it into SQL queries without using prepared statements, which allows unauthenticated...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-12415 Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravelinvoiceeditaccount AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wpajaxnoprivpravelinvoiceeditaccount, accepts an attacker-controlled...

9.8CVSS0.00662EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 4 days ago15 views

CVE-2026-12415

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravelinvoiceeditaccount AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wpajaxnoprivpravelinvoiceeditaccount, accepts an attacker-controlled...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-39943

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravelinvoiceeditaccount AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wpajaxnoprivpravelinvoiceeditaccount, accepts an attacker-controlled...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 5:33 a.m.34 views

CVE-2026-9178 WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure via 'user/list' REST Endpoint

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ callback userDetail with permissioncallback set to 'returntrue', and the function's home-grown authentication only...

7.5CVSS0.00347EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/17 10:12 p.m.23 views

CVE-2024-27928 Vantage6: 2FA can be circumvented with hacked email access

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1 reset the password via email and then 2 reset the 2FA token via email. This way they reduce 2FA to 1FA email access. Note that...

5.9CVSS0.00278EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/15 9:30 p.m.7 views

EUVD-2026-36747

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote...

5.5AI score0.00511EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.13 views

PT-2026-49287

Name of the Vulnerable Software and Affected Versions ThingsBoard version 4.3.0.1 Description An authentication bypass exists during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the '/login/oauth2/code/' endpoint...

9.8CVSS5.4AI score0.00511EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:49 p.m.9 views

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

5CVSS5.5AI score0.00107EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.9 views

CVE-2026-10597

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS5.5AI score0.00244EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/04 2:19 a.m.37 views

CVE-2026-10597 ITPison|OMICARD EDM - Insecure Direct Object Reference

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS0.00244EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.13 views

PT-2026-46130

OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address...

6.9CVSS5.8AI score0.00244EPSS
Exploits0References3
NVD
NVD
added 2026/06/01 9:16 p.m.17 views

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

5CVSS0.00107EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/01 7:59 p.m.29 views

CVE-2026-49433 DeepAI api.deepai.org/change_user_email CSRF

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

5CVSS0.00107EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/01 7:59 p.m.13 views

CVE-2026-49433 DeepAI api.deepai.org/change_user_email CSRF

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

5CVSS5.8AI score0.00107EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/01 7:59 p.m.10 views

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

5CVSS5.8AI score0.00107EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/07 9:44 p.m.17 views

CVE-2026-39937 Global vanishing does not completely remove user email

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the master branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1....

8.8CVSS0.00263EPSS
Exploits0References2
CVE
CVE
added 2026/04/07 9:44 p.m.6 views

CVE-2026-39937

CVE-2026-39937 concerns the Wikimedia Foundation’s MediaWiki CentralAuth Extension. The issue is an improper removal of sensitive information before storage or transfer, resulting in a Resource Leak Exposure. According to the connected documents, the vulnerability has been remediated on the maste...

8.8CVSS5.8AI score0.00263EPSS
Exploits0References2
Rows per page
Query Builder