Lucene search
K

2104 matches found

Nuclei
Nuclei
added 11 hours ago75 views

User Profile Picture < 2.5.0 - Sensitive Information Disclosure

The REST API endpoint getusers in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...

7.5CVSS7AI score0.04788EPSS
Exploits2References3
CVE
CVE
added yesterday10 views

CVE-2026-61971

The CVE covers the WordPress plugin Metronet Profile Picture (Cozmoslabs User Profile Picture) insecure direct object references affecting versions

2.7CVSS6.1AI score0.00314EPSS
Exploits0References1
Nuclei
Nuclei
added 2026/07/07 4:50 p.m.114 views

WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of...

9.8CVSS7.4AI score0.89431EPSS
Exploits8References5
EUVD
EUVD
added 2026/06/30 11:48 a.m.7 views

EUVD-2026-40299

A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions FGAPv2 are enabled, an administrator who should only be able to search for users but not view their full details can use a...

4.3CVSS5.7AI score0.00173EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 3:32 p.m.8 views

EUVD-2026-39656

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details...

4.3CVSS5.8AI score0.00167EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/26 12:38 p.m.6 views

CVE-2026-57924

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details...

4.3CVSS5.8AI score0.00167EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 12:38 p.m.22 views

CVE-2026-57924

CVE-2026-57924 affects JetBrains YouTrack prior to version 2026.2.16593, where a default role configuration exposed excessive user profile details. The root cause is not fully described beyond this exposure, but the impact implies potential disclosure of user profile information to unauthorized u...

5.3CVSS5.8AI score0.00167EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.11 views

PT-2026-52704

Name of the Vulnerable Software and Affected Versions JetBrains YouTrack versions prior to 2026.2.16593 Description The default role configuration allows for the exposure of excessive user profile details. Recommendations Update to version 2026.2.16593...

5.3CVSS5.8AI score0.00167EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/06/23 12:0 a.m.6 views

WordPress Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin <= 2.11.4 - Authenticated (Contributor+) Account Takeover vulnerability

Authenticated Contributor+ Account Takeover vulnerability discovered by tiborisaak in WordPress Plugin Ultimate Member versions = 2.11.4...

8.8CVSS5.8AI score0.00499EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/18 2:17 p.m.10 views

CVE-2026-54224

UBB.threads is vulnerable to Denial of Service DoS. By sending multiple concurrent requests to view any user profile on instances with many registered users, an authenticated attacker can easily exhaust database resources and completely deny access to the application for other users. Because vend...

7.1CVSS0.00272EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 2:23 p.m.9 views

CVE-2026-44205 Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload

Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0...

6.9CVSS5.3AI score0.00258EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 2:23 p.m.27 views

CVE-2026-44205 Frappe: Stored Cross-Site Scripting (XSS) in User Profile through Image Upload

Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0...

6.9CVSS0.00258EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 2:23 p.m.17 views

CVE-2026-44205

CVE-2026-44205 affects the Frappe framework (prior to 15.106.0). The issue is a stored XSS in the user profile image upload path that allows an attacker to execute malicious scripts in the browsers of other users. The vulnerability is mitigated by upgrading to version 15.106.0, where it is patche...

6.9CVSS5.4AI score0.00258EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/10 5:38 p.m.11 views

keycloak: Keycloak: Information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.3AI score0.00348EPSS
Exploits0References4
FreeBSD
FreeBSD
added 2026/06/10 12:0 a.m.10 views

jenkins -- multiple vulnerabilities

Jenkins Security Advisory 2026-06-10: SECURITY-3707 / CVE-2026-53435: Deserialization vulnerability High SECURITY-3711+3755 / CVE-2026-53436, CVE-2026-53437: Open redirect vulnerability Medium SECURITY-3712 / CVE-2026-53438: Missing permission check allows canceling queue items Medium SECURITY-37...

8.8CVSS5.3AI score0.14907EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/06/07 12:43 a.m.13 views

CVE-2026-45778

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the...

8.6CVSS5.4AI score0.00147EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.13 views

CVE-2026-50213

The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings...

8.7CVSS5.4AI score0.00232EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.9 views

CVE-2026-42280

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...

7.1CVSS5.4AI score0.00211EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/05 7:52 a.m.12 views

EUVD-2026-34790

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.4AI score0.00348EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/05 7:52 a.m.9 views

CVE-2026-9088 Keycloak: keycloak: information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

2.7CVSS5.4AI score0.00348EPSS
Exploits0References6
Rows per page
Query Builder