EUVD
added yesterday, 4 views

EUVD-2026-40409

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...

CVSS 8.7, AI score 5.8
Exploits 0, References 3
CVE
added yesterday, 8 views

CVE-2026-13207

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...

CVSS 8.7, AI score 5.8
Exploits 0, References 3
Patchstack
added yesterday, 9 views

WordPress Export User Data plugin <= 2.2.6 - Authenticated (Subscriber+) PHP Object Injection to Arbitrary File Deletion vulnerability

Authenticated (Subscriber+) PHP Object Injection to Arbitrary File Deletion vulnerability discovered by Webbernaut in WordPress Plugin Export User Data versions <= 2.2.6...

CVSS 8, AI score 5.8, EPSS 0.00341
Exploits 0, References 1, Affected Software 1
NVD
added yesterday, 8 views

CVE-2026-12240

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delet...

CVSS 8, EPSS 0.00341
Exploits 0, References 2
CVE
added yesterday, 11 views

CVE-2026-12240

The CVE-2026-12240 entry concerns the WordPress Export User Data plugin (up to version 2.2.6). Affected component: the unserialize path validation in the plugin allows an authenticated subscriber+ to trigger arbitrary file deletions on the server by exporting user data, with a crafted serialized ...

CVSS 8, AI score 6.5, EPSS 0.00341
Exploits 0, References 2
EUVD
added yesterday, 6 views

EUVD-2026-40260

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delet...

CVSS 8, AI score 6.5, EPSS 0.00341
Exploits 0, References 2
Nuclei
added yesterday, 16 views

ListingPro < 2.6.1 - Sensitive Data Disclosure

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the /listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email...

CVSS 5.3, AI score 6, EPSS 0.01608
Exploits 1, References 2
NVD
added 2 days ago, 8 views

CVE-2026-40522

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

CVSS 7.1, EPSS 0.00148
Exploits 0, References 4
ATTACKERKB
added 2 days ago, 4 views

CVE-2026-40522

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

CVSS 7.1, AI score 6, EPSS 0.00148
Exploits 0, References 5
Nuclei
added 3 days ago, 11 views

OneDev < 4.0.3 - User Access Token Leak

OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/id, letting attackers leak sensitive data and impersonate users; the exploit requires no special conditions. id: CVE-2021-21246...

CVSS 8.6, AI score 7.2, EPSS 0.49051
Exploits 0, References 4
EUVD
added 5 days ago, 11 views

EUVD-2026-37807

CakePHP: View::element is missing a path containment check...

CVSS 6.3, AI score 5.8, EPSS 0.00258
Exploits 0, References 2
OSV
added 6 days ago, 4 views

UBUNTU-CVE-2026-53218

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_exthdr: fix register tracking for F_PRESENT flag. nft_exthdr_init passes the user-controlled priv->len to nft_parse_register_store, which marks that many bytes in the register bitmap as initialized. However, when...

CVSS 4.8, AI score 5.7, EPSS 0.00184
Exploits 0, References 11
Cvelist
added 2026/06/24 6:00 a.m., 35 views

CVE-2026-9709 Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Meta Disclosure

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co...

EPSS 0.00219
Exploits 0, References 1
EUVD
added 2026/06/24 5:33 a.m., 7 views

EUVD-2026-38689

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ with callback userDetail and permission_callback set to '__return_true', and the function's home-grown authentication only...

CVSS 7.5, AI score 6, EPSS 0.00347
Exploits 0, References 5
NVD
added 2026/06/23 5:16 p.m., 6 views

CVE-2026-33760

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources (messages, sessions, build artifacts, and LLM transaction logs) without...

CVSS 8.8, EPSS 0.00291
Exploits 1, References 1
CVE
added 2026/06/23 3:41 p.m., 14 views

CVE-2026-54311

CVE-2026-54311 affects n8n, specifically multi-user instances where multiple users can create and run workflows containing the Merge node in SQL Query mode. The vulnerability arises because the sandbox context for the Merge node is cached and reused across all workflow executions on an instance, ...

CVSS 7.7, AI score 6, EPSS 0.00316
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/06/22 12:47 p.m., 28 views

CVE-2026-7166 Multiple vulnerabilities in the Assassin game by Gaudire

Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the ‘email’ and ‘telefon’ fields. This vulnerability is also present in the local database, as it contains accessible sensitive information such as data on...

CVSS 9.2, EPSS 0.00384
Exploits 0, References 1
RedHat Linux
added 2026/06/22 9:27 a.m., 6 views

webkitgtk: An app may be able to access sensitive user data

A flaw was found in WebKitGTK. Processing or loading malicious web content can allow an app to access sensitive user data due to improper data protection...

CVSS 5.5, AI score 5.8, EPSS 0.0014
Exploits 0, References 5
The Hacker News
added 2026/06/22 9:11 a.m., 21 views

Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices

Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence...

AI score 6
Exploits 0
ATTACKERKB
added 2026/06/22 8:26 a.m., 4 views

CVE-2026-12862

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection, which can be used to compromise the environment of the user loading the file or other data in the file...

CVSS 5.1, AI score 5.8, EPSS 0.00226
Exploits 0, References 2