CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 6 days ago•19 views

CVE-2026-54105

The CVE concerns CVE-2026-54105 affecting the GAO EPDS and CBCA EDS systems. The vulnerability arises from the update-profile/ API endpoint, where a remote, unauthenticated attacker can supply an arbitrary user_id and receive a JSON response containing account-specific information, including the ...

6.9CVSS5.3AI score0.003EPSS

EUVD•added last week•7 views

EUVD-2025-210214

In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS5.5AI score0.00077EPSS

Exploits0References2

EUVD•added 2026/06/15 12:0 p.m.•6 views

EUVD-2016-10884

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...

8.8CVSS6.1AI score0.0027EPSS

CVE•added 2026/06/15 12:0 p.m.•11 views

CVE-2016-20072

CVE-2016-20072 affects the BBS e-Franchise 1.1.1 WordPress plugin. The vulnerability is an SQL injection in the uid parameter used by the plugin’s shortcode, enabling unauthenticated attackers to craft requests (Union-based SQLi) to extract sensitive data (e.g., user information, taxonomy terms)....

8.8CVSS6.2AI score0.0027EPSS

NVD•added 2026/06/12 9:16 p.m.•10 views

CVE-2026-54396

An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...

5.3CVSS0.00247EPSS

Cvelist•added 2026/06/12 8:48 p.m.•27 views

CVE-2026-54396 MISP AuthKey edit endpoint allows authenticated user email enumeration

5.3CVSS0.00247EPSS

EUVD•added 2026/06/10 12:31 a.m.•10 views

EUVD-2026-35877

BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a userid parameter in the request. Attackers can pass another user's identifier to the...

8.6CVSS5.6AI score0.00294EPSS

NVD•added 2026/06/10 12:16 a.m.•10 views

CVE-2026-53673

8.6CVSS0.00294EPSS

Vulnrichment•added 2026/06/09 11:44 p.m.•11 views

CVE-2026-53673 BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter

8.6CVSS5.5AI score0.00294EPSS

CVE•added 2026/06/09 11:44 p.m.•16 views

CVE-2026-53673

CVE-2026-53673 affects BuddyPress 14.4.0. The issue is an insecure direct object reference in the messages REST API where a user_id parameter can be supplied to read, reply to, or delete private messages. Attackers can pass another user’s identifier to get_item_permissions_check (which validates ...

8.6CVSS5.6AI score0.00294EPSS

Vulnrichment•added 2026/06/09 3:41 a.m.•8 views

CVE-2026-9185 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

7.5CVSS5.5AI score0.00403EPSS

Exploits0References11

Information Security Automation•added 2026/06/05 10:0 a.m.•12 views

About Remote Code Execution - PAN-OS (CVE-2026-0300) vulnerability

About Remote Code Execution - PAN-OS CVE-2026-0300 vulnerability. PAN-OS is an operating system for Palo Alto Networks firewalls and security platforms. User-ID™ Authentication Portal also known as Captive Portal is a non-default PAN-OS feature used to map IP addresses to usernames. By exploiting...

9.8CVSS6.7AI score0.36157EPSS

Exploits6

NVD•added 2026/06/04 4:16 p.m.•10 views

CVE-2026-10868

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit. When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could cra...

9CVSS0.00239EPSS

Positive Technologies•added 2026/06/04 12:0 a.m.•11 views

PT-2026-46254

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description A mass assignment issue exists in the user edit functionality. The application fails to sufficiently filter user-supplied fields in the UsersController::edit function, allowing it to accept a...

9CVSS5.4AI score0.00239EPSS

CVE•added 2026/06/01 5:0 a.m.•15 views

CVE-2026-10226

CVE-2026-10226 affects the project raisulislamg4 student_management_system_by_php (file delete.php). The issue is a SQL injection that can be triggered by manipulating arguments such as user_id, course_id, teacher_id, student_id, or application_id. The vulnerability is exploitable remotely and ex...

7.5CVSS6.8AI score0.00263EPSS

Exploits0References6

RedhatCVE•added 2026/05/30 2:12 a.m.•11 views

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

8.8CVSS5.8AI score0.00303EPSS