Lucene search
K

1019 matches found

Nuclei
Nuclei
added yesterday57 views

mooSocial v.3.1.8 - Cross-Site Scripting

A cross-site Scripting XSS vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code by sending a crafted payload to the adminredirecturl parameter of the user login function. id: CVE-2023-44812 info: name: mooSocial v.3.1.8 - Cross-Site Scripting author: ritikchaddha...

6.1CVSS6.6AI score0.01897EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday7 views

LatePoint <= 5.0.12 - Authentication Bypass

LatePoint plugin for WordPress versions up to 5.0.12 contains an authentication bypass caused by insufficient verification of user during booking, letting unauthenticated attackers log in as any existing user if they have user ID access, exploit requires access to user ID, and the 'Use WordPress...

9.8CVSS6AI score0.02994EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday28 views

ZZcms - Cross-Site Scripting

ZZcms 2019 contains a cross-site scripting vulnerability in the user login page. An attacker can inject arbitrary JavaScript code in the referer header via user/login.php, which can allow theft of cookie-based credentials and launch of subsequent attacks. id: CVE-2020-20285 info: name: ZZcms -...

5.4CVSS6.3AI score0.01395EPSS
Exploits1References3
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-43156

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacker...

5.3CVSS6.2AI score0.00361EPSS
Exploits0References12
OSV
OSV
added last week6 views

CVE-2026-49229 Actual: Disabled OpenID users keep access through existing session tokens

Actual is a local-first personal finance app. Prior to 26.6.0, in OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity, while existing Actual session tokens for the disabled user remain valid. The shared session validation path accepts any existing token row...

8.3CVSS6AI score0.00441EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/07 5:11 a.m.32 views

CVE-2026-57867

MicroRealEstate allows adversaries to bypass authentication due to a lack of token state management. This would permit adversaries targeting MicroRealEstate deployments to brute-force One-Time Passwords OTP to log in as any user. This issue affects MicroRealEstate: through 1.0.0-alpha3...

8.8CVSS0.00342EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.16 views

PT-2026-53059

Name of the Vulnerable Software and Affected Versions RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login versions prior to 6.0.8.7 Description An authentication bypass exists due to insufficient verification of data authenticity. The PayPal IPN callback...

5.3CVSS5.8AI score0.00232EPSS
Exploits0References20
RedhatCVE
RedhatCVE
added 2026/06/10 8:59 a.m.10 views

CVE-2026-10731

SQL injection in the ‘twostepsauthcode’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queri...

9.3CVSS6AI score0.00349EPSS
Exploits0References1
NVD
NVD
added 2026/06/09 10:16 a.m.15 views

CVE-2026-10731

SQL injection in the ‘twostepsauthcode’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queri...

9.3CVSS0.00349EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/09 8:57 a.m.16 views

EUVD-2026-35387

SQL injection in the ‘twostepsauthcode’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queri...

9.3CVSS6AI score0.00349EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/09 8:57 a.m.8 views

CVE-2026-10731 SQL injection in Nemon products

SQL injection in the ‘twostepsauthcode’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queri...

9.3CVSS6AI score0.00349EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/09 8:57 a.m.36 views

CVE-2026-10731 SQL injection in Nemon products

SQL injection in the ‘twostepsauthcode’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queri...

9.3CVSS0.00349EPSS
Exploits0References1
CVE
CVE
added 2026/06/09 8:57 a.m.20 views

CVE-2026-10731

CVE-2026-10731 describes a SQL injection flaw in the two_steps_auth_code parameter processed by the twoStepsAuthVerification function in the /user-login endpoint of Nemon products. The vulnerability allows unauthenticated attackers to execute arbitrary SQL on the backend database, potentially ena...

9.3CVSS6AI score0.00349EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.24 views

PT-2026-47729

SQL injection in the ‘two steps auth code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication 2FA functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL...

9.3CVSS6AI score0.00349EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.9 views

CVE-2026-3655

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...

9.8CVSS5.5AI score0.00492EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.14 views

CVE-2026-8360

Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface in various DLLs i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll can return a NULL pointer i.e., when no user is logged into the Triofox Server Agent Management Console. The returned NULL pointer is not checked before being...

7.5CVSS5.5AI score0.00275EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/27 5:31 a.m.12 views

EUVD-2026-32079

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebaseauth function authenticating the request as the WordPress user whose email is supplied in the useremail POST parameter without...

8.8CVSS6AI score0.00283EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/19 12:59 p.m.43 views

CVE-2026-42098 Authorization Bypass in Sparx Enterprise Architect

Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior e.g. using a debugger and log in as any other user or administrator - then it is possible to do every...

8.7CVSS0.00401EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/12 10:23 p.m.10 views

Reliance on Untrusted Inputs in a Security Decision

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the headerUserLogin function. An attacker can gain unauthorized access to any user account, including administrators, by injecting...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References5
CVE
CVE
added 2026/04/28 5:9 p.m.11 views

CVE-2026-5794

The CVE-2026-5794 entry concerns Cryptobox. A vulnerability in the detailed versions of Cryptobox allows an authenticated user to cause an account lockout for another user by sending a specially crafted request. The documented impact is on availability (high) with no confidentiality or integrity ...

7.1CVSS5.3AI score0.00256EPSS
Exploits0References1
Rows per page
Query Builder