1392 matches found

Cvelist
added 2026/03/02 12:00 a.m., 18 views

CVE-2026-24112

An issue was discovered in Tenda W20E V4.0brV15.11.0.6. Attackers may exploit the vulnerability by specifying the value of userInfo. When userInfo is passed into the addWewifiWhiteUser function and processed by sscanf without size validation, it could lead to a buffer overflow vulnerability...

EPSS 0.00531
Exploits 1, References 2
Cvelist
added 2026/03/02 12:00 a.m., 19 views

CVE-2026-24109

An issue was discovered in Tenda W20E V4.0brV15.11.0.6. Attackers may exploit the vulnerability by controlling the value of picName. When this value is used in sprintf without validating variable sizes, it could lead to a buffer overflow vulnerability...

EPSS 0.00649
Exploits 1, References 2
CNNVD
added 2026/03/02 12:00 a.m., 6 views

Tenda W20E security vulnerability

The Tenda W20E is a router produced by the Chinese company Tenda. The Tenda W20E V4.0brV15.11.0.6 version contains a security vulnerability. This vulnerability stems from the lack of size validation when processing data related to addDhcpRules, which may lead to a buffer overflow...

CVSS 9.8, AI score 6.2, EPSS 0.00425
Exploits 1, References 3
EUVD
added 2026/02/27 9:31 p.m., 8 views

EUVD-2018-21615

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject...

AI score 6.1, EPSS 0.00404
Exploits 0, References 4
Vulnrichment
added 2026/02/27 4:15 p.m., 6 views

CVE-2026-2293 NestJS 11.1.13 - Lack of data validation allowing authentication/authorization bypass

A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled. This issue affects nest.Js: 11.1.13...

CVSS 8.2, AI score 5.9, EPSS 0.00666
Exploits 1, References 3
CNNVD
added 2026/02/27 12:00 a.m., 7 views

openDCIM OS command injection vulnerability

openDCIM is an open-source data center inventory management (DCIM) application. Version 23.04 of openDCIM contains an operating system command injection vulnerability. It stems from the lack of validation or sanitization of user input in the reportnetworkmap.php file, which may...

CVSS 9.8, AI score 5.8, EPSS 0.05648
Exploits 2, References 8
OSV
added 2026/02/26 3:18 p.m., 4 views

GHSA-MPF7-P9X7-96R3 Mailpit is Vulnerable to Server-Side Request Forgery (SSRF) via Link Check API

Summary: The Link Check API /api/v1/message/ID/link-check is vulnerable to Server-Side Request Forgery (SSRF). The server performs HTTP HEAD requests to every URL found in an email without validating target hosts or filtering private/internal IP addresses. The response returns status codes and statu...

CVSS 5.8, AI score 5.9, EPSS 0.00468
Exploits 1, References 5
CVE
added 2026/02/26 2:23 a.m., 27 views

CVE-2026-2356

CVE-2026-2356 (User Registration & Membership – WordPress) is a discovered Insecure Direct Object Reference affecting the plugin up to version 5.1.2. The issue arises from missing validation on a user-controlled key (member_id/register_member), enabling unauthenticated deletion of newly created u...

CVSS 5.3, AI score 5.5, EPSS 0.00187
Exploits 0, References 2
Cvelist
added 2026/02/26 12:00 a.m., 24 views

CVE-2025-56605

A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute...

EPSS 0.00189
Exploits 0, References 1
NVD
added 2026/02/25 10:16 a.m., 17 views

CVE-2026-2410

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the showPageContent function. This makes it possible for unauthenticated attackers to a...

CVSS 4.3, EPSS 0.00131
Exploits 0, References 4
RedhatCVE
added 2026/02/25 4:06 a.m., 6 views

CVE-2026-26198

Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into sqlalchemy.text without any validation or sanitization. The min and max methods in the QuerySet class...

CVSS 9.8, AI score 5.9, EPSS 0.00915
Exploits 2, References 1
Positive Technologies
added 2026/02/25 12:00 a.m., 10 views

PT-2026-21895

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the showPageContent function. This makes it possible for unauthenticated attackers to a...

CVSS 4.3, AI score 5.4, EPSS 0.00131
Exploits 0, References 5
ATTACKERKB
added 2026/02/24 9:05 p.m., 1 view

CVE-2026-25882

Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route...

CVSS 7.5, AI score 5.9, EPSS 0.00594
Exploits 1, References 5, Affected Software 1
Github Security Blog
added 2026/02/23 10:12 p.m., 6 views

ormar is vulnerable to SQL Injection through aggregate functions min() and max()

Report of SQL Injection Vulnerability in Ormar ORM. A SQL Injection attack can be achieved by passing a crafted string to the min or max aggregate functions. Brief description: When performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly int...

CVSS 9.8, AI score 6.3, EPSS 0.00915
Exploits 2, References 5, Affected Software 1
ATTACKERKB
added 2026/02/23 8:45 a.m., 6 views

CVE-2026-23552

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy (Apache Camel Keycloak component). The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

AI score 5.3, EPSS 0.00398
Exploits 2, References 2, Affected Software 1
Vulnrichment
added 2026/02/22 6:00 a.m., 2 views

CVE-2026-1369 Conditional CAPTCHA <= 4.0.0 - Open Redirect

The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue...

AI score 5.3, EPSS 0.00156
Exploits 0, References 1
CVE
added 2026/02/21 6:38 a.m., 21 views

CVE-2026-27471

CVE-2026-27471 affects ERP, an open-source ERP tool. Versions up to 15.98.0 and 16.0.0-rc.1 through 16.6.0 have endpoints without proper access validation, allowing unauthorized document access. This has been fixed in 15.98.1 and 16.6.1. The impact is unauthorized access to documents via exposed ...

CVSS 9.3, AI score 5.4, EPSS 0.00324
Exploits 0, References 2, Affected Software 1
OSV
added 2026/02/21 6:38 a.m., 7 views

CVE-2026-27471 ERP: Document access through endpoints due to missing validation

ERP is a free and open source Enterprise Resource Planning tool. In versions up to 15.98.0 and 16.0.0-rc.1 and through 16.6.0, certain endpoints lacked access validation which allowed for unauthorized document access. This issue has been fixed in versions 15.98.1 and 16.6.1...

CVSS 9.3, AI score 5.4, EPSS 0.00324
Exploits 0, References 4
CVE
added 2026/02/20 11:10 p.m., 12 views

CVE-2026-27146

GetSimple CMS is affected by a CSRF on the administrative file upload endpoint across all versions due to missing CSRF protection. An attacker can craft a malicious page that silently triggers a file upload from an authenticated admin user’s browser without a token or origin validation, enabling ...

CVSS 7.1, AI score 5.9, EPSS 0.00174
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/02/20 10:28 p.m., 7 views

CVE-2026-27122

Svelte is a performance-oriented web framework. Prior to 5.51.5, when used in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output...

CVSS 5, AI score 5.5, EPSS 0.00189
Exploits 0, References 2, Affected Software 1