1392 matches found

RedhatCVE
added 2026/02/11 1:33 a.m., 7 views

CVE-2026-25814

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, user-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization...

CVSS 9.8, AI score 5.4, EPSS 0.00337
Exploits 0, References 1

Positive Technologies
added 2026/02/11 12:00 a.m., 4 views

PT-2026-7622

Name of the Vulnerable Software and Affected Versions Shenzhen Zhibotong Electronics ZBT WE2001 version 23.09.27 Description A missing session validation check within the web API component allows unauthenticated remote attackers to access administrative functions designed for authorized users...

AI score 5.5, EPSS 0.00324
Exploits 0, References 6

CVE
added 2026/02/11 12:00 a.m., 8 views

CVE-2025-65127

Affects Shenzhen Zhibotong Electronics ZBT WE2001 (version 23.09.27). The web API component lacks session validation, enabling remote unauthenticated access to administrative information-retrieval functions via get_* calls. Attackers can retrieve device configuration data, including plaintext cre...

CVSS 6.5, AI score 5.6, EPSS 0.00324
Exploits 0, References 2

OSV
added 2026/02/10 10:17 p.m., 6 views

AZL-77454 CVE-2026-26007 affecting package python-cryptography for versions less than 42.0.5-4

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers or EllipticCurvePublicNumbers.public_key, EllipticCurvePublicNumbers.public_key, load_der_public_key and load_pem_public_key functions do not verify that the...

CVSS 8.2, AI score 6.9, EPSS 0.00341
Exploits 0, References 1

Github Security Blog
added 2026/02/10 9:27 p.m., 30 views

cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves

Vulnerability Summary The public_key_from_numbers or EllipticCurvePublicNumbers.public_key, EllipticCurvePublicNumbers.public_key, load_der_public_key and load_pem_public_key functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an...

CVSS 8.2, AI score 5.6, EPSS 0.00341
Exploits 0, References 6, Affected Software 1

OSV
added 2026/02/10 12:25 a.m., 5 views

GHSA-Q4F2-39GR-45JH Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint

Summary Adminer v5.4.1 has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version parameter which P...

CVSS 7.5, AI score 5.7, EPSS 0.01586
Exploits 1, References 5

ATTACKERKB
added 2026/02/09 9:26 p.m., 5 views

CVE-2026-25892

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from a...

CVSS 7.5, AI score 5.6, EPSS 0.01586
Exploits 1, References 4, Affected Software 1

Debian CVE
added 2026/02/09 9:26 p.m., 3 views

CVE-2026-25892

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from a...

CVSS 7.5, AI score 5.6, EPSS 0.01586
Exploits 1

ATTACKERKB
added 2026/02/09 9:05 p.m., 4 views

CVE-2026-25814

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, user-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization...

CVSS 9.3, AI score 5.4, EPSS 0.00337
Exploits 0, References 2

CVE
added 2026/02/09 9:00 p.m., 14 views

CVE-2026-25811

CVE-2026-25811 affects PlaciPy 1.0.0. Root cause: tenant identifiers are derived from user email domains without validating domain ownership/registration, enabling cross-tenant data access. Impact is cross-tenant data exposure; CVSS notes indicate high confidentiality/integrity impact in some vec...

CVSS 9.1, AI score 5.5, EPSS 0.00269
Exploits 0, References 1, Affected Software 1

CVE
added 2026/02/09 8:58 p.m., 11 views

CVE-2026-25809

CVE-2026-25809 affects PlaciPy 1.0.0. The code evaluation endpoint does not validate the assessment lifecycle state (whether started, expired, or submission window open), potentially allowing execution without proper sequencing. This is documented across multiple feeds (NVD, Red Hat, CVE records,...

CVSS 9.8, AI score 5.6, EPSS 0.0031
Exploits 0, References 1, Affected Software 1

NVD
added 2026/02/09 8:15 p.m., 6 views

CVE-2026-25057

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...

CVSS 9.1, EPSS 0.00469
Exploits 0, References 3

CVE
added 2026/02/07 9:58 p.m., 15 views

CVE-2026-25566

The connected documents confirm a concrete vulnerability in WeKan versions prior to 8.19: an authorization flaw in the card move logic allows a user to specify a destination board, list, or swimlane without proper authorization checks and without validating that the destination items belong to th...

CVSS 7.1, AI score 5.4, EPSS 0.00222
Exploits 0, References 3, Affected Software 1

Cvelist
added 2026/02/07 9:58 p.m., 30 views

CVE-2026-25566 WeKan < 8.19 Cross-board Card Move Without Destination Authorization

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially...

CVSS 7.1, EPSS 0.00222
Exploits 0, References 3

Cvelist
added 2026/02/07 8:26 a.m., 26 views

CVE-2026-1082 TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVSS 4.3, EPSS 0.00151
Exploits 0, References 3

NVD
added 2026/02/07 6:16 a.m., 8 views

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

CVSS 5.5, EPSS 0.00259
Exploits 0, References 1

Positive Technologies
added 2026/02/06 12:00 a.m., 15 views

PT-2026-6692

Name of the Vulnerable Software and Affected Versions Code Snippets plugin for WordPress versions up to and including 3.9.4 Description The Code Snippets plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of a lack of nonce validation on the cloud snippet download...

CVSS 4.3, AI score 5.5, EPSS 0.00191
Exploits 0, References 10

OSV
added 2026/02/03 6:42 p.m., 6 views

GHSA-R7X9-8PH7-W8CG Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference CWE-639 has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation o...

CVSS 6.9, AI score 5.7, EPSS 0.00366
Exploits 0, References 4

Github Security Blog
added 2026/02/03 5:31 p.m., 12 views

RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

Summary IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...

CVSS 8.7, AI score 5.5, EPSS 0.00211
Exploits 0, References 4, Affected Software 1

Vulnrichment
added 2026/02/03 11:39 a.m., 6 views

CVE-2026-1664 Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

CVSS 6.9, AI score 5.5, EPSS 0.00366
Exploits 0, References 1