Lucene search
K

1408 matches found

ATTACKERKB
ATTACKERKB
added 2026/02/09 9:26 p.m.5 views

CVE-2026-25892

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from a...

7.5CVSS5.6AI score0.01586EPSS
Exploits1References4Affected Software1
Debian CVE
Debian CVE
added 2026/02/09 9:26 p.m.3 views

CVE-2026-25892

Adminer is open-source database management software. Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from a...

7.5CVSS5.6AI score0.01586EPSS
Exploits1
ATTACKERKB
ATTACKERKB
added 2026/02/09 9:5 p.m.4 views

CVE-2026-25814

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, User-controlled query parameters are passed directly into DynamoDB query/filter construction without validation or sanitization...

9.3CVSS5.4AI score0.00337EPSS
Exploits0References2
CVE
CVE
added 2026/02/09 9:0 p.m.15 views

CVE-2026-25811

CVE-2026-25811 affects PlaciPy 1.0.0. Root cause: tenant identifiers are derived from user email domains without validating domain ownership/registration, enabling cross-tenant data access. Impact is cross-tenant data exposure; CVSS notes indicate high confidentiality/integrity impact in some vec...

9.1CVSS5.5AI score0.00269EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/09 8:58 p.m.12 views

CVE-2026-25809

CVE-2026-25809 affects PlaciPy 1.0.0. The code evaluation endpoint does not validate the assessment lifecycle state (whether started, expired, or submission window open), potentially allowing execution without proper sequencing. This is documented across multiple feeds (NVD, Red Hat, CVE records,...

9.8CVSS5.6AI score0.0031EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/02/09 8:15 p.m.6 views

CVE-2026-25057

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...

9.1CVSS0.00469EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/07 9:58 p.m.30 views

CVE-2026-25566 WeKan < 8.19 Cross-board Card Move Without Destination Authorization

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially...

7.1CVSS0.00222EPSS
Exploits0References3
CVE
CVE
added 2026/02/07 9:58 p.m.16 views

CVE-2026-25566

The connected documents confirm a concrete vulnerability in WeKan versions prior to 8.19: an authorization flaw in the card move logic allows a user to specify a destination board, list, or swimlane without proper authorization checks and without validating that the destination items belong to th...

7.1CVSS5.4AI score0.00222EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/02/07 8:26 a.m.27 views

CVE-2026-1082 TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update

The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in inc/settings-page.php. This makes it possible for unauthenticated attackers to modify plugin...

4.3CVSS0.00151EPSS
Exploits0References3
NVD
NVD
added 2026/02/07 6:16 a.m.9 views

CVE-2025-15491

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks...

5.5CVSS0.00259EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.22 views

PT-2026-6692

Name of the Vulnerable Software and Affected Versions Code Snippets plugin for WordPress versions up to and including 3.9.4 Description The Code Snippets plugin for WordPress is susceptible to Cross-Site Request Forgery. This is a result of a lack of nonce validation on the cloud snippet download...

4.3CVSS5.5AI score0.00191EPSS
Exploits0References10
OSV
OSV
added 2026/02/03 6:42 p.m.6 views

GHSA-R7X9-8PH7-W8CG Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference CWE-639 has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation o...

6.9CVSS5.7AI score0.00366EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/03 5:31 p.m.13 views

RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...

8.7CVSS5.5AI score0.00211EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/03 11:39 a.m.6 views

CVE-2026-1664 Insecure Direct Object Reference (IDOR) via Header-Based Email Routing

Summary An Insecure Direct Object Reference has been found to exist in createHeaderBasedEmailResolver function within the Cloudflare Agents SDK. The issue occurs because the Message-ID and References headers are parsed to derive the target agentName and agentId without proper validation or origin...

6.9CVSS5.5AI score0.00366EPSS
Exploits0References1
EUVD
EUVD
added 2026/02/03 6:38 a.m.8 views

EUVD-2026-5291

The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the createorupdatenote function. This makes it possible for unauthenticated attackers to create or update contact notes via a...

5.4CVSS5.3AI score0.00162EPSS
Exploits0References6
NVD
NVD
added 2026/02/03 3:15 a.m.4 views

CVE-2026-24935

A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle MitM attacker can intercept or redirect the NAT tunnel establishment. This could...

6.3CVSS0.00144EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/03 12:0 a.m.9 views

WordPress plugin Mail Mint 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

5.4CVSS5.7AI score0.00162EPSS
Exploits0References7
EUVD
EUVD
added 2026/02/03 12:0 a.m.5 views

EUVD-2025-206702

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achie...

8.4CVSS6.4AI score0.00143EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/02 9:16 p.m.2 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via insufficient validation of the return parameter in the OAuth login initialization endpoint. An attacker can redirect users to external malicious websites by crafting a specially crafted authentication URL. Remediation...

6.1CVSS5.5AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/29 3:19 p.m.14 views

CVE-2025-14616

The Recooty – Job Widget Old Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recootysavemaybe function. This makes it possible for unauthenticated attackers to update the...

4.3CVSS5.8AI score0.00128EPSS
Exploits0References1
Rows per page
Query Builder