Lucene search
K

3149 matches found

CVE
CVE
added yesterday28 views

CVE-2026-48801

Linkify-it (linkify-it) prior to version 5.0.1 has an O(N^2) scan loop in LinkifyIt.prototype.match, making inputs with many fuzzy links or emails vulnerable to resource exhaustion on a request hot path that renders untrusted Markdown with linkify: true. The issue arises from re-slicing input and...

8.7CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added yesterday46 views

JoomSport <= 5.7.7 - SQL Injection

The JoomSport WordPress plugin through 5.7.7 is vulnerable to unauthenticated time-based blind SQL injection via the 'sortf' GET parameter in the player list view. The parameter value is backtick-wrapped and directly concatenated into an ORDER BY clause. id: CVE-2026-42647 info: name: JoomSport =...

9.3CVSS6.1AI score0.01323EPSS
Exploits1References4
NVD
NVD
added 2 days ago5 views

CVE-2026-61970

Server-Side Request Forgery SSRF vulnerability in Themeisle Auto Featured Image Auto Post Thumbnail auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image Auto Post Thumbnail: from n/a through = 5.0.4...

4.9CVSS0.00119EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago27 views

CVE-2026-57695 WordPress Document Gallery plugin <= 5.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through = 5.1.0...

7.1CVSS0.00184EPSS
Exploits0References1
CVE
CVE
added 2 days ago12 views

CVE-2026-11964

Affected software: User Registration & Membership WordPress plugin (prior to 5.2.2). Vulnerability: The plugin does not verify the authenticity of incoming payment-provider webhook notifications, enabling unauthenticated attackers to forge a payment-approved event. Impact: This can activate a pai...

9.1CVSS6.1AI score0.00261EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2 days ago3 views

Linux Distros Unpatched Vulnerability : CVE-2026-40468

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Integer overflow vulnerability has been found in builtin.c program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and...

9.1CVSS6AI score0.00201EPSS
Exploits0References3
NVD
NVD
added 5 days ago7 views

CVE-2026-57584

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...

8.7CVSS0.00419EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-57584 Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...

8.7CVSS0.00419EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-54736 Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...

8.2CVSS0.00147EPSS
Exploits0References5
OSV
OSV
added 5 days ago4 views

CVE-2026-54736 Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...

8.2CVSS6.1AI score0.00147EPSS
Exploits0References7
CVE
CVE
added 5 days ago7 views

CVE-2026-54736

Technical details (affected versions, root cause specifics, and remediation beyond what is in the Initial Description) are not publicly available in the provided documents; monitor for updates.

8.2CVSS6.1AI score0.00147EPSS
Exploits0References5
OSV
OSV
added 5 days ago3 views

CVE-2026-46388 osquery: Unprivileged users can temporarily read file carve contents

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not...

4.4CVSS6.2AI score0.00094EPSS
Exploits0References6
CVE
CVE
added 5 days ago9 views

CVE-2026-13010

The CVE-2026-13010 entry concerns the JoomSport plugin for WordPress (Team & League, Football, Hockey & more). Affected versions: all up to and including 5.7.9. Vulnerability type: time-based SQL Injection via the 'event' shortcode attribute, caused by insufficient escaping of the user-supplied p...

6.5CVSS6.1AI score0.00254EPSS
Exploits0References4
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-42860

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS6.1AI score0.00254EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago10 views

PT-2026-57164

Name of the Vulnerable Software and Affected Versions Lucee CFML Server versions 5.3.x Lucee CFML Server versions 6.1.x Lucee CFML Server versions 6.2.x Lucee CFML Server versions 7.0.x Description Reflected cross-site scripting occurs during URL path parsing, allowing unauthenticated remote...

8.2CVSS6.3AI score0.00386EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-57261

Name of the Vulnerable Software and Affected Versions Prowler versions prior to 5.30.3 Description The SAML authentication flow trusts the email domain asserted in a SAMLResponse to determine the recipient tenant of the final token. Additionally, the ACS finish logic in the endpoint...

9.6CVSS6.1AI score0.00296EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-57332

Name of the Vulnerable Software and Affected Versions Phalcon versions prior to 5.15.0 Description In Phalcon MVC applications using a default router, the CLI router, or the /:params placeholder, a built-in route is registered with a compiled PCRE Perl Compatible Regular Expressions pattern...

8.7CVSS6.1AI score0.00419EPSS
Exploits0References8
OSV
OSV
added 6 days ago2 views

CVE-2026-54002 Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize, Sane::sanitize, Sane::Html::sanitize, Sane::Svg::sanitize, Sane::Xml::sanitize, Sane::sanitizeFile, or file sanitizeContents with untruste...

8.5CVSS5.8AI score0.00409EPSS
Exploits0References9
NVD
NVD
added 6 days ago10 views

CVE-2026-61343

LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0...

8.6CVSS0.0084EPSS
Exploits1References5
CVE
CVE
added 6 days ago15 views

CVE-2026-61343

CVE-2026-61343 — LibreBooking : The email template editor’s save action passes the submitted template name directly into the destination file path. This allows an administrator-authenticated attacker to write arbitrary files outside the template directory and execute code. This vulnerability affe...

8.6CVSS6.2AI score0.0084EPSS
Exploits1References5
Rows per page
Query Builder