105 matches found

NVD (added 2026/06/17 2:17 p.m.)

CVE-2025-69166

Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions...

CVSS 8.1 | EPSS 0.00435 | Exploits 0 | References 1

NVD (added 2026/06/17 1:19 p.m.)

CVE-2025-69108

Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions...

CVSS 9.8 | EPSS 0.00525 | Exploits 0 | References 1

CVE (added 2026/06/16 8:57 p.m.)

CVE-2026-39557

CVE-2026-39557 describes an unauthenticated PHP Object Injection in the WordPress NeoBeat theme, version ≤ 1.7. The underlying issue is a PHP object injection vulnerability in NeoBeat’s code path, enabling unauthenticated attackers to potentially manipulate objects and achieve arbitrary code exec...

CVSS 8.1 | AI score 5.3 | EPSS 0.00395 | Exploits 0 | References 1

Positive Technologies (added 2026/06/16 12:00 a.m.)

PT-2026-50103

Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions...

CVSS 8.1 | AI score 5.4 | EPSS 0.00395 | Exploits 0 | References 2

RedhatCVE (added 2026/06/05 7:28 p.m.)

CVE-2026-4141

The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quranplaylistoptions function that handles the plugin's settings page. The function processes POST requests to update...

CVSS 4.3 | AI score 5.3 | EPSS 0.0016 | Exploits 0 | References 1

RedhatCVE (added 2026/06/05 7:20 p.m.)

CVE-2026-41649

Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both collectionId and documentId are provided in the request, the authorization logic only checks...

CVSS 7.7 | AI score 5.5 | EPSS 0.00293 | Exploits 1 | References 1

CVE (added 2026/06/05 5:53 p.m.)

CVE-2026-45745

Termix Desktop (Electron) versions starting with 1.7.0 have disabled TLS certificate validation, enabling network-level MITM to intercept/modify HTTPS traffic to the Termix server and potentially steal credentials and JWT/session data during login and normal use. No patched versions are publicly ...

CVSS 8 | AI score 5.5 | EPSS 0.00168 | Exploits 1 | References 1 | Affected Software 1

CVE (added 2026/06/02 2:00 a.m.)

CVE-2026-10567

The CVE concerns 1Panel-dev CordysCRM up to version 1.4.1. The vulnerability is in ModuleFormController/ModuleFormService.java (Save function); manipulating the Description argument leads to cross-site scripting (XSS). Exploitation is possible remotely and the exploit has been disclosed publicly....

CVSS 5.1 | AI score 4.1 | EPSS 0.00237 | Exploits 0 | References 9

Patchstack (added 2026/05/26 7:51 a.m.)

WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Hot Coffee versions <= 1.7...

AI score 5.8 | EPSS 0.00525 | Exploits 0 | Affected Software 1

ATTACKERKB (added 2026/05/14 6:44 a.m.)

CVE-2026-6271

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes...

CVSS 9.8 | AI score 6.4 | EPSS 0.00665 | Exploits 1 | References 5

Cvelist (added 2026/05/14 6:44 a.m.)

CVE-2026-6271 Career Section <= 1.7 - Unauthenticated Arbitrary File Upload

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes...

CVSS 9.8 | EPSS 0.00665 | Exploits 1 | References 4

Positive Technologies (added 2026/05/14 12:00 a.m.)

PT-2026-40890

The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. This is due to missing file type validation. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes...

CVSS 9.8 | AI score 6.4 | EPSS 0.00665 | Exploits 1 | References 5

Vulnrichment (added 2026/05/11 9:06 p.m.)

CVE-2026-43886 Outline: OAuth Scope Validation Logic Error Allows Privilege Escalation to Wildcard API Access

Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, a logic error in OAuthInterface.validateScope uses Array.some to validate requested OAuth scopes, causing the function to accept the entire scope array if any single scope is valid. An attacker can smuggle the...

CVSS 8.2 | AI score 5.8 | EPSS 0.00211 | Exploits 0 | References 1

Cvelist (added 2026/04/22 7:45 a.m.)

CVE-2026-4133 TextP2P Texting Widget <= 1.7 - Cross-Site Request Forgery to Settings Update

The TextP2P Texting Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.7. This is due to missing nonce validation in the imTextP2POptionPage function which processes settings updates. The form at line 314 does not include a wpnoncefield,...

CVSS 4.3 | EPSS 0.00156 | Exploits 0 | References 5

Amazon (added 2026/04/13 12:00 a.m.)

Important: ecs-init

Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...

CVSS 9.1 | AI score 6 | EPSS 0.01557 | Exploits 1

CNNVD (added 2026/04/12 12:00 a.m.)

Heatmiser Wifi Thermostat Cross-Site Request Forgery Vulnerability

The Heatmiser Wifi Thermostat is an intelligent temperature control device from the British company Heatmiser, capable of wireless connection and remote control. Version 1.7 of the Heatmiser Wifi Thermostat contains a cross-site request forgery vulnerability. This vulnerability stems from...

CVSS 5.3 | AI score 5.8 | EPSS 0.00129 | Exploits 1 | References 2

Positive Technologies (added 2026/04/09 12:00 a.m.)

PT-2026-31715

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run ...

CVSS 6.8 | AI score 5.9 | EPSS 0.00182 | Exploits 0 | References 4

NVD (added 2026/04/08 7:16 a.m.)

CVE-2026-4141

The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quranplaylistoptions function that handles the plugin's settings page. The function processes POST requests to update...

CVSS 4.3 | EPSS 0.0016 | Exploits 0 | References 5

ATTACKERKB (added 2026/03/30 12:00 a.m.)

CVE-2026-29924

Grav CMS v1.7.x and before is vulnerable to XML External Entity XXE through the SVG file upload functionality in the admin panel and File Manager plugin...

CVSS 7.6 | AI score 5.9 | EPSS 0.00339 | Exploits 0 | References 2

OSV (added 2026/03/27 8:58 p.m.)

CVE-2026-33907 Ella Core Panics during NAS Authentication Response/Failure with missing IEs

Ella Core is a 5G core designed for private networks. Versions prior to 1.7.0 panic when processing Authentication Response and Authentication Failure NAS message missing IEs. An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all...

CVSS 6.5 | AI score 5.9 | EPSS 0.00236 | Exploits 0 | References 5
