Lucene search
+L

253 matches found

Vulnrichment
Vulnrichment
added 2026/03/24 2:53 p.m.6 views

CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/23 7:15 p.m.29 views

CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline

Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline myviewpage.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...

8.6CVSS0.00196EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/22 1:38 p.m.5 views

CVE-2019-25599 Backup Key Recovery 2.2.4 Denial of Service via Name Field

Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash wh...

6.9CVSS6AI score0.00123EPSS
Exploits0References3
NVD
NVD
added 2026/03/21 12:16 a.m.5 views

CVE-2026-3572

The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing...

6.1CVSS0.00269EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.7 views

PT-2026-26850

The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or blogname', 'or blogdescription', and 'or admin email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation o...

8.8CVSS5.9AI score0.00341EPSS
Exploits0References4
CVE
CVE
added 2026/03/20 2:42 p.m.9 views

CVE-2026-33312

Vikunja open‑source self-hosted task management platform. Affected: versions 0.20.2 through 2.1.x (prior to 2.2.0). Issue: the DELETE /api/v1/projects/:project/background endpoint checks CanRead instead of CanUpdate, allowing any user with read‑only access to a project to permanently delete its b...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/16 7:32 a.m.3 views

CVE-2026-4225

A security flaw has been discovered in CMS Made Simple up to 2.2.21. Impacted is an unknown function of the file admin/listusers.php of the component User Management Module. Performing a manipulation of the argument Message results in cross site scripting. The attack is possible to be carried out...

4.8CVSS4AI score0.00206EPSS
Exploits0References4
NVD
NVD
added 2026/03/13 7:55 p.m.5 views

CVE-2026-32427

Missing Authorization vulnerability in vowelweb VW Education Lite vw-education-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Education Lite: from n/a through = 2.2.0...

5.3CVSS0.00243EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/13 12:0 a.m.7 views

WordPress plugin Responsive Blocks 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
NVD
NVD
added 2026/03/12 5:16 p.m.13 views

CVE-2026-31841

Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL queries, exposing statements which were...

6.5CVSS0.00178EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/11 11:32 p.m.4 views

CVE-2026-3965 whyour qinglong API express.ts protection mechanism

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The...

6.5CVSS6.1AI score0.00441EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/03/07 7:59 a.m.6 views

CVE-2026-28683

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, if a malicious authenticated user uploads SVG and creates a hotlink for it, they can achieve stored XSS. This issue has been patched in version 2.2.3...

8.7CVSS5.7AI score0.00189EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/06 7:55 a.m.4 views

CVE-2026-27541

Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through = 2.2.6...

7.1CVSS5.8AI score0.00241EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/06 4:45 a.m.41 views

CVE-2026-29061 Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

5.4CVSS0.00116EPSS
Exploits0References2
CVE
CVE
added 2026/03/05 5:53 a.m.24 views

CVE-2026-22479

CVE-2026-22479 describes a missing authorization flaw in the WordPress plugin Easy Post Submission (versions up to 2.4.0). The issue is a Broken Access Control vulnerability allowing exploitation of misconfigured access levels, with the CVSSv3.1 base score of 7.5 (HIGH) and an attack vector of NE...

7.5CVSS5.9AI score0.00323EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/23 6:32 a.m.4 views

CVE-2026-2976

A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...

5.3CVSS4.8AI score0.0031EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/02/23 12:0 a.m.9 views

FastAPI Admin 代码问题漏洞

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling of the useravatarUploadController function in the file...

8.8CVSS6.7AI score0.00294EPSS
Exploits1References4
CVE
CVE
added 2026/02/20 4:49 p.m.16 views

CVE-2026-26093

CVE-2026-26093 affects Owl opds 2.2.0.4, where improper neutralization of special elements in commands leads to a Command Injection via a crafted network request. The issue is documented across multiple feeds (NVD, Red Hat, OSV, CVE lists) with high-severity metrics (CVSS 3.1: 9.8; CVSS 4.0: 8.7)...

9.8CVSS5.5AI score0.01105EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2026/02/20 12:0 a.m.10 views

Owl Cyber Defense OPDS 安全漏洞

Owl Cyber Defense OPDS is a network isolation device developed by Owl Cyber Defense Corporation in the United States. Version 2.2.0.4 of Owl Cyber Defense OPDS contains a security vulnerability, which stems from improper allocation of permissions for critical resources, potentially leading to fil...

6.8CVSS5.8AI score0.00089EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.14 views

PT-2026-20700

Missing Authorization vulnerability in Fahad Mahmood Endless Posts Navigation endless-posts-navigation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Endless Posts Navigation: from n/a through = 2.2.9...

5.5AI score0.00272EPSS
Exploits0References1
Rows per page
Query Builder