Lucene search
+L

3154 matches found

EUVD
EUVD
added 10 hours ago5 views

EUVD-2026-45122

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with...

6.4CVSS6.2AI score
Exploits0References3
Nuclei
Nuclei
added yesterday46 views

JoomSport <= 5.7.7 - SQL Injection

The JoomSport WordPress plugin through 5.7.7 is vulnerable to unauthenticated time-based blind SQL injection via the 'sortf' GET parameter in the player list view. The parameter value is backtick-wrapped and directly concatenated into an ORDER BY clause. id: CVE-2026-42647 info: name: JoomSport =...

9.3CVSS6.1AI score0.01323EPSS
Exploits1References4
CVE
CVE
added 3 days ago32 views

CVE-2026-48801

Linkify-it (linkify-it) prior to version 5.0.1 has an O(N^2) scan loop in LinkifyIt.prototype.match, making inputs with many fuzzy links or emails vulnerable to resource exhaustion on a request hot path that renders untrusted Markdown with linkify: true. The issue arises from re-slicing input and...

8.7CVSS6.1AI score0.00445EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago28 views

CVE-2026-58475 Sustainable Irrigation Platform 5.2.16 Stored XSS via Program Name

Sustainable Irrigation Platform SIP through version 5.2.16 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject arbitrary JavaScript by supplying malicious script payloads within program names submitted via HTTP requests. Attackers can exploit the...

6.1CVSS0.00214EPSS
Exploits2References2
NVD
NVD
added 4 days ago7 views

CVE-2026-61970

Server-Side Request Forgery SSRF vulnerability in Themeisle Auto Featured Image Auto Post Thumbnail auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image Auto Post Thumbnail: from n/a through = 5.0.4...

4.9CVSS0.00119EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-57695 WordPress Document Gallery plugin <= 5.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through = 5.1.0...

7.1CVSS0.00184EPSS
Exploits0References1
CVE
CVE
added 4 days ago12 views

CVE-2026-11964

Affected software: User Registration & Membership WordPress plugin (prior to 5.2.2). Vulnerability: The plugin does not verify the authenticity of incoming payment-provider webhook notifications, enabling unauthenticated attackers to forge a payment-approved event. Impact: This can activate a pai...

9.1CVSS6.1AI score0.00261EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 4 days ago5 views

Linux Distros Unpatched Vulnerability : CVE-2026-40468

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Integer overflow vulnerability has been found in builtin.c program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and...

9.1CVSS6AI score0.00201EPSS
Exploits0References3
NVD
NVD
added last week8 views

CVE-2026-57584

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...

8.7CVSS0.00419EPSS
Exploits0References4
Cvelist
Cvelist
added last week32 views

CVE-2026-57584 Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...

8.7CVSS0.00419EPSS
Exploits0References4
Cvelist
Cvelist
added last week32 views

CVE-2026-54736 Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...

8.2CVSS0.00147EPSS
Exploits0References5
OSV
OSV
added last week4 views

CVE-2026-54736 Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)

Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...

8.2CVSS6.1AI score0.00147EPSS
Exploits0References7
CVE
CVE
added last week9 views

CVE-2026-54736

Technical details (affected versions, root cause specifics, and remediation beyond what is in the Initial Description) are not publicly available in the provided documents; monitor for updates.

8.2CVSS6.1AI score0.00147EPSS
Exploits0References5
OSV
OSV
added last week4 views

CVE-2026-46388 osquery: Unprivileged users can temporarily read file carve contents

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not...

4.4CVSS6.2AI score0.00094EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/10 9:32 a.m.8 views

EUVD-2026-42860

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS6.1AI score0.00254EPSS
Exploits0References4
CVE
CVE
added 2026/07/10 9:32 a.m.9 views

CVE-2026-13010

The CVE-2026-13010 entry concerns the JoomSport plugin for WordPress (Team & League, Football, Hockey & more). Affected versions: all up to and including 5.7.9. Vulnerability type: time-based SQL Injection via the 'event' shortcode attribute, caused by insufficient escaping of the user-supplied p...

6.5CVSS6.1AI score0.00254EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.10 views

PT-2026-57164

Name of the Vulnerable Software and Affected Versions Lucee CFML Server versions 5.3.x Lucee CFML Server versions 6.1.x Lucee CFML Server versions 6.2.x Lucee CFML Server versions 7.0.x Description Reflected cross-site scripting occurs during URL path parsing, allowing unauthenticated remote...

8.2CVSS6.3AI score0.00386EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.6 views

PT-2026-57332

Name of the Vulnerable Software and Affected Versions Phalcon versions prior to 5.15.0 Description In Phalcon MVC applications using a default router, the CLI router, or the /:params placeholder, a built-in route is registered with a compiled PCRE Perl Compatible Regular Expressions pattern...

8.7CVSS6.1AI score0.00419EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/10 12:0 a.m.10 views

PT-2026-57261

Name of the Vulnerable Software and Affected Versions Prowler versions prior to 5.30.3 Description The SAML authentication flow trusts the email domain asserted in a SAMLResponse to determine the recipient tenant of the final token. Additionally, the ACS finish logic in the endpoint...

9.6CVSS6.1AI score0.00296EPSS
Exploits0References9
OSV
OSV
added 2026/07/09 6:34 p.m.3 views

CVE-2026-54002 Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites and plugins that use the writer or list fields or call Dom::sanitize, Sane::sanitize, Sane::Html::sanitize, Sane::Svg::sanitize, Sane::Xml::sanitize, Sane::sanitizeFile, or file sanitizeContents with untruste...

8.5CVSS5.8AI score0.00409EPSS
Exploits0References9
Rows per page
Query Builder