Lucene search
K

125 matches found

Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50801

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.4 Description Missing authorization in the public API allows users to bypass role permission checks. The system only verifies a shared API key header via the hasValidToken function instead of validating individua...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/06/15 5:15 p.m.6 views

NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

NPM: JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases vulnerability discovered by ? in WordPress Npm js-yaml versions = 4.1.1...

5.3CVSS5.8AI score0.00259EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.13 views

PT-2026-48851

A further incomplete fix for a previous advisory CVE-2026-44417 Untrusted JMS configuration can lead to RCE for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions...

5.7AI score0.00646EPSS
Exploits0References2
OSV
OSV
added 2026/06/09 11:16 p.m.6 views

DEBIAN-CVE-2026-46373

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any...

7.5CVSS5.5AI score0.00263EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/06 2:28 a.m.13 views

EUVD-2026-34947

The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP...

6.6CVSS5.9AI score0.0045EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:49 p.m.10 views

CVE-2026-5840

A security flaw has been discovered in PHPGurukul News Portal Project 4.1. Impacted is an unknown function of the file /admin/checkavailability.php. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been...

5.8CVSS5.4AI score0.00202EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/02 12:0 a.m.14 views

PT-2026-45758

Name of the Vulnerable Software and Affected Versions Elementor Website Builder versions prior to 4.1.0 Description A missing authorization issue allows for the exploitation of incorrectly configured access control security levels. Recommendations Update to a version later than 4.1.0...

5.4CVSS5.8AI score0.00145EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/27 12:0 a.m.10 views

CVE-2026-49009

Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal...

5.8AI score0.0052EPSS
Exploits2References2
Vulnrichment
Vulnrichment
added 2026/05/12 7:51 p.m.6 views

CVE-2026-44217 sse-channel: SSE Injection via unsanitized event fields

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id fields are susceptible to event spoofing, where an attacker could inject arbitrary messages into t...

8.7CVSS5.9AI score0.0041EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/11 5:55 p.m.8 views

Malicious code in @b2b-portal/uch (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 89eb419e1f7beb102007973e2d226cb2cb5f534096cbc2be8dc538324f3f19db The package @b2b-portal/uch was found to contain malicious code. Source: ghsa-malware e559f0d2d934ad98bda8c11ca6613644ecf3f2584bee7e75c7edf59ecda35d3...

5.7AI score
Exploits0References1
AlpineLinux
AlpineLinux
added 2026/04/06 4:22 p.m.5 views

CVE-2026-34986

Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption JWE, JSON Web Signature JWS, and JSON Web Token JWT standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption JWE object will panic if t...

7.5CVSS7.1AI score0.00651EPSS
Exploits0
NVD
NVD
added 2026/04/02 3:16 p.m.6 views

CVE-2026-34729

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, there is a stored XSS vulnerability via Regex Bypass in Filter::removeAttributes. This issue has been patched in version 4.1.1...

6.1CVSS0.00241EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/02 2:44 p.m.5 views

CVE-2026-34728

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any...

8.7CVSS5.7AI score0.00693EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/15 1:19 a.m.9 views

CVE-2026-1883

CVE-2026-1883 affects the WordPress plugin Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types. It states that all versions up to 4.1.0 are vulnerable to an Insecure Direct Object Reference (IDOR) in the delete_folders() function due to missing validation on a user-controlle...

4.3CVSS5.8AI score0.00233EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/15 1:19 a.m.46 views

CVE-2026-1883 Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the deletefolders function due to missing validation on a user controlled key. This makes it possibl...

4.3CVSS0.00233EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/05 5:54 a.m.2 views

CVE-2026-27417 WordPress Sweet Date theme < 4.0.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection.This issue affects Sweet Date: from n/a through 4.0.1...

5.8AI score0.00375EPSS
Exploits0References1
NVD
NVD
added 2026/03/04 7:16 a.m.6 views

CVE-2026-2732

The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with...

5.4CVSS0.00223EPSS
Exploits0References5
OSV
OSV
added 2026/02/18 4:16 a.m.6 views

AZL-78014 CVE-2026-27171 affecting package ogdi 4.1.0-9

zlib before 1.3.2 allows CPU consumption via crc32combine64 and crc32combinegen64 because x2nmodp can do right shifts within a loop that has no termination condition...

5.5CVSS5.7AI score0.00204EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/02/17 1:38 a.m.6 views

CVE-2026-2525

A vulnerability has been found in Free5GC up to 4.1.0. This affects an unknown function of the component PFCP UDP Endpoint. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used...

7.5CVSS5.2AI score0.00493EPSS
Exploits1References1
CVE
CVE
added 2026/02/16 1:2 a.m.20 views

CVE-2026-2525

CVE-2026-2525 affects Free5GC up to release 4.1.0. The issue is in an unknown function of the PFCP UDP Endpoint component, where manipulation leads to a remote denial of service. Public disclosure of the exploit is noted, with exploitation maturity described as a Proof-of-Concept in some sources....

7.5CVSS5.4AI score0.00493EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder