Lucene search
K

111 matches found

CVE
CVE
added 4 days ago7 views

CVE-2025-69154

CVE-2025-69154 affects the SpaLab | Beauty Salon WordPress Theme up to version 6.7. It is an unauthenticated Cross-Site Scripting (XSS) vulnerability in the theme. The CVSS v3.1 base score is 7.1 (HIGH) with network attack, no privileges required, user interaction required, and low impacts to con...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-54967

Name of the Vulnerable Software and Affected Versions SpaLab Beauty Salon WordPress Theme versions 6.7 and earlier Description An unauthenticated Cross Site Scripting XSS issue exists, allowing attackers to execute malicious scripts in the browser of other users without requiring prior...

7.1CVSS6AI score0.0018EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-359 InvokeAI has External Control of File Name or Path

Path Traversal Vulnerability in InvokeAI A path traversal vulnerability in InvokeAI versions 6.7.0 allows an unauthenticated remote attacker to read files outside the intended media directory via the bulk downloads API. The endpoint accepts a user-controlled file/item name and concatenates it int...

9.8CVSS7.5AI score0.00353EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/23 4:14 p.m.6 views

EUVD-2026-38500

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery...

8.8CVSS6.6AI score0.0045EPSS
Exploits1References1
NVD
NVD
added 2026/06/15 9:17 p.m.10 views

CVE-2026-49078

Unauthenticated Other Vulnerability Type in WP Travel Engine = 6.7.10 versions...

7.5CVSS0.00252EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/15 8:19 p.m.7 views

EUVD-2026-36877

Unauthenticated Other Vulnerability Type in WP Travel Engine = 6.7.10 versions...

7.5CVSS5.2AI score0.00252EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 10:17 p.m.10 views

CVE-2026-48011

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

3.7CVSS0.00223EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.14 views

PT-2026-46068

Name of the Vulnerable Software and Affected Versions Active IQ Config Advisor version 6.7.3 Description Hard-coded credentials exist within the software, which could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. Recommendations At the moment,...

8.8CVSS5.8AI score0.00237EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/05/13 8:42 p.m.9 views

CVE-2026-45054 CubeCart: Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions Listing

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page admin.php?g=orders&node=transactions builds a raw ORDER BY SQL fragment from the attacker-controlled $GET'sort' array without column or direction validation. Both the column key and the directio...

4.9CVSS6.1AI score0.00239EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/13 8:42 p.m.49 views

CVE-2026-45054 CubeCart: Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions Listing

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page admin.php?g=orders&node=transactions builds a raw ORDER BY SQL fragment from the attacker-controlled $GET'sort' array without column or direction validation. Both the column key and the directio...

4.9CVSS0.00239EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/13 8:42 p.m.8 views

EUVD-2026-30171

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page admin.php?g=orders&node=transactions builds a raw ORDER BY SQL fragment from the attacker-controlled $GET'sort' array without column or direction validation. Both the column key and the directio...

4.9CVSS6.1AI score0.00239EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/13 8:40 p.m.7 views

CVE-2026-44376 CubeCart: Reflected XSS in Store Search Bar

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.php, user input is reflected without sanitization only when a search returns exactly one product...

6.1CVSS5.8AI score0.00697EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/06 11:14 p.m.8 views

Improper Verification of Cryptographic Signature

Overview axonflow is an AxonFlow Python SDK - Enterprise AI Governance in 3 Lines of Code Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of exposure of the HMAC-SHA256 signing key in the SDK's typed API, which prevents...

8.2CVSS5.8AI score
Exploits0References3
Cvelist
Cvelist
added 2026/05/02 11:16 a.m.33 views

CVE-2026-6817 Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'

The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ratereason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

5.8CVSS0.00228EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/04 8:25 a.m.3 views

CVE-2026-2437

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wtetriptax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS6.1AI score0.00159EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/13 8:3 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
NVD
NVD
added 2026/03/13 7:54 p.m.14 views

CVE-2026-32342

Cross-Site Request Forgery CSRF vulnerability in Ays Pro Quiz Maker quiz-maker allows Cross Site Request Forgery.This issue affects Quiz Maker: from n/a through = 6.7.1.2...

4.3CVSS0.00107EPSS
Exploits0References1
CVE
CVE
added 2026/03/06 6:46 a.m.33 views

CVE-2026-28804

CVE-2026-28804 affects pypdf prior to 6.7.5. A crafted PDF that uses the /ASCIIHexDecode filter can cause long runtimes (DoS) when decoding streams. This vulnerability is resolved by upgrading to pypdf 6.7.5 or later, as noted in multiple sources (NVD/NIST entry, IBM Watson Discovery Cartridge ad...

6.9CVSS5.8AI score0.00399EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/27 9:43 p.m.3 views

CVE-2026-28414 Gradio has Absolute Path Traversal on Windows with Python 3.13+

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ change...

7.5CVSS6AI score0.03095EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/27 9:43 p.m.23 views

CVE-2026-28414 Gradio has Absolute Path Traversal on Windows with Python 3.13+

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ change...

7.5CVSS0.03095EPSS
Exploits1References1
Rows per page
Query Builder