Lucene search
K

1696 matches found

Cvelist
Cvelist
added yesterday19 views

CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through = 2.5...

9.8CVSS0.00564EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday11 views

Giga Messenger WordPress - Cross-Site Scripting

Giga Messenger WordPress plugin = 2.3.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

6.1CVSS7AI score0.00567EPSS
Exploits1References2
CVE
CVE
added 4 days ago6 views

CVE-2026-59193

Grav CMS is a file-based web platform. Before version 2.0.0, an authenticated admin.super user could trigger a denial of service by uploading a specially crafted ZIP via the Direct Install tool, because Installer::unZip uses ZipArchive::extractTo without limits on uncompressed size, entry count, ...

6.9CVSS6.1AI score0.0039EPSS
Exploits1References3Affected Software1
NVD
NVD
added 4 days ago7 views

CVE-2026-54149

MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chatpipeline/step/chatstep/impl/basechatstep.py do not consistently validate MCP transport type, allowing an...

8.8CVSS0.00384EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-42809

A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released...

6.5CVSS6.2AI score0.00209EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-15330

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function buildimagecontent/downloadtodataurl of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack c...

7.5CVSS6.6AI score0.00352EPSS
Exploits0References9Affected Software1
NVD
NVD
added 5 days ago8 views

CVE-2026-6910

The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bookeroproducts shortcode's hideproducts and filterproducts attributes in versions up to and including 2.2. This is due to insufficient input sanitization and output escaping in the...

6.4CVSS0.00212EPSS
Exploits0References6
NVD
NVD
added 6 days ago10 views

CVE-2026-59892

OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...

7.5CVSS0.00436EPSS
Exploits0References3
CVE
CVE
added 6 days ago10 views

CVE-2026-55668

The CVE affects File Browser’s ScopedFs component prior to version 2.63.16. An authenticated user with Create and Modify permissions can trigger ScopedFs to validate the nearest existing ancestor of a dangling symlink and then follow the symlink during file creation, allowing attacker‑controlled ...

6.3CVSS6AI score0.00269EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 6 days ago9 views

PT-2026-56564

Name of the Vulnerable Software and Affected Versions NATS Server versions prior to 2.14.0 NATS Server versions prior to 2.12.7 NATS Server versions prior to 2.11.16 Description An authenticated user can receive messages on denied subjects. This occurs when a wildcard subscription overlaps with a...

6.5CVSS6.1AI score0.00465EPSS
Exploits0References12
Cvelist
Cvelist
added last week28 views

CVE-2026-50530 DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS0.00238EPSS
Exploits0References3
OSV
OSV
added last week3 views

PYSEC-2026-1041 TensorFlow vulnerable to `CHECK` fail in `FractionalMaxPoolGrad`

Impact FractionalMaxPoolGrad validates its inputs with CHECK failures instead of with returning errors. If it gets incorrectly sized inputs, the CHECK failure can be used to trigger a denial of service attack: python import tensorflow as tf overlapping = True originput = tf.constant.453409232,...

5.9CVSS5.9AI score0.00396EPSS
Exploits0References7
CVE
CVE
added 2026/07/06 8:59 p.m.14 views

CVE-2026-14468

Terraform Enterprise contains a vulnerability in its VCS ingestion of registry modules where the boundary on packaged module content was not correctly enforced. An authenticated user could include files from outside the intended repository content in a module and then download them, potentially e...

7.7CVSS6AI score0.00295EPSS
Exploits0References1
Snyk
Snyk
added 2026/07/04 11:13 a.m.5 views

Improper Resource Shutdown or Release

Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the RRCInactiveTransitionReport function of the NGAP Message Handler component. An attacker can cause a service disruption by sending specially crafted messages remotely. Remediation Upgrade...

5.3CVSS6AI score0.00522EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/04 11:13 a.m.5 views

Improper Resource Shutdown or Release

Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the RRCInactiveTransitionReport function of the NGAP Message Handler component. An attacker can cause a service disruption by sending specially crafted messages remotely. Remediation Upgrade...

5.3CVSS6AI score0.00522EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/04 10:15 a.m.9 views

EUVD-2026-41663

A vulnerability was identified in omec-project amf up to 2.0.2/2.1.1. Impacted is an unknown function of the file /go/src/amf/ngap/handler.go of the component NGSetupRequest Handler. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit is public...

5.3CVSS5.4AI score0.00317EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/03 7:53 a.m.7 views

EUVD-2026-41521

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value...

5.4CVSS6.3AI score0.00255EPSS
Exploits0References4
CVE
CVE
added 2026/07/02 7:43 p.m.13 views

CVE-2026-59100

CVE-2026-59100 affects LobeChat up to version 2.2.9. It describes a broken object level authorization allowing authenticated attackers to access and modify other users’ chat-group agent data by supplying arbitrary group identifiers. Attackers can call getGroupAgents, updateAgentInGroup, and remov...

5CVSS5.9AI score0.0018EPSS
Exploits0References4
NVD
NVD
added 2026/07/02 12:17 p.m.4 views

CVE-2026-57357

Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...

7.1CVSS0.00191EPSS
Exploits0References1
NVD
NVD
added 2026/07/02 11:16 a.m.11 views

CVE-2026-54431

In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...

5.1CVSS0.00128EPSS
Exploits0References3
Rows per page
Query Builder