Lucene search
K

78 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.10 views

CVE-2026-45192

A bug in the GET /api/v2/connections/connectionid REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's extra JSON blob under field names not present in the redaction allowlist DEFAULTSENSITIVEFIELDS —...

6.5CVSS5.4AI score0.0041EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2026/06/05 12:0 a.m.44 views

📄 Lyrion Music Server 9.2.0 Arbitrary Directory Listing

Lyrion Music Server version 9.2.0 exposes a readdirectory query through both its CLI service TCP port 9090 and its HTTP JSON-RPC endpoint /jsonrpc.js that takes a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default...

6.9CVSS5.7AI score0.00294EPSS
Exploits2
Vulnrichment
Vulnrichment
added 2026/05/28 6:45 a.m.12 views

CVE-2026-8682 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/05/26 2:45 a.m.42 views

CVE-2026-9524 xianrendzw EasyReport REST Endpoint execute sql injection

A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early...

6.5CVSS0.00246EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.10 views

MaxKB 访问控制错误漏洞

MaxKB is an open-source question-answering system based on large language models and RAG, developed by 1Panel-dev. Prior to MaxKB 2.9.0, there was an access control vulnerability. This vulnerability stemmed from the Webhook trigger endpoint/api/trigger/v1/webhook/triggerid, which allowed access...

7.5CVSS5.9AI score0.00271EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.10 views

PT-2026-43180

A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522 Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted earl...

6.5CVSS6.4AI score0.00246EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/21 7:35 a.m.12 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query. An attacker can access sensitive information, including model names, version descriptions, source URIs, tags, and other...

7.1CVSS6.6AI score0.00441EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/20 8:23 a.m.10 views

EUVD-2026-31072

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters 'modelname', 'modelid', 'integrationid', 'provider' on the REST API endpoint '/surecart/v1/integrations/id'. The root cause is a flawed escaping bypass in the query builder 'wp-query-builder'...

9.3CVSS6AI score0.00338EPSS
Exploits0References1
NVD
NVD
added 2026/05/20 7:16 a.m.19 views

CVE-2026-7385

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

5.8CVSS0.00271EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/30 12:0 a.m.8 views

4D Server 代码问题漏洞

4D Server is a database server platform developed by the French company 4D. There are code vulnerabilities in 4D Server. These vulnerabilities stem from weaknesses in the XML parser function of the SOAP endpoint, allowing unauthenticated attackers to gain read access to files on the application...

8.7CVSS6.1AI score0.00447EPSS
Exploits2References2
Vulnrichment
Vulnrichment
added 2026/04/23 8:28 a.m.5 views

CVE-2026-5464 ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process

The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...

7.2CVSS5.8AI score0.00695EPSS
Exploits0References5
NVD
NVD
added 2026/04/07 7:16 a.m.4 views

CVE-2026-1900

The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates...

6.5CVSS0.00186EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 6:0 a.m.25 views

CVE-2026-1900 Link Whisper Free < 0.9.1 - Unauthenticated Settings and User Meta Update

The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates...

0.00186EPSS
Exploits1References1
NVD
NVD
added 2026/04/06 7:16 a.m.5 views

CVE-2026-5632

A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be...

7.5CVSS0.00414EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/06 6:45 a.m.0 views

CVE-2026-5632 assafelovic gpt-researcher HTTP REST API Endpoint missing authentication

A vulnerability was found in assafelovic gpt-researcher up to 3.4.3. This impacts an unknown function of the component HTTP REST API Endpoint. Performing a manipulation results in missing authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be...

7.5CVSS6.7AI score0.00414EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/01 12:31 p.m.4 views

EUVD-2026-17855

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint...

6.9CVSS6AI score0.00341EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.5 views

CVE-2026-2375

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the verifyrole function in AuthTrails.php explicitly whitelisting the wcfmvendor role alongside subscriber and...

6.5CVSS5.8AI score0.0028EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/21 1:24 a.m.2 views

CVE-2026-4302 WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permissioncallback of returntrue that...

7.2CVSS5.9AI score0.00299EPSS
Exploits0References10
CVE
CVE
added 2026/03/21 1:24 a.m.9 views

CVE-2026-4302

The WowOptin: Next-Gen Popup Maker plugin for WordPress is affected by Server-Side Request Forgery (SSRF) in versions up to and including 1.4.29. The vulnerability stems from a publicly accessible REST API endpoint (optn/v1/integration-action) that uses a permissive permission_callback (__return_...

7.2CVSS5.9AI score0.00299EPSS
Exploits0References10
CNNVD
CNNVD
added 2026/03/18 12:0 a.m.5 views

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . StudioCMS suffers from an information disclosure vulnerability that stems from the use of an attacker-controlled rank query parameter in the REST API getUsers endpoint, which can be exploited by an attacker to cause an administrator...

2.7CVSS5.7AI score0.00375EPSS
Exploits1References3
Rows per page
Query Builder