Lucene search
K

56 matches found

Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-4275 Divi Torque Lite <= 4.2.3 - Cross-Site Request Forgery to Arbitrary Plugin Installation via 'install_plugin' REST Endpoint

The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...

8.8CVSS0.00187EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added last week6 views

CVE-2026-48947 Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints

An improper access check allows privileged users to overwrite media files without editing permissions...

6.4CVSS6AI score0.00197EPSS
Exploits0References1
Cvelist
Cvelist
added last week33 views

CVE-2026-48947 Joomla! Core - [20260701] - Incorrect Access Control in com_media webservice endpoints

An improper access check allows privileged users to overwrite media files without editing permissions...

6.4CVSS0.00197EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-48958

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00262EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added last week7 views

CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints

An improper access check allows unauthorized users to create custom fields via webservices endpoints...

6.4CVSS6AI score0.00262EPSS
Exploits0References1
CVE
CVE
added 2026/07/03 4:30 a.m.21 views

CVE-2026-12557

CVE-2026-12557 affects the Ninja Forms - File Uploads plugin for WordPress. All versions up to 3.3.29 allow an unauthenticated user to bypass authorization, enabling reads of plugin debug logs stored in the wp_nf3_log table and permanent deletion of log rows via the debug-log/delete-all and debug...

5.3CVSS5.8AI score0.00223EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/10 2:59 p.m.13 views

CVE-2026-8045

CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints...

7.1CVSS5.4AI score0.00233EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/06 3:28 a.m.9 views

CVE-2026-8839 MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via MappressApi::restapiinit, where the GET...

5.3CVSS5.5AI score0.00813EPSS
Exploits0References24
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.11 views

CVE-2026-35223

An improper access check allows unauthorized access to comconfig webservice endpoints...

9.8CVSS5.5AI score0.00348EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/05 6:31 p.m.13 views

EUVD-2026-34887

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::getuserpermissions, which returns the same null sentinel f...

9.8CVSS5.4AI score0.02841EPSS
Exploits1References9
ATTACKERKB
ATTACKERKB
added 2026/06/05 6:31 p.m.9 views

CVE-2026-10580

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::getuserpermissions, which returns the same null sentinel f...

9.8CVSS5.4AI score0.02841EPSS
Exploits1References10
ATTACKERKB
ATTACKERKB
added 2026/05/28 8:29 p.m.10 views

CVE-2026-42071

Mantis Bug Tracker MantisBT is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint...

7.2CVSS5.8AI score0.0026EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/05/27 7:45 a.m.13 views

EUVD-2026-32115

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notifyccss and /wp-json/litespeed/v1/notifyucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notificatio...

7.2CVSS5.8AI score0.00359EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.12 views

Joomla! CMS 访问控制错误漏洞

Joomla! CMS is a content management system developed under the open source Joomla! framework. The Joomla! CMS has a vulnerability related to access control, which stems from improper access checks. This vulnerability may allow unauthorized access to the comconfig web service endpoints...

9.8CVSS5.8AI score0.00348EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.12 views

Joomla! CMS 访问控制错误漏洞

Joomla! CMS is a content management system developed under the open source Joomla! framework. The Joomla! CMS has a vulnerability related to access control. This vulnerability arises from improper access checks, allowing unauthorized users to elevate their privileges by editing Web service...

9.8CVSS5.8AI score0.00292EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 12:0 a.m.42 views

CVE-2026-38587

An Insecure Direct Object Reference IDOR vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions User or Guest to retrieve sensitive information, such as the Owner's unique...

0.00221EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/16 5:38 a.m.15 views

Resource Exhaustion

XWiki Platform is vulnerable to Resource Exhaustion. The vulnerability is due to missing query limits in REST API endpoints that enumerate database list properties, which allows an attacker to exhaust server resources by triggering large unbounded queries on large wiki instances...

8.2CVSS5.8AI score0.00405EPSS
Exploits0References3Affected Software2
ATTACKERKB
ATTACKERKB
added 2026/04/15 12:1 a.m.5 views

CVE-2026-40104

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...

6.9CVSS5.8AI score0.00405EPSS
Exploits0References4Affected Software2
RedhatCVE
RedhatCVE
added 2026/04/02 10:53 a.m.5 views

CVE-2026-23899

An improper access check allows unauthorized access to webservice endpoints...

8.8CVSS5.9AI score0.00401EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/01 12:31 p.m.4 views

EUVD-2026-17863

An improper access check allows unauthorized access to webservice endpoints...

8.6CVSS5.9AI score0.00401EPSS
Exploits0References2
Rows per page
Query Builder