Lucene search
+L

1313 matches found

Nuclei
Nuclei
added yesterday41 views

LibreChat <= 0.7.9 - HTML Injection via Accept-Language Header

danny-avila/librechat 0.7.9 contains a stored XSS caused by improper sanitization of the Accept-Language header, letting logged-in users inject arbitrary HTML into the html lang= tag, exploit requires user to be logged in. id: CVE-2025-8848 info: name: LibreChat marker"...

5.4CVSS5.2AI score0.00417EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday11 views

Accept Donations with PayPal <= 1.5.2 - Open Redirect

The Accept Donations with PayPal & Stripe plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.5.2. This is due to insufficient validation on the redirect url supplied. This makes it possible for unauthenticated attackers to redirect users to potentially...

4.7CVSS5.2AI score0.00448EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday47 views

Webmin < 1.920 - Authenticated Remote Code Execution

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialisevariable makes an eval call. NOTE: the WebminServersIndex documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must...

8.8CVSS8.1AI score0.38038EPSS
Exploits4References5
NVD
NVD
added 2 days ago8 views

CVE-2026-49215

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS0.00179EPSS
Exploits0References4
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-45218

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS5.3AI score0.00179EPSS
Exploits0References4
CVE
CVE
added 2 days ago27 views

CVE-2026-49215

The CVE-2026-49215 issue affects symfony/ux-live-component in Symfony UX. The vulnerability stems from isLiveComponentRequest() gating #[LiveAction] based on Accept: application/vnd.live-component+html, a CORS-safelisted header that can be set cross-origin without preflight, allowing forged cross...

2.1CVSS5.3AI score0.00179EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago39 views

CVE-2026-49215 Symfony UX: CSRF Protection Bypass in symfony/ux-live-component — Accept Header is CORS-Safelisted

Symfony UX is a JavaScript ecosystem for Symfony. From 2.22.0 until 2.36.0 and 3.1.0, Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest gates LiveAction invocations on Accept: application/vnd.live-component+html, but the Accept header is CORS-safelisted and...

2.1CVSS0.00179EPSS
Exploits0References4
CVE
CVE
added 6 days ago9 views

CVE-2026-15559

CodeAstro Simple Online Leave Management System 1.0 contains a SQL injection vulnerability in the POST handler: /SimpleOnlineLeave/admin/accept.php, caused by manipulating the argument appid. This allows remote exploitation and is publicly available. The CVE documents do not provide patch/version...

6.5CVSS6.5AI score0.002EPSS
Exploits0References6
NVD
NVD
added 2026/07/10 3:16 p.m.11 views

CVE-2026-56312

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS0.00275EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/10 1:57 p.m.7 views

EUVD-2026-42884

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS6.1AI score0.00275EPSS
Exploits0References2
CVE
CVE
added 2026/07/10 1:57 p.m.8 views

CVE-2026-56312

Capgo before 12.128.2 is affected by an improper validation vulnerability in the accept_invitation endpoint. The issue allows bypassing captcha validation to create user accounts, potentially wasting invite links and enabling unauthorized account creation. Affected product/version: Capgo prior to...

6.9CVSS6.1AI score0.00275EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/10 1:57 p.m.30 views

CVE-2026-56312 Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS0.00275EPSS
Exploits0References2
OSV
OSV
added 2026/07/10 1:57 p.m.4 views

CVE-2026-56312 Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint

Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...

6.9CVSS6.1AI score0.00275EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/02 12:34 p.m.38 views

CVE-2026-5524 Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the doimageupload function where user-supplied input from the acceptFileTypes POST...

9.8CVSS0.00542EPSS
Exploits0References2
CVE
CVE
added 2026/07/02 12:34 p.m.27 views

CVE-2026-5524

The Divi Form Builder plugin for WordPress (versions up to and including 5.1.8) is vulnerable to Unauthenticated Arbitrary File Upload leading to Remote Code Execution. The root cause is insufficient file extension validation in the do_image_upload() function where user-supplied input from accept...

9.8CVSS6AI score0.00542EPSS
In wildExploits0References2
EUVD
EUVD
added 2026/07/02 12:34 p.m.9 views

EUVD-2026-41368

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the doimageupload function where user-supplied input from the acceptFileTypes POST...

9.8CVSS6AI score0.00542EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/07/02 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-53357

"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bluetooth: fix UAF in l2capsockcleanuplisten vs l2capconndel btacceptdequeue unlinks a not- yet-accepted child from the parent accept queue and releasesocks it...

8CVSS7.1AI score0.00249EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 11:17 p.m.11 views

CVE-2026-56331

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

6.9CVSS0.0025EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/30 10:8 p.m.24 views

CVE-2026-56331 Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

6.9CVSS0.0025EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 10:8 p.m.19 views

CVE-2026-56331

Capgo before 12.128.2 is affected by improper error handling in the /private/accept_invitation endpoint. The vulnerability causes HTTP 500 errors instead of safe 4xx responses when magic_invite_string is invalid, potentially leaking internal processing details. Attackers can trigger this using on...

6.9CVSS5.8AI score0.0025EPSS
Exploits0References2
Rows per page
Query Builder