572787 matches found
CVE-2026-61426
PrasionAI prior to 1.7.3 uses insecure defaults: it binds to all interfaces with no API key and permissive CORS, allowing unauthenticated access. Attacks can read agent instructions/system prompts via GET /api/agents or invoke /api/chat via POST without auth. No explicit remediation details are p...
EUVD-2026-43176
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...
EUVD-2026-43177
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and...
CVE-2026-56296
Cap-go before 12.128.2 has an information disclosure flaw in the public.transfer_app RPC that returns distinct error messages for existing versus non-existing app IDs. This enables unauthenticated attackers to enumerate valid app IDs by observing error message differences when calling transfer_ap...
EUVD-2026-43171
Capgo before 12.128.2 contains an information disclosure vulnerability in the findapikeybyvalue PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/findapikeybyvalue endpoint to retrieve sensitive API k...
CVE-2026-56303
Capgo before 12.128.2 contains an information disclosure in the PostgreSQL function find_apikey_by_value (marked SECURITY DEFINER) that can be executed by the anon role. An unauthenticated caller can hit the /rest/v1/rpc/find_apikey_by_value endpoint to retrieve API key metadata such as user_id, ...
The vulnerability of the Directum RX ECM system, related to deficiencies in access control, allows a perpetrator to compromise data integrity.
The vulnerability of the Directum RX ECM system is related to deficiencies in access control. Exploiting this vulnerability could allow a remote attacker to compromise data integrity...
The vulnerability of the MmMapIoSpace() function in the ThrottleBlood.sys driver allows a hacker to escalate their privileges, execute arbitrary code, or cause a service failure.
The vulnerability of the MmMapIoSpace function in the ThrottleBlood.sys driver, as part of the ThrottleStop utility, is related to open IOCTLs with insufficient access control. Exploiting this vulnerability could allow an attacker to enhance their privileges, execute arbitrary code, or cause...
EUVD-2026-43166
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolvesetOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-leve...
CVE-2026-9282
The connected documents confirm a directory traversal vulnerability in the W3 Total Cache WordPress plugin, affecting all versions up to and including 2.9.4. The issue arises through the setupSources function, enabling unauthenticated attackers to read arbitrary server files that may contain sens...
CVE-2026-15010
The CVE-2026-15010 entry concerns the bbp Style Pack plugin for WordPress, vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 6.4.5 via the Topic Form Additional Fields feature. Root causes are insufficient input sanitization in bsp_topic_fields_form_save(), which wri...
EUVD-2026-43165
The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsptopicfieldsformsave which writes $POST'bsptopicfieldslabeln' directly to...
EUVD-2026-43164
The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive...
CVE-2026-9017
The CVE describes an authorization bypass in the NEX-Forms – Ultimate Forms Plugin for WordPress (vulnerable up to and including 9.2.2). The underlying issue is that the plugin does not properly verify that a user is authorized to perform an action, enabling unauthenticated attackers to overwrite...
CVE-2026-6939
The CVE-2026-6939 entry concerns the CorvusPay WooCommerce Payment Gateway for WordPress. It is vulnerable to Unauthenticated Stored Cross-Site Scripting via the approval_code parameter in all versions up to 2.7.4 due to insufficient input sanitization and output escaping. An unauthenticated REST...
CVE-2026-10041
The CVE-2026-10041 entry concerns the WCFM – Frontend Manager for WooCommerce WordPress plugin (versions
EUVD-2026-43162
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2026-15155
The CVE-2026-15155 entry concerns the WordPress plugin Essential Addons for Elementor (
EUVD-2026-43160
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget...
EUVD-2026-43159
The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...