Lucene search
K

7057 matches found

CVE
CVE
added 4 hours ago5 views

CVE-2026-15067

Snowflake Terraform Provider before 2.18.0 is affected by SQL injection via an unsanitized data source input that can cause arbitrary SQL execution within the provider’s privileged Snowflake session, potentially enabling data exfiltration and creation of long‑lived credentials. DDL injection in u...

8.8CVSS6.2AI score
Exploits0References1
Cvelist
Cvelist
added 4 hours ago6 views

CVE-2026-15067 Multiple Security Vulnerabilities in Terraform Provider for Snowflake Could Allow Privilege Escalation and Unauthorized Snowflake Account Takeover

Snowflake Terraform Provider versions prior to 2.18.0 contain several security vulnerabilities, including SQL injection via an unsanitized data source input could result in arbitrary SQL execution under the provider's privileged Snowflake session, potentially enabling sensitive data exfiltration...

8.8CVSS
Exploits0References1
Nuclei
Nuclei
added 14 hours ago78 views

WWBN AVideo 11.6 - Cross-Site Scripting

A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution. id: CVE-2023-48728 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: ritikchaddha severity: medium...

9.6CVSS7AI score0.02268EPSS
Exploits1References2
Nuclei
Nuclei
added 14 hours ago36 views

WordPress Stacks Mobile App Builder <=5.2.3 - Authentication Bypass

Stacks Mobile App Builder WordPress plugin ≤ 5.2.3 suffers from an authentication bypass vulnerability via improper handling of query parameters, allowing attackers to impersonate arbitrary users. id: CVE-2024-50477 info: name: WordPress Stacks Mobile App Builder =5.2.3 - Authentication Bypass...

9.8CVSS6AI score0.07959EPSS
Exploits3References4
Nuclei
Nuclei
added 14 hours ago73 views

ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. id:...

8.1CVSS7.3AI score0.0852EPSS
Exploits1References5
Nuclei
Nuclei
added 14 hours ago88 views

Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to chan...

9.8CVSS7.5AI score0.18241EPSS
Exploits3References4
Nuclei
Nuclei
added 14 hours ago43 views

Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation

Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator PRNG in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens. id: CVE-2024-29868 info: name: Apache StreamPipes ...

9.1CVSS5.9AI score0.05995EPSS
Exploits1References4
NVD
NVD
added 14 hours ago9 views

CVE-2026-9701

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the eventerverificationcode user meta field when a user requests a password reset. The plaintext key...

9.8CVSS
Exploits0References2
NVD
NVD
added yesterday5 views

CVE-2026-55076

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-55076

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS6AI score
Exploits0References8Affected Software1
Cvelist
Cvelist
added yesterday22 views

CVE-2026-55076 Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...

7.4CVSS
Exploits0References7
CVE
CVE
added yesterday12 views

CVE-2026-55076

Coder’s CVE-2026-55076 describes an OIDC callback flaw where the email_verified claim was checked with a direct Go bool assertion. If an IdP returns a non-boolean value (e.g., "false") or omits the claim, the check can pass incorrectly, in combination with an unconditional email-based account fal...

7.4CVSS6AI score
Exploits0References7
NVD
NVD
added yesterday5 views

CVE-2026-55075

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-55075

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS6AI score
Exploits0References8Affected Software1
CVE
CVE
added yesterday12 views

CVE-2026-55075

Coder’s OIDC login flaw leads to account takeover via email-based user matching and improper handling of email_verified. Before versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two issues exist: (1) email-based matching could link by email without confirming an existing link to a different IdP subjec...

7.4CVSS6AI score
Exploits0References7
Cvelist
Cvelist
added yesterday19 views

CVE-2026-55075 Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, two flaws in Coder's OIDC login chained into account takeover. Email-based user matching fell back to linking by email without checking for an existing link...

7.4CVSS
Exploits0References7
NVD
NVD
added yesterday7 views

CVE-2026-13020

A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an...

8.1CVSS
Exploits0References1
Nuclei
Nuclei
added yesterday67 views

Flowise <= 3.0.5 - Account Takeover

Flowise versions 3.0.5 and earlier had a vulnerability in the forgot-password endpoint, which returned valid reset tokens without authentication—allowing attackers to reset passwords and take over accounts. id: CVE-2025-58434 info: name: Flowise = 3.0.5 - Account Takeover author:...

9.8CVSS6.8AI score0.50118EPSS
Exploits14References2
Nuclei
Nuclei
added yesterday55 views

SysAid On-Prem <= 23.3.40 - XML External Entity

SysAid On-Prem versions = 23.3.40 are vulnerable to an unauthenticated XML External Entity XXE vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives. id: CVE-2025-2776 info: name: SysAid On-Prem = 23.3.40 - XML External Enti...

9.8CVSS7.4AI score0.72971EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday58 views

ClinicCases 7.3.3 Cross-Site Scripting

ClinicCases 7.3.3 is susceptible to multiple reflected cross-site scripting vulnerabilities that could allow unauthenticated attackers to introduce arbitrary JavaScript by crafting a malicious URL. This can result in account takeover via session token theft. id: CVE-2021-38704 info: name:...

6.1CVSS6.4AI score0.03521EPSS
Exploits1References5
Rows per page
Query Builder