Lucene search
K

14 matches found

Cvelist
Cvelist
added 2026/06/24 5:33 a.m.39 views

CVE-2026-12416 Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the pravelinvoicechangepassword function being registered as a nopriv AJAX handler with no nonce verification and no authorization check, and...

9.8CVSS0.00364EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.11 views

PT-2026-51674

Name of the Vulnerable Software and Affected Versions Invoice Generator plugin for WordPress versions prior to 1.0.1 Description The Invoice Generator plugin for WordPress allows unauthenticated account takeover through a flaw in the password reset process. The pravel invoice change password...

9.8CVSS5.9AI score0.00364EPSS
Exploits1References15
CVE
CVE
added 2026/05/28 4:25 p.m.26 views

CVE-2026-9095

Casdoor CVE-2026-9095 affects versions 2.362.0 and earlier. The ParseSamlResponse() in object/saml_sp.go maps retrieved SAML assertions directly to user sessions without replay protection, lacking an assertion ID cache, OneTimeUse enforcement, or replay detection in the SAML SP code path. This en...

8.1CVSS5.9AI score0.00298EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2025/11/18 6:24 p.m.10 views

LibreNMS has Weak Password Policy

Summary A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and...

3.7CVSS7.4AI score0.00227EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2025/11/01 4:27 a.m.11 views

CVE-2025-5949 Service Finder Bookings <= 6.0 - Authenticated (Subscriber+) Privilege Escalation via change_candidate_password

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to processing a password change request. This makes it possible for...

8.8CVSS0.00342EPSS
Exploits0References2
OSV
OSV
added 2025/10/24 12:0 a.m.4 views

CVE-2025-60954

Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts...

8.3CVSS6.9AI score0.00417EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/08/20 5:33 p.m.25 views

CVE-2025-55296

librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting XSS vulnerability exists in LibreNMS = 25.6.0 in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template...

5.5CVSS5.1AI score0.00817EPSS
Exploits1References1
NVD
NVD
added 2025/08/18 6:15 p.m.7 views

CVE-2025-55296

librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting XSS vulnerability exists in LibreNMS = 25.6.0 in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template...

5.5CVSS0.00817EPSS
Exploits1References2
CNNVD
CNNVD
added 2025/04/10 12:0 a.m.5 views

Octopus Deploy 安全漏洞

Octopus Deploy is an automation tool for .NET, Java and other application development and deployment from Octopus Australia. A security vulnerability exists in Octopus Deploy that stems from the fact that the server can be induced to send requests containing authentication material, which could...

8.8CVSS6.9AI score0.00328EPSS
Exploits0References1
BDU FSTEC
BDU FSTEC
added 2023/06/26 12:0 a.m.6 views

The software vulnerabilities of the EcoStruxure EV Charging Expert parking charging stations allow a violator to modify system settings or user accounts.

The vulnerability of the EcoStruxure EV Charging Expert parking charging station software is related to incorrect restrictions on the visible layers or frames of the user interface. Exploiting this vulnerability could allow an attacker to remotely modify system settings or user accounts...

8.5CVSS7.2AI score0.00938EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2023/04/28 8:47 p.m.14 views

CVE-2023-29058

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions...

6.4CVSS6.5AI score0.0036EPSS
Exploits0References1
OSV
OSV
added 2022/01/10 4:15 p.m.2 views

CVE-2021-25032

The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a...

9.8CVSS5.9AI score0.06745EPSS
Exploits2References2
BDU FSTEC
BDU FSTEC
added 2016/09/19 12:0 a.m.4 views

The vulnerability of Google Chrome browser allows a perpetrator to exploit it to access user accounts.

The vulnerability of the net/proxy/proxyservice.cc file for Google Chrome Proxy Auto-Config PAC extensions does not guarantee that the information is limited to a script, host, and port. Exploiting this vulnerability could allow a malicious actor to access user accounts by manipulating the server...

4.3CVSS7.7AI score0.0152EPSS
Exploits0References4Affected Software1
BDU FSTEC
BDU FSTEC
added 2016/07/06 12:0 a.m.8 views

The vulnerability of the Windows operating system, allowing a perpetrator to execute arbitrary code

The vulnerability in GDI+, related to the processing of specially crafted images, allows for remote execution of code provided that the user opens a specially crafted image. Exploiting this vulnerability enables a malicious individual to gain full control over the system. They can then install...

9.3CVSS5.9AI score0.2022EPSS
Exploits0References3
Rows per page
Query Builder