Lucene search
K

6296 matches found

Nuclei
Nuclei
added 15 hours ago35 views

MStore API <= 3.9.1 - Authentication Bypass

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated...

9.8CVSS7AI score0.03805EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago19 views

Emby Server - Authentication Bypass

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system,...

9.1CVSS6.9AI score0.01713EPSS
Exploits0References2
Nuclei
Nuclei
added 15 hours ago17 views

OpenBullet2 <= 0.3.2 - Authentication Bypass

OpenBullet2 = 0.3.2 contains an authentication bypass caused by improper API key authentication middleware handling empty X-Api-Key header, letting unauthenticated attackers gain admin access, exploit requires sending empty X-Api-Key header. id: CVE-2026-25555 info: name: OpenBullet2 = 0.3.2 -...

9.8CVSS6.1AI score0.01509EPSS
Exploits1References2
Nuclei
Nuclei
added 15 hours ago13 views

FUXA <= 1.2.7 - Hardcoded JWT Secret Authentication Bypass

FUXA v1.2.7 contains a hardcoded credentials vulnerability caused by use of a hard-coded secret key in server/api/jwt-helper.js, letting remote attackers forge admin tokens and bypass authentication, exploit requires no special conditions. id: CVE-2025-69971 info: name: FUXA = 1.2.7 - Hardcoded J...

9.8CVSS6.1AI score0.02036EPSS
Exploits0References3
Nuclei
Nuclei
added 15 hours ago25 views

Four-Faith F3x36 - Authentication Bypass

Four-Faith F3x36 router with firmware v2.0.0 contains an authentication bypass caused by hard-coded credentials in the administrative web server, letting attackers with knowledge of credentials gain administrative access via crafted HTTP requests. id: CVE-2024-9643 info: name: Four-Faith F3x36 -...

9.8CVSS7AI score0.0293EPSS
Exploits0References2
Nuclei
Nuclei
added 15 hours ago10 views

AffiliateImporterEb <= 1.0.6 - Reflected XSS

AffiliateImporterEb WordPress plugin through 1.0.6 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12732 info: name: AffiliateImporterEb =...

6.1CVSS6.1AI score0.00521EPSS
Exploits1References1
Nuclei
Nuclei
added 15 hours ago30 views

WP Directory Kit <= 1.4.4 - Authentication Bypass

The WP Directory Kit plugin for WordPress version 1.4.4 and below contains an authentication bypass vulnerability in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access by exploiting a cryptographically weak token generation mechanism tha...

10CVSS7AI score0.0472EPSS
Exploits3References4
Nuclei
Nuclei
added 15 hours ago66 views

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The Plus Addons for Elementor plugin before version 4.1.7 allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive. id: CVE-2021-24175 info: name: The Plus Addons for Elementor Pag...

9.8CVSS7AI score0.14462EPSS
Exploits3References2
Nuclei
Nuclei
added 15 hours ago16 views

Profile Builder < 3.4.9 - Improper Authentication

The Profile Builder plugin before 3.4.9 for WordPress allows unauthenticated attackers to gain administrative access by exploiting an improper authentication vulnerability in the password reset functionality. An attacker can reset the password of any user, including administrators, without proper...

10CVSS7AI score0.07696EPSS
Exploits2References2
Nuclei
Nuclei
added 15 hours ago71 views

Controlled Admin Access WordPress Plugin <= 1.4.0 - Improper Access Control & Privilege Escalation

An Improper Access Control vulnerability was discovered in the plugin. Uncontrolled access to the website customization functionality and global CMS settings, like /wp-admin/customization.php and /wp-admin/options.php, can lead to a complete compromise of the target resource. id: CVE-2021-24215...

10CVSS7AI score0.09733EPSS
Exploits2References5
Nuclei
Nuclei
added 15 hours ago74 views

ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. id:...

8.1CVSS7.1AI score0.0852EPSS
Exploits1References5
Nuclei
Nuclei
added 15 hours ago26 views

Simple User Registration <= 6.3 - Unauthenticated Privilege Escalation

The Simple User Registration plugin ≤ 6.3 is vulnerable to privilege escalation. It lacks proper restrictions on user meta values during registration. Unauthenticated attackers can exploit this to register as administrators. id: CVE-2025-4334 info: name: Simple User Registration = 6.3 -...

9.8CVSS6.1AI score0.02055EPSS
Exploits5References1
Nuclei
Nuclei
added 15 hours ago16 views

WSO2 - Server Side Request Forgery

WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services...

5.9CVSS6.2AI score0.00583EPSS
Exploits0References1
Nuclei
Nuclei
added 15 hours ago74 views

ReCrystallize Server - Authentication Bypass

This vulnerability allows an attacker to bypass authentication in the ReCrystallize Server application by manipulating the 'AdminUsername' cookie. This gives the attacker administrative access to the application's functionality, even when the default password has been changed. id: CVE-2024-26331...

7.5CVSS6AI score0.49322EPSS
Exploits0References4
CVE
CVE
added yesterday24 views

CVE-2026-62422

CVE-2026-62422 affects JetBrains YouTrack, with authentication bypass via direct database access that enables administrative access. Affects: YouTrack builds listed in the entry (before 2026.1.13757; 2025.3.148033; 2025.2.148048; 2025.1.148120; 2024.3.148430; 2024.2.148429). The entry does not pr...

10CVSS6.1AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2025-15665

The Ultimate Before After Image Slider & Gallery WordPress plugin before 4.7.1 does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end the value is passed through doshortcode, which echoes non-shortcode content verbatim, allowing users with...

5.4CVSS6.1AI score0.00158EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-61500 Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key

Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random generator and discloses outputs of the same generator to unauthenticated clients during login. A remote attacker can collect a small number of login responses, reconstruct the generator's...

9.8CVSS0.00747EPSS
Exploits0References2
OSV
OSV
added 2 days ago5 views

CVE-2026-61500 Rejetto HFS < 3.2.1 Session Forgery via Predictable Signing Key

Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random generator and discloses outputs of the same generator to unauthenticated clients during login. A remote attacker can collect a small number of login responses, reconstruct the generator's...

9.3CVSS6.5AI score0.00747EPSS
Exploits0References5
NVD
NVD
added 4 days ago5 views

CVE-2026-14262

The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload only...

8.8CVSS0.00393EPSS
Exploits0References6
NVD
NVD
added 5 days ago7 views

CVE-2026-59155

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud...

6.9CVSS0.00304EPSS
Exploits0References3
Rows per page
Query Builder