Lucene search
K

2419 matches found

Nuclei
Nuclei
added 2 days ago404 views

JFrog Artifactory 6.7.3 - Admin Login Bypass

JFrog Artifactory 6.7.3 is vulnerable to an admin login bypass issue because by default the access-admin account is used to reset the password of the admin account. While this is only allowable from a connection directly from localhost, providing an X-Forwarded-For HTTP header to the request allo...

9.8CVSS7AI score0.53879EPSS
Exploits3References5
Nuclei
Nuclei
added 2 days ago28 views

SonicWall Email Security <= 10.0.9.x - Unauthenticated Admin Account Creation

SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. id: CVE-2021-20021 info: name: SonicWall Email Security = 10.0.9.x - Unauthenticated Admin Account Creation author: pussycat0x severity: critical...

9.8CVSS7.1AI score0.83425EPSS
Exploits0References2
CVE
CVE
added 3 days ago6 views

CVE-2026-12761

Summary (CVE-2026-12761) The miniOrange Social Login and Register plugin for WordPress is vulnerable through the Profile Completion OTP flow in versions up to and including 7.7.0. The flow accepts an arbitrary email via the email_field POST parameter and does not verify that the email belongs to ...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57277

Name of the Vulnerable Software and Affected Versions miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn versions prior to 7.7.1 Description An authentication bypass exists in the Profile Completion flow that allows for account takeover. The issue occurs because the plugin...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References12
CVE
CVE
added 4 days ago7 views

CVE-2026-55207

CVE-2026-55207 affects Pimcore: an unauthenticated attacker who knows a valid admin username can hijack an admin account by abusing a malicious resetPasswordUrl in a password reset request. The server generates a real cryptographic recovery token, appends it to the attacker-controlled URL, emails...

8.8CVSS6AI score0.0035EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-54801

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.20, SICORE Base system All versions V26.20.0. The affected application contains insufficient validation of authentication credentials when processing administrative account modifications through the we...

8.6CVSS0.0034EPSS
Exploits0References1
NVD
NVD
added 4 days ago4 views

CVE-2026-14245

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...

9.8CVSS0.00586EPSS
Exploits0References10
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42543

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...

9.8CVSS6AI score0.00586EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 4 days ago6 views

PT-2026-56933

Name of the Vulnerable Software and Affected Versions Pimcore versions prior to 2025.4.6 Pimcore versions prior to 2026.1.6 Description An unauthenticated attacker who knows a valid admin username can take over an admin account by sending a password reset request containing an attacker-controlled...

8.8CVSS6.1AI score0.0035EPSS
Exploits0References7
Nuclei
Nuclei
added 2026/07/03 1:39 p.m.55 views

Palo Alto Expedition - Admin Account Takeover

Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. id: CVE-2024-5910 info: name: Palo Alto Expedition - Admin Account Takeover author: johnk3r severity: critical...

9.8CVSS7.4AI score0.91783EPSS
Exploits9References3
EUVD
EUVD
added 2026/06/27 4:30 a.m.9 views

EUVD-2026-39943

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravelinvoiceeditaccount AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wpajaxnoprivpravelinvoiceeditaccount, accepts an attacker-controlled...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/27 12:30 a.m.17 views

EUVD-2026-39925

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access...

9.3CVSS5.8AI score0.00569EPSS
Exploits0References3
NVD
NVD
added 2026/06/26 11:17 p.m.14 views

CVE-2026-31928

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access...

9.8CVSS0.00569EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/26 10:52 p.m.38 views

CVE-2026-31928 Daktronics Controller Firmware Use of Hard-coded Credentials

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access...

9.3CVSS0.00569EPSS
Exploits0References2
CVE
CVE
added 2026/06/26 10:52 p.m.18 views

CVE-2026-31928

The CVE-2026-31928 entry concerns DMP-5000 devices shipped with a default administrative web account and weak authentication controls that are not required to be changed during initial configuration or operation, enabling full system access if exploited. The issue is tied to hard-coded/default cr...

9.8CVSS5.8AI score0.00569EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.15 views

PT-2026-52988

Name of the Vulnerable Software and Affected Versions DMP-5000 affected versions not specified Description Devices are shipped with a default administrative web account that utilizes weak authentication controls. These credentials are not required to be changed during the initial configuration or...

9.8CVSS5.8AI score0.00569EPSS
Exploits0References8
CVE
CVE
added 2026/06/25 7:8 p.m.26 views

CVE-2026-57520

Bitwarden Server prior to 2026.5.0 is affected by a privilege-escalation vulnerability in the bulk user-remove endpoint. The issue arises from a missing role hierarchy check, allowing authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by supplying...

7.1CVSS5.9AI score0.00354EPSS
Exploits1References5Affected Software1
Snyk
Snyk
added 2026/06/18 3:4 p.m.2 views

External Initialization of Trusted Variables or Data Stores

Overview Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores in the installation process when the Forwarded, X-Client-IP, or X-Real-IP headers are set by a reverse proxy. An attacker can gain unauthorized administrative access by remotel...

9.1CVSS5.7AI score0.00545EPSS
Exploits0References2
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.238 views

Ivanti Endpoint Manager Mobile (EPMM) - Authentication Bypass

Ivanti Endpoint Manager Mobile EPMM, formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available. id: CVE-2023-35078 info...

10CVSS8.8AI score0.99999EPSS
Exploits14References5
NVD
NVD
added 2026/06/15 8:16 a.m.14 views

CVE-2026-8935

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin acces...

9.8CVSS0.00268EPSS
Exploits0References1
Rows per page
Query Builder