Lucene search
K

25 matches found

Cvelist
Cvelist
added 2026/05/23 4:27 a.m.17 views

CVE-2026-6898 WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS0.00244EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/04 12:0 a.m.11 views

Nginx UI 访问控制错误漏洞

Nginx UI is a web interface for Nginx developed by Jacky. In versions 2.0.0 to 2.3.8 of Nginx UI, there was an access control vulnerability. This vulnerability stemmed from the fact that the public/api/install endpoint required no authentication during the first run, allowing unauthenticated...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2
OSV
OSV
added 2026/04/01 10:9 p.m.3 views

GHSA-FC4P-P49V-R948 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise

Summary A critical Stored Cross-Site Scripting Stored XSS vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript cod...

9.9CVSS6.2AI score0.00393EPSS
Exploits1References4
Tenable Nessus
Tenable Nessus
added 2026/03/27 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-23921

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL...

8.7CVSS6.2AI score0.0024EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/24 6:28 p.m.3 views

CVE-2026-23921

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data...

8.7CVSS6.1AI score0.0024EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.3 views

PT-2026-27475

Name of the Vulnerable Software and Affected Versions Zabbix versions prior to 7.4.6 Description A Zabbix user with API access can exploit a blind SQL injection in the CApiService.php file. The issue resides in the sortfield parameter, allowing an attacker to execute arbitrary SQL selects. While...

8.7CVSS6.1AI score0.0024EPSS
Exploits0References15
RedhatCVE
RedhatCVE
added 2026/01/09 10:6 a.m.8 views

CVE-2019-20804

Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account...

8.8CVSS5.9AI score0.01081EPSS
Exploits3References1
Cvelist
Cvelist
added 2025/11/24 9:11 a.m.11 views

CVE-2025-12739 Cross-Site Scripting (XSS) in Looker's Extension Loader leading to Admin Account Compromise

An attacker with viewer permissions in Looker could craft a malicious URL that, when opened by a Looker admin, would execute an attacker-supplied script. Exploitation required at least one Looker extension installed on the instance. Looker-hosted and Self-hosted were found to be vulnerable. This...

7.3CVSS0.00268EPSS
Exploits0References1
CVE
CVE
added 2025/11/24 9:11 a.m.14 views

CVE-2025-12739

CVE-2025-12739 involves a Cross-Site Scripting (XSS) vulnerability in Looker’s Extension Loader. An attacker with viewer permissions can craft a malicious URL that, when opened by a Looker administrator, could run attacker-supplied script. Exploitation requires at least one Looker extension insta...

7.3CVSS6.6AI score0.00268EPSS
Exploits0References1
NVD
NVD
added 2025/10/30 6:15 p.m.9 views

CVE-2025-56313

A Reflected Cross-Site Scripting XSS vulnerability was discovered in the /publix/run endpoint of JATOS 3.7.1 through 3.9.6 inclusive. This allows remote attackers to execute arbitrary JavaScript in a user's web browser by including a malicious payload in the "code" URL parameter. When an...

6.1CVSS0.0022EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2019-11341

Malware in sbrugna...

8.8CVSS8.7AI score0.01081EPSS
Exploits3References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2019-4019

Malware in sbrugna...

8.8CVSS8.6AI score0.01634EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.8 views

EUVD-2018-1826

Malware in sbrugna...

5.4CVSS5.5AI score0.00667EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2025/02/21 10:48 p.m.33 views

Leantime allows Stored Cross-Site Scripting (XSS)

Description Leantime allows stored cross-site scripting XSS in the API key name while generating the API key. Impact Any low privileged user like manager, or editor, can create an API key with XSS payload. When admin will visit the Company page, the XSS will automatically get triggerred leading t...

5.2AI score
Exploits0References2Affected Software1
NVD
NVD
added 2022/06/28 2:15 p.m.14 views

CVE-2022-30560

When an attacker obtaining the administrative account and password, or through a man-in-the-middle attack, the attacker could send a specified crafted packet to the vulnerable interface then lead the device to crash...

7.4CVSS0.00789EPSS
Exploits0References1
RubySec
RubySec
added 2021/04/14 12:0 a.m.18 views

Cross-Site Request Forgery (CSRF) in trestle-auth

Impact A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account...

8.1CVSS5.9AI score0.00657EPSS
Exploits0References1Affected Software1
Prion
Prion
added 2020/05/21 10:15 p.m.19 views

Cross site request forgery (csrf)

Gila CMS before 1.11.6 allows CSRF with resultant XSS via the admin/themes URI, leading to compromise of the admin account...

6.8CVSS8.2AI score0.01081EPSS
Exploits3References3Affected Software1
Schneier on Security
Schneier on Security
added 2020/04/06 4:26 p.m.37 views

Emotet Malware Causes Physical Damage

Microsoft is reporting that an Emotet malware infection shut down a network by causing computers to overheat and then crash. The Emotet payload was delivered and executed on the systems of Fabrikam -- a fake name Microsoft gave the victim in their case study -- five days after the employee's user...

1.6AI score
Exploits0
Pen Test Partners Blog
Pen Test Partners Blog
added 2019/12/04 7:36 a.m.54 views

Nuclear Satcoms

The Fukushima Daiichi nuclear incident in 2011 has led to safety changes that may have an interesting knock-on effect on reactor security. Loss of telemetry during the flooding, as a result of the subsequent loss of power, made assessment of the incident hard to manage. Critical data about the...

7.9AI score
Exploits0
CNVD
CNVD
added 2018/03/14 12:0 a.m.2 views

WolfCMS Cross-Site Scripting Vulnerability (CNVD-2018-07056)

Wolf CMS is a lightweight content management system written in PHP. A stored cross-site scripting vulnerability exists in WolfCMS 0.8.3.1 in the Layout Name under the Layout tab. A low-privileged user can exploit this vulnerability to steal cookies from administrative users and compromise the...

5.4CVSS6AI score0.00667EPSS
Exploits1References1
Rows per page
Query Builder