Lucene search
+L

664 matches found

Nuclei
Nuclei
added yesterday24 views

Company Visitor Management System 1.0 - SQL Injection

Company Visitor Management System 1.0 contains a SQL injection vulnerability via the login page in the username parameter. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id...

9.8CVSS7AI score0.02351EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday43 views

Zoo Management System 1.0 - SQL Injection

Zoo Management System 1.0 contains a SQL injection vulnerability via the username parameter on the login page. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

9.8CVSS7AI score0.01721EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday14 views

KevinLAB BEMS 1.0 - SQL Injection

KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through inputid POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information from a database, modify data, and...

9.8CVSS7.1AI score0.08146EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday65 views

ZKTeco BioTime <= 9.0.1 - Privilege Escalation

BioTime default employee credentials password 123456 allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files. id: CVE-2023-38952 info: name: ZKTeco BioTime = 9.0.1 - Privilege Escalation author: riteshs4hu severity: high...

9.8CVSS6.9AI score0.03258EPSS
Exploits2References3
CVE
CVE
added 2 days ago19 views

CVE-2026-50183

CVE-2026-50183 refers to a stored XSS in WWBN/AVideo via the YouTubeAPI plugin (versions 29.0 and below). The vulnerability occurs because the plugin renders YouTube data API field snippet.title into the homepage gallery without HTML encoding, allowing an attacker who controls a YouTube video mat...

4.7CVSS6AI score0.00162EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago37 views

CVE-2026-50183 WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set ...

4.7CVSS0.00162EPSS
Exploits0References2
CVE
CVE
added 3 days ago6 views

CVE-2026-58476

Sustainable Irrigation Platform (SIP) 5.2.16 is affected by a CSRF vulnerability that allows a remote attacker to trigger state-changing administrative actions by enticing a logged-in administrator to visit a malicious page. The issue arises because HTTP GET requests lack CSRF token validation or...

8.1CVSS6.1AI score0.00228EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 3 days ago26 views

CVE-2026-58319 Apache Doris: Improper Authentication in Frontend HTTP API

Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...

0.00614EPSS
Exploits0References1
CVE
CVE
added 3 days ago11 views

CVE-2026-58319

CVE-2026-58319 concerns Apache Doris Frontend (FE) HTTP REST administrative APIs that were reachable without authentication. The available data states an unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially compromis...

9.1CVSS6.1AI score0.00614EPSS
Exploits0References2Affected Software1
NVD
NVD
added 4 days ago6 views

CVE-2026-61502

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS0.00182EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-61502 Rejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS0.00182EPSS
Exploits0References2
CVE
CVE
added 4 days ago8 views

CVE-2026-61502

CVE-2026-61502 affects Rejetto HFS versions 3.0.0 through 3.2.0. The root cause is that state-changing API requests can be issued via GET and are exempt from the anti-CSRF header check, enabling a remote attacker to perform administrative actions (e.g., account creation, configuration changes) an...

5.1CVSS6.4AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 4 days ago4 views

CVE-2026-61502 Rejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS6.4AI score0.00182EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/22 7:32 p.m.11 views

CVE-2026-10601

A flaw was found in the Tempo and Loki datasource plugins. A remote attacker with a Viewer role could exploit a path traversal vulnerability by manipulating user-supplied input in URL paths. This could allow the attacker to capture sensitive administrator-configured datasource credentials, invoke...

5.4CVSS5.9AI score0.00258EPSS
Exploits0References4
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.47 views

TeamCity < 2023.11.4 - Authentication Bypass

In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible id: CVE-2024-27199 info: name: TeamCity 2023.11.4 - Authentication Bypass author: DhiyaneshDk severity: high description: | In JetBrains TeamCity before 2023.11.4 path traversal allowing t...

9.8CVSS8.4AI score0.99991EPSS
Exploits25References2
Cvelist
Cvelist
added 2026/06/15 12:0 p.m.34 views

CVE-2016-20083 WordPress More Fields Plugin 2.1 Cross-Site Request Forgery

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...

6.9CVSS0.00138EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/15 12:0 p.m.11 views

EUVD-2016-10895

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...

6.9CVSS5.2AI score0.00138EPSS
Exploits0References3
NVD
NVD
added 2026/06/13 6:16 p.m.20 views

CVE-2026-12183

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...

9.8CVSS0.00548EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/13 5:36 p.m.31 views

CVE-2026-12183

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...

9.8CVSS0.00548EPSS
Exploits0References4
CVE
CVE
added 2026/06/13 5:36 p.m.52 views

CVE-2026-12183

CVE-2026-12183 affects Nefteprodukttekhnika BUK TS-G Gas Station Automation System versions 2.9.1–2.10.2 on Linux. The vulnerability is an improper authentication (CWE-287) in the system configuration module: the /php/ajax-login.php endpoint can return userid=1 (administrator) for any HTTP POST w...

9.8CVSS5.7AI score0.00548EPSS
Exploits0References4
Rows per page
Query Builder