Lucene search
K

301 matches found

NVD
NVD
added 2026/05/14 3:16 p.m.28 views

CVE-2026-42457

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

9CVSS0.00312EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/14 2:48 p.m.6 views

CVE-2026-42457

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

9CVSS6AI score0.00312EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/14 2:48 p.m.9 views

EUVD-2026-30301

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

9CVSS6AI score0.00312EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 8:24 a.m.18 views

EUVD-2026-30257

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the isadmincreationprocess method relying solely on the presence of action=createuser in the $REQUEST superglobal without performing any...

5.3CVSS5.8AI score0.00445EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.9 views

PT-2026-40894

Name of the Vulnerable Software and Affected Versions User Registration & Membership plugin for WordPress versions prior to 5.1.6 Description An issue exists where the is admin creation process function relies exclusively on the presence of the action=createuser parameter within the $ REQUEST...

5.3CVSS5.8AI score0.00445EPSS
Exploits1References4
NVD
NVD
added 2026/05/10 1:16 p.m.38 views

CVE-2021-47932

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcpregisterandloginajax action with tcprole set to...

9.8CVSS0.00403EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/10 12:43 p.m.48 views

CVE-2021-47932 WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcpregisterandloginajax action with tcprole set to...

9.8CVSS0.00403EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.7 views

CVE-2026-40350

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints /settings/users and use them to enumerate all users and create a new administrator account. This happens because the route...

8.8CVSS5.7AI score0.00441EPSS
Exploits1References1
NVD
NVD
added 2026/04/09 8:16 p.m.6 views

CVE-2026-35063

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

8.8CVSS0.0024EPSS
Exploits0References1
NVD
NVD
added 2026/04/07 11:16 a.m.5 views

CVE-2026-4420

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...

5.4CVSS0.00161EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/07 10:46 a.m.2 views

CVE-2026-4420 Stored XSS via Page Creating functionality in Bludit

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...

5.1CVSS5.8AI score0.00161EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/07 12:0 a.m.5 views

CVE-2026-31272

MRCMS 3.1.2 contains an access control vulnerability. The save method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication...

5.9AI score0.00577EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/03 9:37 p.m.6 views

Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity

Summary According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design. However, the critical...

9.4CVSS6AI score0.00418EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/03/17 9:31 a.m.5 views

EUVD-2026-12547

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account...

9.8CVSS5.9AI score0.0045EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/17 7:29 a.m.31 views

CVE-2026-4312 DrangSoft|GCB/FCB Audit Software - Missing Authentication

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account...

9.8CVSS0.0045EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/03/14 2:43 a.m.163 views

Exploit for Missing Encryption of Sensitive Data in Nginxui Nginx_Ui

CVE-2026-27944 POC: Nginx UI Unauthenticated Backup Download +...

9.8CVSS5.9AI score0.22162EPSS
Exploits13
NVD
NVD
added 2026/03/12 9:16 p.m.8 views

CVE-2026-3611

The Honeywell IQ4x building management controller, exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest level 100 context, granting read/write...

10CVSS0.05585EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/12 2:49 p.m.4 views

EUVD-2026-11375

StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts...

4.7CVSS5.8AI score0.003EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/12 2:49 p.m.9 views

StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts

Summary The REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts...

7.2CVSS5.9AI score0.003EPSS
Exploits1References3Affected Software1
GithubExploit
GithubExploit
added 2026/03/10 12:28 a.m.191 views

Exploit for CVE-2026-1492

CVE-2026-1492 CVE-2026-1492 poc -...

9.8CVSS7.5AI score0.25532EPSS
Exploits2
Rows per page
Query Builder