Lucene search
K

2481 matches found

OSV
OSV
added 2026/04/04 9:30 p.m.4 views

GHSA-3QCM-PJ6Q-W4C5 Nodcms contains a cross-site request forgery vulnerability

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

5.3CVSS5.7AI score0.00106EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/04 7:59 p.m.3 views

CVE-2016-20054 Nodcms Cross Site Request Forgery via admin endpoints

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

5.3CVSS5.9AI score0.00106EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/04 7:59 p.m.20 views

CVE-2016-20054 Nodcms Cross Site Request Forgery via admin endpoints

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

5.3CVSS0.00106EPSS
Exploits1References1
NVD
NVD
added 2026/03/31 9:16 p.m.6 views

CVE-2026-3469

A denial-of-service DoS vulnerability exists due to improper input validation in the SonicWall Email Security appliance, allowing a remote authenticated attacker as admin user to cause the application to become unresponsive...

2.7CVSS0.00386EPSS
Exploits0References1
CVE
CVE
added 2026/03/31 8:19 p.m.10 views

CVE-2026-3470

CVE-2026-3470 concerns the SonicWall Email Security appliance, where improper input sanitization allows data corruption in the application database. The issue is triggered by crafted input that can be provided by a remote authenticated attacker who operates as an admin user. Affected component: t...

3.8CVSS5.9AI score0.00321EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/31 8:17 p.m.4 views

CVE-2026-3468

A stored Cross-Site Scripting XSS vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

6AI score0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/31 8:17 p.m.21 views

CVE-2026-3468

A stored Cross-Site Scripting XSS vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

0.00226EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.9 views

PT-2026-29322

Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none...

4.8CVSS5.9AI score0.00258EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.8 views

PT-2026-29346

Name of the Vulnerable Software and Affected Versions SonicWall Email Security affected versions not specified Description A flaw exists in the SonicWall Email Security appliance related to insufficient input validation. This could result in data corruption, potentially allowing a remote attacker...

3.8CVSS5.9AI score0.00321EPSS
Exploits0References4
OSV
OSV
added 2026/03/30 5:49 p.m.4 views

GHSA-73GR-R64Q-7JH4 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php

Summary The categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is entirely skipped, exposing all non-private categories including those restrict...

5.3CVSS5.8AI score0.00319EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:19 p.m.5 views

CVE-2025-67039

An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username...

9.1CVSS5.8AI score0.00323EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:18 p.m.5 views

CVE-2026-3956

A vulnerability was detected in xierongwkhd weimai-wetapp up to 5fe9e8225be4f73f2c5087f134aff657bdf1c6f2. This affects the function getAdmins of the file source-code/src/main/java/com/moke/wp/wxweimai/controller/admin/AdminAdminUserController.java. Performing a manipulation of the argument keywor...

5.8CVSS5.6AI score0.00202EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.5 views

CVE-2026-1286

CWE-502: Deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on workstation when an admin authenticated user opens a malicious project file...

7CVSS6.5AI score0.00315EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/24 6:55 p.m.21 views

CVE-2026-33509 pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the setconfigvalue API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option...

7.5CVSS0.00529EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/18 6:31 p.m.6 views

EUVD-2026-12839

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated...

8.2CVSS5.8AI score0.00248EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/03/18 3:28 p.m.25 views

CVE-2026-2992 KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated...

8.2CVSS0.00248EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/18 3:28 p.m.3 views

CVE-2026-2992

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated...

8.2CVSS5.8AI score0.00248EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/18 3:28 p.m.8 views

CVE-2026-2992 KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated...

8.2CVSS5.8AI score0.00248EPSS
Exploits0References4
CVE
CVE
added 2026/03/18 3:28 p.m.12 views

CVE-2026-2992

The vulnerability affects the KiviCare – Clinic & Patient Management System (EHR) WordPress plugin up to version 4.1.2. A missing authorization flaw exists on the REST endpoint /wp-json/kivicare/v1/setup-wizard/clinic, enabling unauthenticated attackers to create a new clinic and a WordPress user...

8.2CVSS5.8AI score0.00248EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/18 12:0 a.m.7 views

PT-2026-26071

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated...

8.2CVSS5.8AI score0.00248EPSS
Exploits0References7
Rows per page
Query Builder