Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

86916 matches found

NVD
NVDadded 2026/05/11 5:16 p.m.13 views

CVE-2026-42842

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the...

5.4CVSS0.0015EPSS
Exploits0References2
CVE
CVEadded 2026/05/11 4:32 p.m.14 views

CVE-2026-42312

pyload-ng contains a vulnerability (CVE-2026-42312) where a non-admin user with SETTINGS permission can disable TLS peer/hostname verification by setting general.ssl_verify off. The root cause is that the option is not in the ADMIN_ONLY_CORE_OPTIONS allowlist, so set_config_value() writes are all...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/11 4:32 p.m.8 views

CVE-2026-42312

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

8.8CVSS5.8AI score0.00815EPSS
Exploits5References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/05/11 4:32 p.m.5 views

CVE-2026-42312 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1
Cvelist
Cvelistadded 2026/05/11 4:32 p.m.36 views

CVE-2026-42312 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS0.00174EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/11 4:32 p.m.7 views

EUVD-2026-29120

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1
CVE
CVEadded 2026/05/11 4:30 p.m.9 views

CVE-2026-42313

Summary of CVE-2026-42313 / pyload-ng: A non-admin user with SETTINGS permission can enable a proxy and point pyload at any attacker-controlled host, causing all outbound traffic (downloads, captcha fetch, update checks, plugin HTTP calls) to be routed through that attacker. The vulnerability ste...

8.3CVSS5.8AI score0.00396EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/11 4:30 p.m.4 views

CVE-2026-42313

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains...

8.8CVSS5.8AI score0.00815EPSS
Exploits5References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/05/11 4:30 p.m.7 views

CVE-2026-42313 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains...

8.3CVSS5.8AI score0.00396EPSS
Exploits1References1
Cvelist
Cvelistadded 2026/05/11 4:30 p.m.34 views

CVE-2026-42313 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains...

8.3CVSS0.00396EPSS
Exploits1References1
OSV
OSVadded 2026/05/11 4:17 p.m.9 views

PYSEC-2026-148

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to f...

6.5CVSS5.8AI score0.00174EPSS
Exploits0References1
NVD
NVDadded 2026/05/11 4:17 p.m.17 views

CVE-2026-42613

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the...

9.4CVSS0.00939EPSS
Exploits0References3
NVD
NVDadded 2026/05/11 4:17 p.m.10 views

CVE-2026-42611

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged with the ability to create a page user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visit...

8.9CVSS0.003EPSS
Exploits1References2
NVD
NVDadded 2026/05/11 4:17 p.m.12 views

CVE-2026-42610

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user EX: Content Editor with only pages.update permissions can bypass the existing Twig sandbox restrictions by utilizing the grav'accounts' service. Attacker can programmatically load administrative user objects and extra...

6.5CVSS0.0029EPSS
Exploits1References2
NVD
NVDadded 2026/05/11 4:17 p.m.15 views

CVE-2026-42609

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that alread...

8.1CVSS0.00463EPSS
Exploits1References4
Vulnrichment
Vulnrichmentadded 2026/05/11 3:54 p.m.11 views

CVE-2026-42843 grav-plugin-api: Grav API Privilege Escalation to Super Admin

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References1
CVE
CVEadded 2026/05/11 3:54 p.m.10 views

CVE-2026-42843

The CVE-2026-42843 entry concerns Grav API Plugin for Grav CMS. It describes an insecure direct object reference and logic flaw in UsersController::update that lets any authenticated API user with api.access modify their own permission configuration, potentially escalating to Super Administrator ...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/11 3:52 p.m.4 views

CVE-2026-44737

grav-plugin-admin is the admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the dataheadertitle parameter. As a result,...

6.2CVSS5.8AI score0.00256EPSS
Exploits0References3Affected Software1
CVE
CVEadded 2026/05/11 3:52 p.m.14 views

CVE-2026-44737

Grav grav-plugin-admin is affected by a XSS in the /admin/pages/[page] endpoint, via data[header][title], reported before upgrading to 1.10.49.5. The vulnerability arises from improper validation/sanitization of the data[header][title] parameter, leading to an injected script being reflected in t...

6.2CVSS5.8AI score0.00256EPSS
Exploits0References2
Cvelist
Cvelistadded 2026/05/11 3:52 p.m.34 views

CVE-2026-44737 grav-plugin-admin: Stored Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][title]

grav-plugin-admin is the admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.10.49.5, the application fails to properly validate and sanitize user input in the dataheadertitle parameter. As a result,...

6.2CVSS0.00256EPSS
Exploits0References2
Rows per page
Query Builder