
87063 matches found

Source: EUVD (added 2026/04/10 2:15 a.m., 5 views)

EUVD-2026-21284

A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument fname leads to cross site scripting. The attack may be performed from remote. The exploit has been...

CVSS 4.8 | AI score 4.2 | EPSS 0.00202
Exploits 0 | References 5
Source: Cvelist (added 2026/04/10 2:15 a.m., 29 views)

CVE-2026-6003 code-projects Simple IT Discussion Forum user.php cross site scripting

A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument fname leads to cross site scripting. The attack may be performed from remote. The exploit has been...

CVSS 4.8 | EPSS 0.00202
Exploits 0 | References 5
Source: ATTACKERKB (added 2026/04/10 1:25 a.m., 2 views)

CVE-2026-4977

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58. This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

CVSS 4.3 | AI score 5.9 | EPSS 0.00297
Exploits 0 | References 9
Source: CVE (added 2026/04/10 1:25 a.m., 9 views)

CVE-2026-4977

The Connected document describes a vulnerability in WordPress Plugin UsersWP (versions ≤ 1.2.58) titled “Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter.” The issue allows an authenticated user (Subscriber+) to modify restricted user metadata through the HTMLV...

CVSS 4.3 | AI score 5.9 | EPSS 0.00297
Exploits 0 | References 8
Source: Cvelist (added 2026/04/10 1:25 a.m., 27 views)

CVE-2026-4977 UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58. This is due to insufficient field-level permission validation in the uploadfileremove AJAX handler whe...

CVSS 4.3 | EPSS 0.00297
Exploits 0 | References 8
Source: Vulnrichment (added 2026/04/10 1:24 a.m., 3 views)

CVE-2026-1263 Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'weblingadminsaveform' and 'weblingadminsavememberlist' functions...

CVSS 6.4 | AI score 5.9 | EPSS 0.00277
Exploits 0 | References 6
Source: CVE (added 2026/04/10 1:24 a.m., 14 views)

CVE-2026-1263

CVE-2026-1263 affects the Webling WordPress plugin up to version 3.9.0. The vulnerability is a Stored Cross-Site Scripting in the title parameter via the functions webling_admin_save_form and webling_admin_save_memberlist. It enables authenticated users with Subscriber-level access and above to ...

CVSS 6.4 | AI score 6.1 | EPSS 0.00277
Exploits 0 | References 6
Source: EUVD (added 2026/04/10 1:24 a.m., 7 views)

EUVD-2026-21248

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'weblingadminsaveform' and 'weblingadminsavememberlist' functions...

CVSS 6.4 | AI score 6.1 | EPSS 0.00277
Exploits 0 | References 6
Source: Cvelist (added 2026/04/10 1:24 a.m., 25 views)

CVE-2026-1263 Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'weblingadminsaveform' and 'weblingadminsavememberlist' functions...

CVSS 6.4 | EPSS 0.00277
Exploits 0 | References 6
Source: Vulnrichment (added 2026/04/10 1:24 a.m., 1 view)

CVE-2026-4057 Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic and makeMediaPrivate functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for editposts capability...

CVSS 4.3 | AI score 5.8 | EPSS 0.00373
Exploits 0 | References 7
Source: Cvelist (added 2026/04/10 1:24 a.m., 23 views)

CVE-2026-2712 WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation

The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the receiveheartbeat function in includes/class-wp-optimize-heartbeat.php in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly...

CVSS 5.4 | EPSS 0.00427
Exploits 0 | References 5
Source: Cvelist (added 2026/04/10 1:15 a.m., 24 views)

CVE-2026-5997 Totolink A7100RU CGI cstecgi.cgi setLoginPasswordCfg os command injection

A vulnerability was detected in Totolink A7100RU 7.4cu.2313b20191024. The impacted element is the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass results in os command injection. It is possible to launch the atta...

CVSS 10 | EPSS 0.01803
Exploits 0 | References 5
Source: Fedora (added 2026/04/10 1:2 a.m., 5 views)

[SECURITY] Fedora 43 Update: cockpit-360-1.fc43

The Cockpit Web Console enables users to administer GNU/Linux servers using a web browser. It offers network configuration, log inspection, diagnostic reports, SELinux troubleshooting, interactive command-line sessions, and more...

CVSS 9.8 | AI score 5.9 | EPSS 0.142
Exploits 3
Source: EUVD (added 2026/04/10 12:30 a.m., 3 views)

EUVD-2026-21225

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via...

CVSS 9.8 | AI score 6.5 | EPSS 0.00551
Exploits 0 | References 6
Source: EUVD (added 2026/04/10 12:30 a.m., 1 view)

EUVD-2026-21142

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privilege...

CVSS 8.1 | AI score 6 | EPSS 0.0028
Exploits 0 | References 4
Source: EUVD (added 2026/04/10 12:30 a.m., 3 views)

EUVD-2026-21118

OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates...

CVSS 7.1 | AI score 6 | EPSS 0.00225
Exploits 0 | References 5
Source: EUVD (added 2026/04/10 12:30 a.m., 5 views)

EUVD-2026-21134

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation ...

CVSS 8.8 | AI score 6.5 | EPSS 0.00458
Exploits 0 | References 5
Source: OSV (added 2026/04/10 12:30 a.m., 3 views)

GHSA-M5JP-P3R5-MFQP Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback...

CVSS 8.1 | AI score 5.8 | EPSS 0.0028
Exploits 0 | References 4
Source: Github Security Blog (added 2026/04/10 12:30 a.m., 5 views)

Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hf68-49fm-59cq. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows...

CVSS 8.8 | AI score 6.3 | EPSS 0.00458
Exploits 0 | References 6 | Affected Software 1
Source: Github Security Blog (added 2026/04/10 12:30 a.m., 12 views)

Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h4jx-hjr3-fhgc. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback...

CVSS 8.8 | AI score 5.8 | EPSS 0.0028
Exploits 0 | References 5 | Affected Software 1