Lucene search
K

87071 matches found

ATTACKERKB
ATTACKERKB
added 2026/04/08 2:29 p.m.0 views

CVE-2026-39390

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using striptags with an allowlist and regex-based removal of...

5.5CVSS5.9AI score0.00235EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/08 9:31 a.m.7 views

EUVD-2026-20109

The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quranplaylistoptions function that handles the plugin's settings page. The function processes POST requests to update...

4.3CVSS5.8AI score0.0016EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/08 9:31 a.m.6 views

EUVD-2026-20119

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via updateoption and lack of output escaping when displaying the stored...

4.4CVSS6.1AI score0.00254EPSS
Exploits0References8
NVD
NVD
added 2026/04/08 7:16 a.m.4 views

CVE-2026-3480

The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an adminpost action hook 'wp-blockade-shortcode-render' that maps to the rendershortcodepreview function. This function lacks any capability check...

6.5CVSS0.00342EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/04/08 6:43 a.m.2 views

CVE-2026-4808 Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload

The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access...

7.2CVSS6.6AI score0.00554EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/08 6:43 a.m.21 views

CVE-2026-5169 Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via updateoption and lack of output escaping when displaying the stored...

4.4CVSS0.00254EPSS
Exploits0References7
CVE
CVE
added 2026/04/08 1:24 a.m.6 views

CVE-2026-3499

Product Feed PRO for WooCommerce (AdTribes) for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6–13.5.2.1 due to missing/incorrect nonce validation on AJAX endpoints: ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url...

8.8CVSS5.8AI score0.00165EPSS
Exploits0References2
OSV
OSV
added 2026/04/08 12:16 a.m.0 views

GHSA-92PP-H63X-V22M @hono/node-server: Middleware bypass via repeated slashes in serveStatic

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.8AI score0.00376EPSS
Exploits0References5
NVD
NVD
added 2026/04/08 12:16 a.m.4 views

CVE-2026-4394

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field input.4 in all versions up to, and including, 2.9.30. This is due to the getvalueentrydetail method in the GFFieldCreditCard class outputting the card type value...

6.1CVSS0.00291EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/08 12:4 a.m.5 views

EUVD-2026-19736

pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng...

6.8CVSS5.9AI score0.00142EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/08 12:4 a.m.4 views

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization in the configuration for SSL certificate and key file paths due to incorrect option name checks. An attacker can gain unauthorized...

7.6CVSS5.9AI score0.00142EPSS
Exploits1References2
OSV
OSV
added 2026/04/08 12:4 a.m.6 views

GHSA-PPVX-RWH9-7RJ7 pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng

Summary The ADMINONLYCOREOPTIONS authorization set in setconfigvalue uses incorrect option names sslcert and sslkey, while the actual configuration option names are sslcertfile and sslkeyfile. This name mismatch causes the admin-only check to always evaluate to False, allowing any user with...

6.8CVSS5.9AI score0.00142EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.8 views

PT-2026-31103

Name of the Vulnerable Software and Affected Versions The Inquiry Form to Posts or Pages plugin for WordPress versions up to and including 1.0. Description The Inquiry Form to Posts or Pages plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'Form Header' field. This...

4.4CVSS5.9AI score0.00254EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.3 views

PT-2026-31317

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting cMap field in compInfosPost sanitizes input using strip tags with an allowlist and regex-based removal of...

5.5CVSS5.9AI score0.00235EPSS
Exploits0References2
CNVD
CNVD
added 2026/04/08 12:0 a.m.3 views

OpenClaw has an unspecified vulnerability (CNVD-2026-16694)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause an authenticated operator with only operator.write privileges to access the administrator-specific browser profile management rout...

7.1CVSS5.7AI score0.00288EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.5 views

PT-2026-31280

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References5
CNVD
CNVD
added 2026/04/08 12:0 a.m.3 views

OpenClaw has an unspecified vulnerability (CNVD-2026-16698)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause an attacker with operator.pairing privileges to cast tokens with broader privileges to obtain an operator.admin token and execute...

9.9CVSS7.7AI score0.0054EPSS
Exploits0
CNNVD
CNNVD
added 2026/04/08 12:0 a.m.10 views

CI4MS 安全漏洞

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.4.0 contained security vulnerabilities. These vulnerabilities stemmed from the improper storage and rendering of blacklist remark parameters into HTML attributes, potentially allowing...

4.8CVSS6.1AI score0.0023EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/08 12:0 a.m.18 views

CVE-2025-52222

D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rden, rdauth, rdacct, httphadmin,...

0.00326EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.4 views

PT-2026-31552

Name of the Vulnerable Software and Affected Versions PHPGurukul Online Course Registration version 3.1 Description A security issue exists in PHPGurukul Online Course Registration 3.1 related to the processing of the /admin/check availability.php file. Manipulation of the regno argument can lead...

7.5CVSS7.1AI score0.00254EPSS
Exploits0References12
Rows per page
Query Builder