Lucene search
K

87115 matches found

Talos Blog
Talos Blog
added 2026/04/07 12:3 p.m.5 views

Talos Takes: 2025's ransomware trends and zombie vulnerabilities

Join Amy and Pierre Cadieux as they unpack the ransomware and vulnerability trends that defined 2025. From the persistent ransomware threats targeting the manufacturing sector to the rise of stealthy living-off-the-land tactics, we break down what these shifts mean for your defense strategy. Why...

5.9AI score
Exploits0
NVD
NVD
added 2026/04/07 11:16 a.m.5 views

CVE-2026-4420

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...

5.4CVSS0.00161EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/07 10:52 a.m.2 views

CVE-2026-5641

A vulnerability was found in PHPGurukul Online Shopping Portal Project 2.1. The impacted element is an unknown function of the file /admin/update-image1.php of the component Parameter Handler. The manipulation of the argument filename results in sql injection. The attack may be performed from...

6.5CVSS5.6AI score0.00196EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 10:52 a.m.4 views

CVE-2026-5639

A flaw has been found in PHPGurukul Online Shopping Portal Project 2.1. Impacted is an unknown function of the file /admin/update-image3.php of the component Parameter Handler. Executing a manipulation of the argument filename can lead to sql injection. The attack can be executed remotely. The...

6.5CVSS5.8AI score0.00246EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 10:51 a.m.5 views

CVE-2026-5643

A vulnerability was identified in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This impacts an unknown function of the file /admin/Add%20notice/notice.php of the component Admin Add Endpoint. Such manipulation of the argument $SERVER'PHPSELF' leads to cross...

4.8CVSS4.3AI score0.00206EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 10:51 a.m.5 views

CVE-2026-5647

A vulnerability was detected in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /admin/adminfeature.php of the component Add Product Page. The manipulation of the argument productname results in cross site scripting. The attack may be launched remotely. The exploit i...

4.8CVSS4.4AI score0.00206EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/07 10:51 a.m.6 views

CVE-2026-5637

A security vulnerability has been detected in projectworlds Car Rental System 1.0. This vulnerability affects unknown code of the file /messageadmin.php of the component Parameter Handler. Such manipulation of the argument Message leads to sql injection. The attack may be launched remotely. The...

7.5CVSS5.8AI score0.00259EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/07 10:46 a.m.2 views

CVE-2026-4420 Stored XSS via Page Creating functionality in Bludit

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...

5.1CVSS5.8AI score0.00161EPSS
Exploits0References2
CVE
CVE
added 2026/04/07 10:46 a.m.13 views

CVE-2026-4420

Summary: CVE-2026-4420 affects Bludit with a Stored XSS in the “page creating” flow. An authenticated user with page-creation privileges (Author/Editor/Admin) can insert a malicious script into the tags field when creating an article. The payload executes when a victim visits the uploaded resourc...

5.4CVSS5.8AI score0.00161EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/07 9:31 a.m.3 views

EUVD-2026-19574

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS7.2AI score0.0054EPSS
Exploits1References3
OSV
OSV
added 2026/04/07 8:43 a.m.6 views

BIT-DISCOURSE-2026-32143 Discourse: Admin-only report can be exported by moderators

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for...

6.5CVSS5.7AI score0.00234EPSS
Exploits0References3
NVD
NVD
added 2026/04/07 7:16 a.m.8 views

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS0.0054EPSS
Exploits1References2
PyPA
PyPA
added 2026/04/07 7:16 a.m.10 views

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS7.3AI score0.0054EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/04/07 7:16 a.m.2 views

CVE-2025-15611

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

5.4CVSS0.00136EPSS
Exploits1References1
OSV
OSV
added 2026/04/07 7:16 a.m.16 views

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS5.8AI score0.0054EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/07 6:19 a.m.4 views

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS7.2AI score0.0054EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/07 6:19 a.m.2 views

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS7.2AI score0.0054EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/07 6:19 a.m.27 views

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

9.8CVSS0.0054EPSS
Exploits1References2
CVE
CVE
added 2026/04/07 6:19 a.m.16 views

CVE-2026-1114

CVE-2026-1114 affects parisneo/lollms 2.1.0. The issue is an improper access control flaw caused by signing JWTs with a weak secret key, enabling an offline brute‑force to recover the key. With the cracked secret, an attacker can forge administrative tokens, modify the JWT payload, and resigns to...

9.8CVSS7.2AI score0.0054EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 6:0 a.m.1 views

CVE-2025-15611 Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

6AI score0.00136EPSS
Exploits1References1
Rows per page
Query Builder