Lucene search

87129 matches found

EUVD (added 2026/04/07 9:31 a.m., 3 views)

EUVD-2026-19574

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | AI score 7.2 | EPSS 0.0054
Exploits: 1 | References: 3
OSV (added 2026/04/07 8:43 a.m., 6 views)

BIT-DISCOURSE-2026-32143 Discourse: Admin-only report can be exported by moderators

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3, and 2026.2.0 to before 2026.2.2, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could expose sensitive operational data intended only for...

CVSS 6.5 | AI score 5.7 | EPSS 0.00234
Exploits: 0 | References: 3
NVD (added 2026/04/07 7:16 a.m., 8 views)

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | EPSS 0.0054
Exploits: 1 | References: 2
PyPA (added 2026/04/07 7:16 a.m., 10 views)

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | AI score 7.3 | EPSS 0.0054
Exploits: 1 | References: 2 | Affected Software: 1
NVD (added 2026/04/07 7:16 a.m., 2 views)

CVE-2025-15611

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

CVSS 5.4 | EPSS 0.00136
Exploits: 1 | References: 1
OSV (added 2026/04/07 7:16 a.m., 16 views)

PYSEC-2026-170

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | AI score 5.8 | EPSS 0.0054
Exploits: 1 | References: 2
ATTACKERKB (added 2026/04/07 6:19 a.m., 4 views)

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | AI score 7.2 | EPSS 0.0054
Exploits: 1 | References: 3
Vulnrichment (added 2026/04/07 6:19 a.m., 2 views)

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | AI score 7.2 | EPSS 0.0054
Exploits: 1 | References: 2
Cvelist (added 2026/04/07 6:19 a.m., 27 views)

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8 | EPSS 0.0054
Exploits: 1 | References: 2
CVE (added 2026/04/07 6:19 a.m., 16 views)

CVE-2026-1114

CVE-2026-1114 affects parisneo/lollms 2.1.0. The issue is an improper access control flaw caused by signing JWTs with a weak secret key, enabling an offline brute-force to recover the key. With the cracked secret, an attacker can forge administrative tokens, modify the JWT payload, and re-sign it to...

CVSS 9.8 | AI score 7.2 | EPSS 0.0054
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment (added 2026/04/07 6:00 a.m., 1 view)

CVE-2025-15611 Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

AI score 6 | EPSS 0.00136
Exploits: 1 | References: 1
Cvelist (added 2026/04/07 6:00 a.m., 18 views)

CVE-2025-15611 Popup Box AYS Pro < 5.5.0 - Admin+ Stored Cross-Site Scripting (XSS) via CSRF

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the addoreditpopupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create ...

EPSS 0.00136
Exploits: 1 | References: 1
GithubExploit (added 2026/04/07 12:16 a.m., 114 views)

Exploit for CVE-2026-39324

CVE-2026-39324 Rack::Session::Cookie decrypt failure falls...

AI score 5.8 | EPSS 0.0027
Exploits: 1
Cvelist (added 2026/04/07 12:00 a.m., 16 views)

CVE-2026-31272

MRCMS 3.1.2 contains an access control vulnerability. The save method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication...

EPSS 0.00577
Exploits: 1 | References: 1
Vulnrichment (added 2026/04/07 12:00 a.m., 2 views)

CVE-2026-31272

MRCMS 3.1.2 contains an access control vulnerability. The save method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication...

AI score 5.9 | EPSS 0.00577
Exploits: 1 | References: 1
CNNVD (added 2026/04/07 12:00 a.m., 7 views)

ChurchCRM security vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 6.5.3 contain a security vulnerability stemming from cross-site scripting in the group creation feature of the administration panel. This vulnerability could allow...

CVSS 8 | AI score 5.7 | EPSS 0.00243
Exploits: 0 | References: 1
CNNVD (added 2026/04/07 12:00 a.m., 6 views)

MRCMS security vulnerability

MRCMS is a content management system developed by the individual developer Marker. MRCMS version 3.1.2 has a security vulnerability stemming from improper access control. This vulnerability could allow unauthorized users to add super administrator accounts without authentication...

CVSS 9.8 | AI score 5.8 | EPSS 0.00577
Exploits: 1 | References: 1
CNNVD (added 2026/04/07 12:00 a.m., 6 views)

xyOps cross-site scripting vulnerability

xyOps is a multi-server task scheduling and execution platform developed by Joseph Huckaby. Versions of xyOps prior to 0.9.111 contain a cross-site scripting vulnerability. The vulnerability stems from the server failing to sanitize data stored in the job output fields, allowing...

CVSS 6.1 | AI score 5.9 | EPSS 0.00171
Exploits: 1 | References: 2
Positive Technologies (added 2026/04/07 12:00 a.m., 7 views)

PT-2026-30818

Name of the vulnerable software and affected versions: Dolibarr ERP/CRM versions prior to 23.0.2. Description: An authenticated remote code execution issue exists in the standard dol_eval function. The system fails to apply forbidden string checks when operating in whitelist mode and does not detect...

CVSS 8.6 | AI score 6.6 | EPSS 0.15527
Exploits: 2 | References: 14
CNNVD (added 2026/04/07 12:00 a.m., 7 views)

ChurchCRM cross-site scripting vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contain a cross-site scripting vulnerability. The vulnerability stems from stored cross-site scripting in directory report forms, personnel editor default addresses, and external...

CVSS 6.1 | AI score 5.7 | EPSS 0.00207
Exploits: 0 | References: 1