
87121 matches found

CNNVD
added 2026/04/07 12:0 a.m., 5 views

Emissary cross-site scripting vulnerability

Emissary is a distributed P2P data-driven workflow framework developed by the National Security Agency. Versions of Emissary prior to 8.39.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the Mustache navigation template directly inserting configured link values...

CVSS 4.8, AI score 5.7, EPSS 0.00176
Exploits 1, References 3
Positive Technologies
added 2026/04/07 12:0 a.m., 3 views

PT-2026-31019

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create events and run events privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The...

CVSS 5.3, AI score 6, EPSS 0.00171
Exploits 1, References 4
Positive Technologies
added 2026/04/07 12:0 a.m., 5 views

PT-2026-30795

The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add or edit popupbox function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can crea...

CVSS 5.4, AI score 6, EPSS 0.00136
Exploits 1, References 5
Positive Technologies
added 2026/04/07 12:0 a.m., 6 views

PT-2026-30796

Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions prior to 2.2.0. Description: Session management is subject to improper access control because a weak secret key is used for signing JSON Web Tokens (JWT). This allows an attacker to conduct an offline brute-force attack to...

CVSS 9.8, AI score 8.6, EPSS 0.0054
Exploits 1, References 6
Positive Technologies
added 2026/04/07 12:0 a.m., 3 views

PT-2026-30921

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

CVSS 8.8, AI score 6, EPSS 0.00298
Exploits 1, References 2
Positive Technologies
added 2026/04/07 12:0 a.m., 7 views

PT-2026-31005

Plane is an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member (ADMIN or MEMBER) to modify the start date and target date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

CVSS 6.5, AI score 5.9, EPSS 0.00208
Exploits 1, References 3
CNNVD
added 2026/04/07 12:0 a.m., 11 views

runZero Platform security vulnerability

RunZero Platform is an asset discovery and attack surface management platform developed by the US company RunZero. Versions of RunZero Platform prior to 4.0.260203.0 contained security vulnerabilities. These vulnerabilities were due to improper authorization, which could allow administrators to...

CVSS 6.8, AI score 5.8, EPSS 0.00191
Exploits 0, References 2
Positive Technologies
added 2026/04/07 12:0 a.m., 6 views

PT-2026-30869

Name of the Vulnerable Software and Affected Versions: Django versions 6.0 through 6.0.3, 5.2 through 5.2.12, and 4.2 through 4.2.29. Description: A flaw exists in the permission validation process for inline model instances within GenericInlineModelAdmin when handling forged POST data. This could...

CVSS 9.8, AI score 5.8, EPSS 0.00769
Exploits 1, References 31
CNNVD
added 2026/04/07 12:0 a.m., 9 views

Django security vulnerability

Django is a Python-based open-source web framework developed by the Django Foundation. This framework includes an object-oriented mapper, view system, template system, etc. Versions of Django prior to 6.0.4, 5.2.13, and 4.2.30 contained security vulnerabilities. These vulnerabilities stemmed from...

CVSS 9.8, AI score 5.8, EPSS 0.00458
Exploits 0, References 3
Positive Technologies
added 2026/04/07 12:0 a.m., 7 views

PT-2026-30818

Name of the Vulnerable Software and Affected Versions: Dolibarr ERP/CRM versions prior to 23.0.2. Description: An authenticated remote code execution issue exists in the dol eval standard function. The system fails to apply forbidden string checks when operating in whitelist mode and does not detect...

CVSS 8.6, AI score 6.6, EPSS 0.15527
Exploits 2, References 14
CNNVD
added 2026/04/07 12:0 a.m., 7 views

ChurchCRM cross-site scripting vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from stored cross-site scripting in directory report forms, personnel editor default addresses, and external...

CVSS 6.1, AI score 5.7, EPSS 0.00207
Exploits 0, References 1
Cvelist
added 2026/04/07 12:0 a.m., 16 views

CVE-2026-31272

MRCMS 3.1.2 contains an access control vulnerability. The save method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication...

EPSS 0.00577
Exploits 1, References 1
CNNVD
added 2026/04/07 12:0 a.m., 6 views

ChurchCRM cross-site scripting vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.1 had a cross-site scripting vulnerability. This vulnerability stemmed from storage-based cross-site scripting in the Group Remove control and Family Editor state/country fields, which could lead to...

CVSS 6.1, AI score 5.7, EPSS 0.00252
Exploits 1, References 2
SUSE CVE
added 2026/04/06 11:24 p.m., 2 views

SUSE CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVSS 8.8, AI score 6, EPSS 0.00318
Exploits 0, References 3
SUSE CVE
added 2026/04/06 11:24 p.m., 3 views

SUSE CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

CVSS 7.1, AI score 5.9, EPSS 0.00184
Exploits 0, References 3
NVD
added 2026/04/06 10:16 p.m., 3 views

CVE-2026-35450

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php,...

CVSS 5.3, EPSS 0.0037
Exploits 1, References 1
NVD
added 2026/04/06 10:16 p.m., 8 views

CVE-2026-35411

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, EPSS 0.00256
Exploits 0, References 1
ATTACKERKB
added 2026/04/06 9:46 p.m., 4 views

CVE-2026-35450

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php,...

CVSS 5.3, AI score 5.9, EPSS 0.0037
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2026/04/06 9:33 p.m., 3 views

CVE-2026-35411 Directus is an Open Redirect in Admin 2FA Setup Page

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, AI score 5.9, EPSS 0.00256
Exploits 0, References 1
ATTACKERKB
added 2026/04/06 9:33 p.m., 8 views

CVE-2026-35411

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, AI score 5.9, EPSS 0.00256
Exploits 0, References 2, Affected Software 1