Lucene search
K

87382 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/04 2:32 p.m.7 views

CVE-2026-43985

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

8.8CVSS5.8AI score0.00146EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/04 2:32 p.m.17 views

CVE-2026-43985

Tautulli (Python-based Plex monitoring) before v2.17.1 exposes the admin-changing endpoint /configUpdate without enforcing POST or anti-CSRF checks. In default form/JWT modes, the SameSite=Lax cookie permits top-level cross-site requests, enabling an attacker to coerce a logged-in admin to submit...

8.8CVSS5.8AI score0.00146EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/04 2:28 p.m.39 views

CVE-2026-43984 Tautulli has stored XSS in logFile via guest-controlled log_js_errors input

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...

8.9CVSS0.00207EPSS
Exploits0References2
NVD
NVD
added 2026/06/04 2:16 p.m.12 views

CVE-2026-43926

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint /client/reset-password-confirm/:hash is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to /api/ routes...

6.3CVSS0.00217EPSS
Exploits0References2
NVD
NVD
added 2026/06/04 2:16 p.m.12 views

CVE-2026-10854

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially...

5.3CVSS0.00176EPSS
Exploits0References1
NVD
NVD
added 2026/06/04 2:16 p.m.13 views

CVE-2019-25745

WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'tid' parameter. Attackers can send GET requests to the admin interface with malicious 'tid'...

8.8CVSS0.00262EPSS
Exploits0References3
NVD
NVD
added 2026/06/04 2:16 p.m.10 views

CVE-2019-25738

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

9.8CVSS0.00347EPSS
Exploits0References5
NVD
NVD
added 2026/06/04 2:16 p.m.15 views

CVE-2019-25737

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

6.1CVSS0.00211EPSS
Exploits0References4
NVD
NVD
added 2026/06/04 2:16 p.m.12 views

CVE-2019-25731

Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to...

6.1CVSS0.00211EPSS
Exploits0References4
NVD
NVD
added 2026/06/04 2:16 p.m.12 views

CVE-2019-25734

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

5.1CVSS0.00887EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/04 1:22 p.m.7 views

CVE-2019-25745

WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'tid' parameter. Attackers can send GET requests to the admin interface with malicious 'tid'...

8.8CVSS5.9AI score0.00262EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/04 1:22 p.m.40 views

CVE-2019-25742 WordPress Theme Zoner Real Estate 4.1.1 Persistent XSS

WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execu...

5.4CVSS0.00171EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/04 1:22 p.m.8 views

EUVD-2019-20178

WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execu...

6.4CVSS5.7AI score0.00171EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/04 1:22 p.m.36 views

CVE-2019-25738 WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

9.8CVSS0.00347EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/04 1:22 p.m.9 views

CVE-2019-25738

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

9.8CVSS5.8AI score0.00347EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/06/04 1:22 p.m.21 views

CVE-2019-25738

The CVE affects WordPress Hybrid Composer 1.4.6, where an unauthenticated attacker can exploit the hc_ajax_save_option action via admin-ajax.php to modify WordPress options, enabling user registration and setting the default role to administrator, potentially leading to account takeover. The issu...

9.8CVSS5.8AI score0.00347EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/04 1:22 p.m.11 views

CVE-2019-25738 WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

9.8CVSS5.8AI score0.00347EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/04 1:22 p.m.11 views

EUVD-2019-20173

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

7.2CVSS5.7AI score0.00211EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/04 1:22 p.m.40 views

CVE-2019-25737 Live Chat Unlimited 2.8.3 Stored Cross-Site Scripting

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

6.1CVSS0.00211EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/04 1:22 p.m.10 views

CVE-2019-25737 Live Chat Unlimited 2.8.3 Stored Cross-Site Scripting

Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie...

6.1CVSS5.7AI score0.00211EPSS
Exploits0References4
Rows per page
Query Builder