Lucene search
K

87063 matches found

OSV
OSV
added 2026/05/04 9:24 p.m.6 views

GHSA-RPFR-X88X-XWCW Pelican Web UI Affected by a Privilege Escalation Attack

Background On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface WebUI for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any...

9CVSS5.7AI score0.0032EPSS
Exploits0References4
NVD
NVD
added 2026/05/04 9:16 p.m.18 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

9.8CVSS0.00346EPSS
Exploits1References2
OSV
OSV
added 2026/05/04 8:50 p.m.5 views

GHSA-VGRF-PR28-VF98 CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess

Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...

6.9CVSS5.9AI score0.00344EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/04 8:50 p.m.9 views

CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess

Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...

6.9CVSS5.9AI score0.00344EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.9 views

CVE-2026-7677

A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument...

5.1CVSS4.3AI score0.00195EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.9 views

CVE-2026-6449

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking...

5.3CVSS5.8AI score0.00458EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.8 views

CVE-2026-5324

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...

7.2CVSS6AI score0.00401EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.7 views

CVE-2026-6963

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmgsaveproviderconfig AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...

8.8CVSS5.8AI score0.00396EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.7 views

CVE-2026-5110

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are...

7.2CVSS6AI score0.00247EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/04 8:9 p.m.41 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS0.00346EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/04 8:9 p.m.5 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS5.8AI score0.00346EPSS
Exploits1References2
CVE
CVE
added 2026/05/04 8:9 p.m.35 views

CVE-2026-42221

Summary: CVE-2026-42221 affects nginx-ui versions 2.0.0 through 2.3.7, where an unauthenticated attacker can claim the initial administrator account during first-run via the public /api/install endpoint. The installation flow and public keys are not authenticated, allowing an attacker to set admi...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/04 8:9 p.m.6 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

8.1CVSS5.8AI score0.00346EPSS
Exploits1References3Affected Software1
GithubExploit
GithubExploit
added 2026/05/04 7:17 p.m.92 views

Exploit for Missing Authentication for Critical Function in Cpanel

A recente vulnerabilidade CVE-2026-41940 trouxe grande preocupaç...

9.8CVSS6AI score0.981EPSS
Exploits64
vulnersOsv
vulnersOsv
added 2026/05/04 6:26 p.m.8 views

org.apache.polaris:polaris-admin (>=1.0.0-incubating <=1.4.0), org.apache.polaris:polaris-api-catalog-service (>=1.0.0-incubating <=1.4.0) +23 more potentially affected by CVE-2026-42811 via org.apache.polaris:polaris-core (>=1.0.0-incubating <=1.4.0)

org.apache.polaris:polaris-core MAVEN version =1.0.0-incubating, =1.0.0-incubating, =1.0.0-incubating, =1.0.0-incubating, =1.0.0-incubating, =1.0.0-incubating, =1.3.0-incubating, =1.3.0-incubating, =1.1.0-incubating, =1.1.0-incubating, =1.0.0-incubating, =1.0.0-incubating, =1.4.0 and more Source...

9.9CVSS5.8AI score0.00431EPSS
Exploits0
NVD
NVD
added 2026/05/04 6:16 p.m.10 views

CVE-2026-42084

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid...

8.1CVSS0.00305EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/05/04 5:21 p.m.7 views

CVE-2026-42088 OpenC3 COSMOS: Administrative Actions via the Script Runner Tool

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the...

9.6CVSS5.8AI score0.00341EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/04 5:21 p.m.13 views

EUVD-2026-27065

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the...

9.6CVSS5.8AI score0.00341EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/05/04 5:11 p.m.5 views

CVE-2026-42084

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid...

8.1CVSS5.7AI score0.00305EPSS
Exploits1References5Affected Software1
GithubExploit
GithubExploit
added 2026/05/04 2:48 p.m.37 views

CVE

CVE-PENDING: Bdtask Multi-Store Inventory Management System 1...

5.9AI score
Exploits0
Rows per page
Query Builder