87132 matches found

ATTACKERKB
added 2026/04/24 10:16 a.m. | 4 views

CVE-2026-41044

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to...

AI score: 6.5 | EPSS: 0.0098
Exploits: 0 | References: 2 | Affected Software: 3

Debian CVE
added 2026/04/24 10:16 a.m. | 6 views

CVE-2026-41044

Improper Input Validation, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to...

CVSS: 8.8 | AI score: 6.6 | EPSS: 0.0098
Exploits: 0

GithubExploit
added 2026/04/24 10:16 a.m. | 106 views

Black-Oracle

🖤 BLACK ORACLE 🖤 «The Eye That Sees Through Digital...

AI score: 5.7
Exploits: 0

OSV
added 2026/04/24 8:51 a.m. | 4 views

BIT-RCLONE-2026-41176 Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...

CVSS: 9.8 | AI score: 5.4 | EPSS: 0.34734
Exploits: 1 | References: 4

Cvelist
added 2026/04/24 7:45 a.m. | 32 views

CVE-2025-11762 HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with...

CVSS: 4.3 | EPSS: 0.00193
Exploits: 0 | References: 3

CVE
added 2026/04/24 7:45 a.m. | 18 views

CVE-2025-11762

The CVE-2025-11762 entry concerns the HubSpot All-In-One Marketing – Forms, Popups, Live Chat WordPress plugin. Affected versions are up to and including 11.3.32. The issue is a Sensitive Information Exposure vulnerability in leadin/public/admin/class-adminconstants.php, allowing authenticated at...

CVSS: 4.3 | AI score: 5.2 | EPSS: 0.00193
Exploits: 0 | References: 3

ATTACKERKB
added 2026/04/24 5:29 a.m. | 5 views

CVE-2026-5347

The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admininit hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00323
Exploits: 0 | References: 7

NVD
added 2026/04/24 3:16 a.m. | 3 views

CVE-2026-33318

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVSS: 8.8 | EPSS: 0.00472
Exploits: 1 | References: 2

Vulnrichment
added 2026/04/24 3:14 a.m. | 5 views

CVE-2026-41068 Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...

CVSS: 7.7 | AI score: 8.6 | EPSS: 0.00516
Exploits: 2 | References: 2

EUVD
added 2026/04/24 2:13 a.m. | 8 views

EUVD-2026-25380

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVSS: 8.8 | AI score: 5.5 | EPSS: 0.00472
Exploits: 1 | References: 2

ATTACKERKB
added 2026/04/24 2:13 a.m. | 6 views

CVE-2026-33318

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00472
Exploits: 1 | References: 3 | Affected Software: 1

EUVD
added 2026/04/24 12:31 a.m. | 4 views

EUVD-2026-25359

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00548
Exploits: 0 | References: 4

EUVD
added 2026/04/24 12:31 a.m. | 4 views

EUVD-2026-25361

A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.0019
Exploits: 0 | References: 4

EUVD
added 2026/04/24 12:31 a.m. | 4 views

EUVD-2026-25347

A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers and office/small office multifunction printers...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00294
Exploits: 0 | References: 5

EUVD
added 2026/04/24 12:31 a.m. | 5 views

EUVD-2026-25343

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient acce...

CVSS: 7.1 | AI score: 5.8 | EPSS: 0.00232
Exploits: 0 | References: 4

Github Security Blog
added 2026/04/24 12:31 a.m. | 6 views

Duplicate Advisory: OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-767m-xrhc-fxm7. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write...

CVSS: 8.8 | AI score: 5.7 | EPSS: 0.00232
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2026/04/24 12:31 a.m. | 3 views

GHSA-V3C2-39FM-JQ4H Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-5h2w-qmfp-ggp6. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows...

CVSS: 5.4 | AI score: 5.7 | EPSS: 0.00209
Exploits: 0 | References: 3

EUVD
added 2026/04/24 12:31 a.m. | 5 views

EUVD-2026-25328

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or...

CVSS: 5.4 | AI score: 5.7 | EPSS: 0.00209
Exploits: 0 | References: 3

EUVD
added 2026/04/24 12:31 a.m. | 8 views

EUVD-2026-25323

OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00283
Exploits: 0 | References: 4

Github Security Blog
added 2026/04/24 12:31 a.m. | 9 views

Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-5h2w-qmfp-ggp6. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows...

CVSS: 8.8 | AI score: 5.7 | EPSS: 0.00209
Exploits: 0 | References: 4 | Affected Software: 1