Lucene search
+L

9786 matches found

Nuclei
Nuclei
added yesterday18 views

Liferay Portal - Open Redirect

HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' U+FFFD, which allows remote...

6.1CVSS6.5AI score0.0096EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday64 views

AppServ Open Project <=2.5.10 - Cross-Site Scripting

AppServ Open Project 2.5.10 and earlier contains a cross-site scripting vulnerability in index.php which allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter. id: CVE-2008-2398 info: name: AppServ Open Project =2.5.11 or apply the necessary security patches...

4.3CVSS6.2AI score0.06232EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday160 views

SPIP <3.1.2 - Cross-Site Scripting

SPIP 3.1.2 and earlier contains a cross-site scripting vulnerability in validerxml.php which allows remote attackers to inject arbitrary web script or HTML via the varurl parameter in a validerxml action. id: CVE-2016-7981 info: name: SPIP 3.1.2 - Cross-Site Scripting author: pikpikcu severity:...

6.1CVSS6.8AI score0.08216EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday34 views

Cofax <=2.0RC3 - Cross-Site Scripting

Cofax 2.0 RC3 and earlier contains a cross-site scripting vulnerability in search.htm which allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter. id: CVE-2005-4385 info: name: Cofax =2.0RC3 - Cross-Site Scripting author: geeknik severity: medium descriptio...

4.3CVSS6.2AI score0.08836EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday14 views

mcp-atlassian < 0.17.0 - Server-Side Request Forgery

MCP Atlassian 0.17.0 contains a server-side request forgery caused by improper validation of custom HTTP headers in the HTTP middleware, letting unauthenticated attackers force outbound requests to arbitrary URLs, exploit requires access to the mcp-atlassian HTTP endpoint. id: CVE-2026-27826 info...

9CVSS6.3AI score0.14958EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday30 views

WordPress Integrator 1.32 - Cross-Site Scripting

A cross-site scripting vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirectto parameter to wp-login.php. id: CVE-2012-5913 info: name: WordPress Integrator 1.32 - Cross-Site Scripti...

4.3CVSS6.2AI score0.08732EPSS
Exploits1References5
NVD
NVD
added 2 days ago6 views

CVE-2026-58478

Sustainable Irrigation Platform SIP through version 5.2.16 contains a server-side request forgery SSRF vulnerability that allows unauthenticated attackers to make the device issue arbitrary HTTP requests by supplying a malicious callback URL when the optional Node-RED plugin is installed. Attacke...

6.5CVSS0.00261EPSS
Exploits2References2
Nuclei
Nuclei
added 2 days ago13 views

BMC FootPrints 'searchWeb' - Server-Side Request Forgery

BMC FootPrints versions 20.20.02 through 20.24.01.001 contain a Server-Side Request Forgery SSRF vulnerability in the /footprints/servicedesk/import/searchWeb endpoint. The 'url' parameter allows unauthenticated attackers to force the server to make HTTP requests to arbitrary URLs, enabling acces...

8.8CVSS6.3AI score0.3436EPSS
Exploits2References2
OSV
OSV
added 2026/06/18 9:13 p.m.6 views

GHSA-Q59X-JC9F-GFQF Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints

Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery SSRF vulnerability in three administrative endpoints used for remote Signal K server connection management. The makeRemoteRequest function accepts attacker-controlled host, port, useTLS, and...

5.8CVSS5.7AI score
Exploits0References2
NVD
NVD
added 2026/06/11 6:16 p.m.13 views

CVE-2026-46698

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wpajaxnoprivftfgetsiteinfo includes/SiteInfo.php that verified a nonce ftf-fediverse-embeds-nonce and then called filegethtml$siteurl on the...

5.3CVSS0.00229EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.8 views

CVE-2026-42860

The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...

8.5CVSS5.6AI score0.00301EPSS
Exploits1References1
CVE
CVE
added 2026/06/05 10:15 a.m.28 views

CVE-2026-21037

Samsung Members (pre-5.8.01.5) is affected by improper input validation that enables local attackers to access an arbitrary URL and launch an arbitrary activity with Samsung Members privileges. The root cause is insufficient input validation within the app, leading to privilege escalation on the ...

7.1CVSS5.6AI score0.00105EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/05 12:31 a.m.12 views

EUVD-2026-34771

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the saveaigeneratedimage function. This makes it possible for authenticated attackers, with Author-level...

7.2CVSS5.9AI score0.00213EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.9 views

WPDeveloper Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns 服务端请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

7.2CVSS6.1AI score0.00213EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.13 views

SAMSUNG Members 安全漏洞

Samsung Members is a community platform app developed by South Korea’s Samsung Corporation. Versions of Samsung Members prior to 5.8.01.5 contained security vulnerabilities. These vulnerabilities were due to improper input validation, which could allow local attackers to use Samsung Members...

7.1CVSS5.5AI score0.00105EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 8:14 p.m.36 views

CVE-2026-45412 MaxKB: Unauthenticated SSRF via Workflow Template Import

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...

6.3CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/05/26 8:14 p.m.27 views

CVE-2026-45412

MaxKB (enterprise AI) is affected by SSRF in the work_flow_template component prior to version 2.9.1. An authenticated user could supply arbitrary URLs to work_flow_template.downloadUrl, and the server would fetch them without URL validation or internal IP filtering, enabling server-side requests...

6.3CVSS5.9AI score0.00207EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in Firefox and Thunderbird

A maliciously installed WebExtension could open arbitrary URLs, which under the right circumstances could be exploited to collect sensitive user data. This vulnerability affects Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1...

4.3CVSS6.6AI score0.00906EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/12 8:21 p.m.11 views

CVE-2026-42858

Open edX Platform enables the authoring and delivery of online learning at any scale. The syncproviderdata endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadataurl POST parameter. This URL is passed directly to requests.get in...

9.9CVSS6AI score0.00374EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.14 views

Geyser 代码问题漏洞

Geyser is a cross-platform game version bridging proxy tool developed by GeyserMC. Versions of Geyser prior to 2.9.3 contained code vulnerabilities. These vulnerabilities stemmed from server-side request forgeing when processing texture data for players’ heads in Minecraft. This allowed attackers...

2.4CVSS6AI score0.00158EPSS
Exploits0References2
Rows per page
Query Builder