Lucene search
K

1227 matches found

Nuclei
Nuclei
added 12 hours ago9 views

Service Finder Bookings - Authentication Bypass

Service Finder Bookings WordPress plugin = 6.0 contains a privilege escalation caused by improper validation of user cookie in servicefinderswitchback function, letting unauthenticated attackers login as any user including admins. id: CVE-2025-5947 info: name: Service Finder Bookings -...

9.8CVSS7.1AI score0.04469EPSS
Exploits2References4
Nuclei
Nuclei
added 12 hours ago21 views

Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update

The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wppinterestautomaticparserequest' function and the 'processform.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to...

9.8CVSS7AI score0.04528EPSS
Exploits1References5
Nuclei
Nuclei
added 12 hours ago121 views

MStore API <= 3.9.2 - Authentication Bypass

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers ...

9.8CVSS7AI score0.67511EPSS
Exploits3References5
Nuclei
Nuclei
added 12 hours ago166 views

Popup-Maker < 1.8.12 - Broken Authentication

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the doaction function to invoke certain popmake or pum methods, as demonstrated by controlling content and delivery of popmake-system-info.txt aka the...

9.1CVSS7AI score0.0931EPSS
Exploits2References5
Nuclei
Nuclei
added 12 hours ago184 views

DotNetNuke 07.04.00 - Administration Authentication Bypass

The installation wizard in DotNetNuke DNN before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. id: CVE-2015-2794 info: name: DotNetNuke 07.04.00 - Administration Authentication Bypass author: 0xr2r severity...

9.8CVSS7.1AI score0.74552EPSS
Exploits4References5
Nuclei
Nuclei
added 12 hours ago43 views

Old Age Home Management System v1.0 - SQL Injection

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. id: CVE-2023-33338 info: name: Old Age Home Management System v1.0 - SQL Injection author: Harsh severity: critical description: | Old Age Home Management 1.0 is vulnerable to SQL Injection via the username...

9.8CVSS7.1AI score0.03662EPSS
Exploits1References2
Nuclei
Nuclei
added 12 hours ago65 views

Mura CMS <10.0.580 - Authentication Bypass

Mura CMS before 10.0.580 is susceptible to authentication bypass in the Remember Me function. An attacker can bypass authentication via a crafted web request and thereby obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected...

9.8CVSS7.1AI score0.03614EPSS
Exploits0References5
Nuclei
Nuclei
added 12 hours ago71 views

Hospital Management System 1.0 - SQL Injection

Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/doctor.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

9.8CVSS7.1AI score0.07476EPSS
Exploits1References4
Nuclei
Nuclei
added 12 hours ago53 views

Cyber Cafe Management System 1.0 - SQL Injection

Cyber Cafe Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of th...

9.8CVSS7.1AI score0.22593EPSS
Exploits1References5
Nuclei
Nuclei
added 12 hours ago66 views

Flowise <= 1.8.2 Authentication Bypass

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality. id: CVE-2024-8181 info: name: Flowise = 1.8.2 Authentication Bypass author:...

9.8CVSS6.1AI score0.42783EPSS
Exploits0References3
Nuclei
Nuclei
added 12 hours ago40 views

Directory Management System 1.0 - SQL Injection

Directory Management System 1.0 contains multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the...

9.8CVSS7.1AI score0.19478EPSS
Exploits1References5
Nuclei
Nuclei
added 12 hours ago109 views

Redash Setup Configuration - Default Secrets Disclosure

Redash Setup Configuration is vulnerable to default secrets disclosure Insecure Default Initialization of Resource. If an admin sets up Redash versions =10.0 and prior without explicitly specifying the REDASHCOOKIESECRET or REDASHSECRETKEY environment variables, a default value is used for both...

8.1CVSS6.6AI score0.08017EPSS
Exploits1References5
Nuclei
Nuclei
added 12 hours ago45 views

Sourcecodester Simple Client Management System 1.0 - SQL Injection

Sourcecodester Simple Client Management System 1.0 contains a SQL injection vulnerability via the username field in login.php. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id:...

9.8CVSS7.1AI score0.07515EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday70 views

Login as User or Customer < 3.3 - Privilege Escalation

The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. id: CVE-2022-4305 info: name: Login as User or Customer 3.3 - Privilege Escalation author: r3Y3r53 severity: critical...

9.8CVSS7AI score0.38625EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday85 views

Xiaomi Mi WiFi R3G Routers - Local file Inclusion

Xiaomi Mi WiFi R3G devices before 2.28.23-stable are susceptible to local file inclusion vulnerabilities via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication. id: CVE-2019-18371...

7.5CVSS7AI score0.55872EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday109 views

Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation

The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. id: CVE-2023-3460 info: name: Ultimate Member 2.6.7 - Unauthenticated Privilege...

9.8CVSS7.2AI score0.72306EPSS
Exploits12References5
Nuclei
Nuclei
added yesterday84 views

POS Codekop v2.0 - Broken Authentication

A broken authentication mechanism in the endpoint excel.php of POS Codekop v2.0 allows unauthenticated attackers to download selling data. id: CVE-2023-36347 info: name: POS Codekop v2.0 - Broken Authentication author: princechaddha severity: high description: | A broken authentication mechanism ...

7.5CVSS7AI score0.34293EPSS
Exploits1
Nuclei
Nuclei
added yesterday68 views

Cisco Small Business RV Series - OS Command Injection

Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or...

9.8CVSS6.9AI score0.72472EPSS
Exploits8References5
Nuclei
Nuclei
added 2 days ago72 views

F5 BIG-IP Appliance Mode - Command Injection

When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. id: CVE-2022-41800 info: name: F5 BIG-IP Appliance Mode - Command Injection author: dwisiswant0 severity: high description...

9.8CVSS7.1AI score0.99956EPSS
Exploits70References5
Nuclei
Nuclei
added 2 days ago33 views

Atlassian Jira Seraph - Authentication Bypass

Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also...

9.8CVSS7.1AI score0.88057EPSS
Exploits2References5
Rows per page
Query Builder