Lucene search
K

1314 matches found

NVD
NVD
added 2 days ago4 views

CVE-2026-58468

NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin...

5.5CVSS0.002EPSS
Exploits0References4
Nuclei
Nuclei
added 2 days ago10 views

EKC Tournament Manager WordPress plugin - Path Traversal

EKC Tournament Manager WordPress plugin 2.2.2 contains a path traversal caused by insufficient validation, letting logged in admin users download system files outside the WordPress directory. id: CVE-2024-9765 info: name: EKC Tournament Manager WordPress plugin - Path Traversal author: Sourabh-Sa...

6.5CVSS5.9AI score0.01414EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added last week9 views

CVE-2026-13722

WatchGuard Fireware OS contains a firmware validation bypass when processing a backup image via the backup/restore feature. An authenticated administrator can exploit this vulnerability to install a tampered firmware image.This vulnerability affects Fireware OS 11.0 up to and including...

8.6CVSS5.7AI score0.00232EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/07/01 10:16 p.m.6 views

CVE-2026-54260

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not...

4.3CVSS0.0022EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/01 9:8 p.m.4 views

CVE-2026-54260

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not...

4.3CVSS5.6AI score0.0022EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/01 9:8 p.m.40 views

CVE-2026-54260 Wagtail: Denial of service via unbounded filter specs in the image preview

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not...

4.3CVSS0.0022EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 2:17 p.m.11 views

CVE-2026-57940

HTMLy 3.1.1 contains a Server-Side Request Forgery SSRF vulnerability in the RSS feed import functionality. The function getfeed in system/admin/admin.php passes user-supplied $feedurl directly to filegetcontents without any validation. An authenticated attacker with administrative privileges can...

2.1CVSS0.00229EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 1:8 p.m.35 views

CVE-2026-57940

HTMLy 3.1.1 contains a Server-Side Request Forgery SSRF vulnerability in the RSS feed import functionality. The function getfeed in system/admin/admin.php passes user-supplied $feedurl directly to filegetcontents without any validation. An authenticated attacker with administrative privileges can...

2.1CVSS0.00229EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 1:8 p.m.6 views

CVE-2026-57940

HTMLy 3.1.1 contains a Server-Side Request Forgery SSRF vulnerability in the RSS feed import functionality. The function getfeed in system/admin/admin.php passes user-supplied $feedurl directly to filegetcontents without any validation. An authenticated attacker with administrative privileges can...

2.1CVSS5.8AI score0.00229EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/26 10:15 a.m.22 views

CVE-2025-7958

Summary (CVE-2025-7958): A code injection vulnerability exists in Trellix Network Security CM and NX. A locally authenticated admin user can trigger arbitrary code execution via the web interface and Alert artifact details. The issue is described as enabling remote-like control within the device ...

8.5CVSS6.2AI score0.00197EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 3:0 p.m.21 views

CVE-2026-55477

3X-UI before version 3.3.1 is affected. An authenticated administrator can abuse the database import functionality to write arbitrary files on the host by altering Xray configuration values stored in the database, enabling code execution and persistent access as the Xray process user (including r...

7.2CVSS6.4AI score0.00342EPSS
Exploits0References1
NVD
NVD
added 2026/06/22 2:17 p.m.6 views

CVE-2026-56447

MISP allowed an authenticated site administrator to set the Kafkardkafkaconfig setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as...

9.3CVSS0.00342EPSS
Exploits0References1
NVD
NVD
added 2026/06/21 2:16 p.m.13 views

CVE-2026-56382

Craft CMS composer package craftcms/cms versions = 5.5.0 and = 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...

8.6CVSS0.00493EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/21 1:26 p.m.30 views

CVE-2026-56382 Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController

Craft CMS composer package craftcms/cms versions = 5.5.0 and = 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...

8.6CVSS0.00493EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56382

Craft CMS composer package craftcms/cms versions = 5.5.0 and = 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...

8.6CVSS6.5AI score0.00493EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.19 views

PT-2026-51230

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.5.0 through 5.9.13 Description An issue exists in the FieldsController::actionRenderCardPreview method where the fieldLayoutConfig POST parameter is passed directly to Fields::createLayout without being processed by...

8.6CVSS6.2AI score0.00493EPSS
Exploits0References7
CVE
CVE
added 2026/06/18 2:28 p.m.23 views

CVE-2025-52465

GeoServer has an arbitrary file write vulnerability (CVE-2025-52465) in the Master Password Dump page. Before versions 2.26.4 and 2.27.3, an authenticated administrator with access to GeoServer’s security system can pass an absolute path as the target file name to the Master Password Dump page, c...

7.2CVSS5.4AI score0.00353EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/06/18 4:31 a.m.28 views

CVE-2026-11776 Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupids' Parameter

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...

4.9CVSS0.00355EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/06/17 8:7 p.m.20 views

CVE-2026-11407 Pimcore CMS 12.3.8 Twig Sandbox Bypass via SecurityPolicy checkMethodAllowed

Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed and checkPropertyAllowed implementations in the custom Twig SecurityPolicy. Attackers can...

8.6CVSS0.00623EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/06/15 9:30 a.m.73 views

Exploit for CVE-2026-37066

CVE-2026-37066 Path traversal leading to Arbitrary File Read i...

5.2AI score
Exploits0
Rows per page
Query Builder