Lucene search

1425 matches found

CVE | added yesterday | 6 views

CVE-2026-54260

CVE-2026-54260 affects Wagtail (Django-based CMS). In versions prior to 7.0.8, 7.3.3, and 7.4.2, an authenticated admin user can trigger expensive rendition processing via crafted filter specs in the image preview, leading to potential service degradation. This is not exploitable by anonymous vis...

CVSS 4.3 | AI score 5.6
Exploits 0 | References 1
Cvelist | added 6 days ago | 22 views

CVE-2026-50765

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

EPSS 0.00224
Exploits 1 | References 2
CVE | added 6 days ago | 6 views

CVE-2026-50765

CVE-2026-50765 is a Cross-Site Scripting (XSS) vulnerability in Koha Library Management System (through version 25.11) affecting the patron restriction type administration page. An authenticated administrator can inject arbitrary scripts via the restriction type label (display_text field). The is...

CVSS 6.1 | AI score 5.8 | EPSS 0.00224
Exploits 1 | References 2 | Affected Software 1
CVE | added 6 days ago | 7 views

CVE-2026-50767

CVE-2026-50767 describes a stored XSS vulnerability in Koha Library Management System (up to version 25.11) where an authenticated administrator can inject arbitrary scripts through the item type check-in message field (checkinmsg). The issue requires administrator privileges and is triggered by ...

CVSS 5.4 | AI score 5.8 | EPSS 0.002
Exploits 1 | References 2 | Affected Software 1
ATTACKERKB | added 6 days ago | 5 views

CVE-2026-50765

A stored cross-site scripting (XSS) vulnerability in the patron restriction type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the restriction type label...

CVSS 6.1 | AI score 5.8 | EPSS 0.00224
Exploits 1 | References 3
ATTACKERKB | added 6 days ago | 5 views

CVE-2026-50767

A stored cross-site scripting (XSS) vulnerability in the item type administration page of Koha Library Management System versions 0 through 25.11 allows an authenticated remote attacker with administrator privileges to inject arbitrary web scripts via the item type check-in message field checkinmsg...

CVSS 5.4 | AI score 5.8 | EPSS 0.002
Exploits 1 | References 3
NVD | added last week | 15 views

CVE-2026-55439

Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint GET...

CVSS 5.5 | EPSS 0.00337
Exploits 0 | References 2
Vulnrichment | added last week | 5 views

CVE-2026-55439 Halo: Path Traversal in Backup Download Leads to Arbitrary File Read

Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint GET...

CVSS 5.5 | AI score 6 | EPSS 0.00337
Exploits 0 | References 2
Cvelist | added last week | 27 views

CVE-2026-55477 Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

CVSS 7.2 | EPSS 0.00342
Exploits 0 | References 1
ATTACKERKB | added 2026/06/22 12:39 p.m. | 3 views

CVE-2026-56447

MISP allowed an authenticated site administrator to set the Kafka rdkafka config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as...

CVSS 9.3 | AI score 6.4 | EPSS 0.00342
Exploits 0 | References 2
Positive Technologies | added 2026/06/22 12:00 a.m. | 12 views

PT-2026-51311

Vulnerable software and affected versions: MISP (affected versions not specified). Description: An authenticated site administrator can set the Kafka rdkafka config setting to an arbitrary filesystem path. The system parses the referenced INI file and passes its options to rdkafka. By usin...

CVSS 9.3 | AI score 6.3 | EPSS 0.00342
Exploits 0 | References 7
CVE | added 2026/06/21 1:27 p.m. | 14 views

CVE-2026-56393

Craft CMS 4.x (>= 4.0.0-RC1, = 5.0.0-RC1,

CVSS 4.8 | AI score 5.9 | EPSS 0.00183
Exploits 0 | References 4
EUVD | added 2026/06/21 1:27 p.m. | 6 views

EUVD-2026-38159

Craft CMS 4.x = 4.0.0-RC1, = 5.0.0-RC1, 5.9.0-beta.1 contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization, e.g. via the checkbox.twig template, which used label|raw. An authenticated administrator with...

CVSS 4.8 | AI score 5.9 | EPSS 0.00183
Exploits 0 | References 4
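The two Koha entries (CVE-2026-50765, CVE-2026-50767) and the Craft CMS entry above describe the same defect: an administrator-entered label is written into an HTML template without escaping (Craft's checkbox.twig used label|raw). The Python below is an added example for this listing, not code from Koha or Craft CMS. It stores a label in an in-memory SQLite table, renders it once the raw way and once with context-aware escaping, and checks both outputs with the standard-library HTML parser to see what a browser would actually execute. The payload string, table layout and function names are constructed for the demonstration.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Constructed payload for the demo; the advisories name the injection point, not a string.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'


def seed_store() -> sqlite3.Connection:
    """Persist admin-supplied option labels: the 'stored' half of stored XSS (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE field_options (id INTEGER PRIMARY KEY, value TEXT, label TEXT)")
    db.executemany("INSERT INTO field_options (value, label) VALUES (?, ?)",
                   [("yes", "Yes, contact me"), ("evil", PAYLOAD)])
    return db


def render_checkbox_raw(value: str, label: str) -> str:
    """Equivalent of Twig's label|raw: the stored label lands in the page verbatim."""
    return f'<label><input type="checkbox" value="{value}"> {label}</label>'


def render_checkbox(value: str, label: str) -> str:
    """Escape for the context each value lands in.

    value sits inside a double-quoted attribute, so quote=True matters (it
    turns '"' into '&quot;' so the attribute cannot be closed early); label is
    a text node, where '<', '>' and '&' are what must be neutralised.
    """
    return (f'<label><input type="checkbox" value="{html.escape(value, quote=True)}"> '
            f'{html.escape(label)}</label>')


def render_form(db: sqlite3.Connection, renderer) -> str:
    """Render every stored option with the given renderer, one control per line."""
    rows = db.execute("SELECT value, label FROM field_options ORDER BY id").fetchall()
    return "\n".join(renderer(value, label) for value, label in rows)


class TagAudit(HTMLParser):
    """Record the start tags and on* attributes a browser would actually parse out."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(rendered: str, allowed=("label", "input")) -> dict:
    """Any tag beyond the template's own, or any event handler, means the label escaped."""
    parser = TagAudit()
    parser.feed(rendered)
    parser.close()
    return {"unexpected_tags": sorted(set(parser.tags) - set(allowed)),
            "handlers": parser.handlers}


if __name__ == "__main__":
    db = seed_store()
    for name, renderer in (("raw", render_checkbox_raw), ("escaped", render_checkbox)):
        out = render_form(db, renderer)
        print(f"--- {name} ---\n{out}\n{audit(out)}")
```

The parser-based audit is deliberately not a substring check: the escaped output still contains the literal text "onerror=", but as character data inside the label, where no browser will treat it as an attribute.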
CVE | added 2026/06/20 6:27 p.m. | 15 views

CVE-2026-56342

AVideo

CVSS 6.8 | AI score 6 | EPSS 0.00236
Exploits 0 | References 2
NVD | added 2026/06/20 4:17 p.m. | 14 views

CVE-2026-56228

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value, e.g. billions of characters, as the minimum password length, making compliance...

CVSS 6.9 | EPSS 0.00272
Exploits 0 | References 2
Cvelist | added 2026/06/20 3:24 p.m. | 29 views

CVE-2026-56228 Capgo - Denial of Service via Improper Password Policy Length Validation

Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value, e.g. billions of characters, as the minimum password length, making compliance...

CVSS 6.9 | EPSS 0.00272
Exploits 0 | References 2
Cvelist | added 2026/06/19 4:31 a.m. | 28 views

CVE-2026-7547 Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parameter

The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the renderlogsui function, which accepts a base64-encoded file name from the 'log_file' GET...

CVSS 4.9 | EPSS 0.00397
Exploits 0 | References 8
NVD | added 2026/06/18 4:16 p.m. | 9 views

CVE-2025-52465

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web pa...

CVSS 7.2 | EPSS 0.00353
Exploits 0 | References 4
Cvelist | added 2026/06/18 2:28 p.m. | 15 views

CVE-2025-52465 GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web pa...

CVSS 7.2 | EPSS 0.00353
Exploits 0 | References 4
EUVD | added 2026/06/18 4:31 a.m. | 11 views

EUVD-2026-37842

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVSS 4.9 | AI score 5.8 | EPSS 0.00355
Exploits 0 | References 10
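The Form Maker entry (EUVD-2026-37842) describes SQL injection through a 'groupids' parameter caused by insufficient escaping. The Python/SQLite example below is added for this listing and is not the plugin's code. It assumes 'groupids' is a comma-separated list of numeric ids dropped into an IN (...) clause, the usual shape of such a parameter, and places the concatenated query beside a version that validates the list, bounds its length and binds one placeholder per id. The table names, the seed rows and the injection string are constructed for the demo.

```python
import sqlite3

# Constructed payload: closes the IN list, appends a UNION against the users table,
# and comments out whatever the original statement had after the parameter.
INJECTION_PAYLOAD = "1) UNION SELECT id, user_login || ':' || user_pass FROM wp_users --"
MAX_IDS = 100  # keep the placeholder count well under SQLite's bound-parameter limit


def seed() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress database (table names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE form_groups (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO form_groups VALUES (1, 'newsletter'), (2, 'beta'), (3, 'internal');
        INSERT INTO wp_users VALUES (1, 'admin', 'fake-hash-for-demo');
    """)
    return db


def groups_vulnerable(db: sqlite3.Connection, groupids: str) -> list[tuple]:
    """The weak pattern: the raw parameter is spliced into the statement text."""
    sql = f"SELECT id, name FROM form_groups WHERE id IN ({groupids}) ORDER BY id"
    return db.execute(sql).fetchall()


def parse_group_ids(groupids: str) -> list[int]:
    """Accept only a bounded list of decimal integers; anything else is rejected outright."""
    parts = [p.strip() for p in groupids.split(",")]
    if not parts or len(parts) > MAX_IDS:
        raise ValueError("bad id count")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"non-numeric group id in {groupids!r}")
    return [int(p) for p in parts]


def groups_safe(db: sqlite3.Connection, groupids: str) -> list[tuple]:
    """Validate, then bind one placeholder per id; user input never enters the SQL text."""
    ids = parse_group_ids(groupids)
    placeholders = ", ".join("?" * len(ids))
    sql = f"SELECT id, name FROM form_groups WHERE id IN ({placeholders}) ORDER BY id"
    return db.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = seed()
    print("vulnerable, benign input :", groups_vulnerable(db, "1, 3"))
    print("vulnerable, payload      :", groups_vulnerable(db, INJECTION_PAYLOAD))
    print("safe, benign input       :", groups_safe(db, "1, 3"))
    try:
        groups_safe(db, INJECTION_PAYLOAD)
    except ValueError as exc:
        print("safe, payload            : rejected ->", exc)
```

The placeholder list is the part people get wrong: a single bound parameter cannot hold a list, so the query text has to be built, but only from a count of ids already proven numeric, never from the parameter itself.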