Lucene search
K

12764 matches found

cvelist
cvelist
added 2026/06/22 9:26 a.m.36 views

CVE-2026-12580 Digiwin|EasyFlow .NET - Stored Cross-Site Scripting

EasyFlow .NET developed by Digiwin has a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to inject persistent JavaScript code executed in users' browsers upon page load...

5.4CVSS0.00168EPSS
Exploits0References2
nvd
nvd
added 2026/06/20 4:17 p.m.19 views

CVE-2026-56307

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

5.3CVSS0.00238EPSS
Exploits0References2
euvd
euvd
added 2026/06/20 3:24 p.m.9 views

EUVD-2026-38126

Capgo before 12.128.2 contains an open redirect vulnerability in stripeportal and stripecheckout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for...

4.8CVSS5.9AI score0.00152EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/20 3:24 p.m.6 views

CVE-2026-56307

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/20 3:24 p.m.32 views

CVE-2026-56307 Cap-go - Broken Cursor Pagination in /private/devices Endpoint

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

5.3CVSS0.00238EPSS
Exploits0References2
cve
cve
added 2026/06/20 3:24 p.m.20 views

CVE-2026-56307

Cap-go before 12.128.12 has a broken cursor pagination vulnerability in the /private/devices endpoint of the Cloudflare/workerd path. Authenticated attackers with app.read_devices can exploit non-advancing cursor filters to trigger infinite pagination loops, causing duplicate pages and making lat...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References2
nvd
nvd
added 2026/06/19 6:16 p.m.17 views

CVE-2019-25761

Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the dealid parameter. Attackers can send GET requests to index.php with option=comjoomcrm&view=contacts and inject SQL...

7.1CVSS0.00221EPSS
Exploits0References4
nvd
nvd
added 2026/06/19 6:16 p.m.23 views

CVE-2019-25757

Joomla vWishlist 1.0.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the vproductid and userid parameters. Attackers can send POST requests to the component with crafted SQL payloads in these...

7.1CVSS0.00221EPSS
Exploits0References4
cvelist
cvelist
added 2026/06/19 5:45 p.m.20 views

CVE-2019-25761 Joomla! Component JoomCRM 1.1.1 SQL Injection via deal_id

Joomla! Component JoomCRM 1.1.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the dealid parameter. Attackers can send GET requests to index.php with option=comjoomcrm&view=contacts and inject SQL...

7.1CVSS0.00221EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/06/19 5:5 p.m.4 views

CVE-2019-25749

Joomla J-CruisePortal 6.0.4 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the guestadult parameter. Attackers can send POST requests to the cruises endpoint with crafted SQL payloads in the guestadu...

7.1CVSS6.3AI score0.00221EPSS
Exploits0References4Affected Software1
attackerkb
attackerkb
added 2026/06/19 4:31 a.m.5 views

CVE-2026-12157

The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient...

6.4CVSS6AI score0.00212EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/19 12:0 a.m.19 views

PT-2026-50995

Name of the Vulnerable Software and Affected Versions Joomla! Component vBizz version 1.0.7 Description An SQL injection allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the payid parameter. This is achieved by submitting POST requests to the...

7.1CVSS6.2AI score0.00221EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/19 12:0 a.m.17 views

PT-2026-50994

Name of the Vulnerable Software and Affected Versions Joomla! Component vBizz version 1.0.7 Description An unrestricted file upload issue allows authenticated attackers to upload arbitrary PHP files. This is achieved by submitting malicious files through the profile pic parameter via POST request...

8.8CVSS6.4AI score0.0067EPSS
Exploits0References8
nvd
nvd
added 2026/06/17 1:21 p.m.10 views

CVE-2026-8607

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping...

6.4CVSS0.00269EPSS
Exploits0References8
euvd
euvd
added 2026/06/16 8:51 a.m.10 views

EUVD-2026-37043

A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot...

7.1CVSS5.3AI score0.0024EPSS
Exploits0References1
nvd
nvd
added 2026/06/16 6:16 a.m.17 views

CVE-2026-6933

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the...

8.8CVSS0.00607EPSS
Exploits0References7
cve
cve
added 2026/06/16 4:30 a.m.11 views

CVE-2026-10780

CVE-2026-10780 affects the WordPress Static Block plugin (versions up to 2.2). The vulnerability is an Insecure Direct Object Reference in the static_block_content() shortcode handler, which retrieves a post with get_post() using an attacker-controlled id and outputs its post_content without vali...

4.3CVSS5.5AI score0.00211EPSS
Exploits0References4
euvd
euvd
added 2026/06/15 9:30 p.m.10 views

EUVD-2026-36773

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

5.2AI score0.00282EPSS
Exploits0References2
snyk
snyk
added 2026/06/15 8:19 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the scraper process. An attacker can access internal network resources by supplying a crafted URL after authenticating. Remediation There is no fixed version for koillection/koillection. References -...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References2
nvd
nvd
added 2026/06/15 8:16 p.m.20 views

CVE-2026-50892

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request...

6.5CVSS0.00171EPSS
Exploits0References1
Rows per page
Query Builder