Lucene search
K

244 matches found

OSV
OSV
added 2026/04/21 5:12 p.m.3 views

CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS6AI score0.00215EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/21 5:12 p.m.35 views

CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/04/21 5:12 p.m.15 views

CVE-2026-40588

The CVE-2026-40588 entry concerns blueprintUE: prior to version 4.2.0, its password change form at /profile/{slug}/edit/ lacks a current_password field and does not verify the existing password before applying a new one. If an attacker has a valid authenticated session (via XSS, session hijacking...

8.1CVSS5.8AI score0.00215EPSS
Exploits0References1
NVD
NVD
added 2026/04/17 1:17 a.m.8 views

CVE-2026-40262

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...

8.7CVSS0.00309EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/13 12:0 a.m.5 views

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

5.7AI score0.00138EPSS
Exploits0References2
CVE
CVE
added 2026/04/13 12:0 a.m.17 views

CVE-2025-70936

Vtiger CRM 8.4.0 is affected by a reflected XSS in the MailManager module, caused by improper handling of user-controlled input in the _folder parameter. The payload is reflected and executed in an authenticated user session, using a double URL-encoded input. The available connected sources confi...

5.4CVSS5.7AI score0.00138EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/13 12:0 a.m.23 views

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

0.00138EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.9 views

PT-2026-32520

Name of the Vulnerable Software and Affected Versions Vtiger CRM version 8.4.0 Description A reflected cross-site scripting XSS issue exists in the MailManager module, where XSS is a type of attack that injects malicious scripts into a trusted website. Improper handling of user-controlled input i...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/10 7:40 p.m.20 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the function parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of a backend user's session by...

4.1CVSS5.8AI score
Exploits0References2
NVD
NVD
added 2026/04/07 6:16 p.m.17 views

CVE-2026-39332

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting XSS vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu...

8.7CVSS0.00203EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/03 4:59 p.m.4 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References1
NVD
NVD
added 2026/04/02 2:16 p.m.6 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS0.00196EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/02 1:28 p.m.4 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/02 1:28 p.m.19 views

CVE-2026-2737

CVE-2026-2737 affects Progress Flowmon before versions 12.5.8 and 13.0.6. An administrator who clicks a malicious link within an authenticated Flowmon web session may trigger unintended actions. The available sources describe the affected product versions and the login-session impact but do not s...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/04/02 1:28 p.m.23 views

CVE-2026-2737 Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS0.00196EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.9 views

PT-2026-29737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/01 9:41 p.m.3 views

Directory Traversal

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Directory Traversal via the avatarurl parameter in the chat export and delete endpoints. An attacker can read or delete arbitrary files within the user data root by supplying directory...

8.8CVSS6.5AI score0.0057EPSS
Exploits1References2
NVD
NVD
added 2026/04/01 4:23 p.m.10 views

CVE-2026-4924

Improper authentication in the two-factor authentication 2FA feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session...

8.2CVSS0.00326EPSS
Exploits0References1
CVE
CVE
added 2026/03/25 11:40 p.m.15 views

CVE-2026-33933

OpenEMR CVE-2026-33933 affects versions 7.0.2.1 through 8.0.0.2 (up to but not including 8.0.0.3). A reflected XSS in the custom template editor arises from an unescaped contextName parameter, allowing an attacker to execute arbitrary JavaScript in an authenticated staff member’s browser session ...

6.1CVSS5.9AI score0.00271EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/23 7:56 p.m.4 views

GHSA-5353-F8FQ-65VC New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

Summary A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. Affected versions = v0.10.0 Description The POST /api/verify endpoint supports multiple secure verification...

4.9CVSS5.7AI score0.00289EPSS
Exploits0References2
Rows per page
Query Builder