Lucene search
K

27900 matches found

CVE
CVE
added 16 hours ago7 views

CVE-2026-12103

CVE-2026-12103 affects the Wallet for WooCommerce WordPress plugin (

4.3CVSS6.2AI score
Exploits0References10
Nuclei
Nuclei
added 19 hours ago14 views

DataEase 2.10.4-2.10.7 - Remote Code Execution

DataEase prior to version 2.10.8 contains a remote code execution caused by insecure backend JDBC link handling, letting authenticated users execute arbitrary code, exploit requires user authentication. id: CVE-2025-32966 info: name: DataEase 2.10.4-2.10.7 - Remote Code Execution author: ChrisJr4...

9.8CVSS6.6AI score0.03925EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago28 views

LiteLLM - Arbitrary File Read

LiteLLM 1.83.0 contains a broken access control vulnerability caused by lack of admin role enforcement on /config/update endpoint, letting authenticated users modify configurations, execute code, read files, and take over accounts. id: CVE-2026-35029 info: name: LiteLLM - Arbitrary File Read...

8.8CVSS6.2AI score0.26409EPSS
Exploits2References3
Nuclei
Nuclei
added 19 hours ago37 views

Broadstreet WordPress plugin - Reflected XSS

Broadstreet WordPress plugin 1.51.8 contains a reflected XSS caused by unsanitised and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires victim interaction. id: CVE-2025-4652 info: name: Broadstreet WordPress plugin -...

6.1CVSS6.1AI score0.00468EPSS
Exploits1References1
Nuclei
Nuclei
added 19 hours ago45 views

Shield Security Plugin < 20.0.6 - Cross-Site Scripting

The Shield Security WordPress plugin before 20.0.6 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'navsub' parameter in the admin dashboard, allowing authenticated users to execute arbitrary JavaScript in the context of other...

6.1CVSS6.3AI score0.01444EPSS
Exploits3References3
Nuclei
Nuclei
added 19 hours ago103 views

MagnusBilling Alarm Module - Cross-Site Scripting

Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling Alarm Module modules allows authenticated stored cross-site scripting. This vulnerability is associated with program files protected/components/MagnusLog.Php.This issue affects MagnusBilling-...

7.6CVSS5.8AI score0.00888EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago53 views

WordPress Events Calendar <1.4.5 - Cross-Site Scripting

WordPress Events Calendar plugin before 1.4.5 contains multiple cross-site scripting vulnerabilities. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the...

6.1CVSS6.4AI score0.00891EPSS
Exploits2References2
EUVD
EUVD
added 19 hours ago7 views

EUVD-2026-43122

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

6.5CVSS6.1AI score
Exploits0References10
CVE
CVE
added 20 hours ago11 views

CVE-2026-13756

Technical details are not publicly available in the provided documents for CVE-2026-13756. Monitor for updates.

8.8CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added 21 hours ago190 views

Apache Druid - Local File Inclusion

Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of t...

6.5CVSS6.4AI score0.81038EPSS
Exploits3References5
NVD
NVD
added yesterday8 views

CVE-2026-55474

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, ActionlogController::displaySig concatenates the route filename parameter into a private upload-directory path without sanitization, allowing an authenticated attacker to traverse outside the intended directory and read arbitrary...

7.1CVSS
Exploits0References4
Cvelist
Cvelist
added yesterday32 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS
Exploits0References3
EUVD
EUVD
added yesterday6 views

EUVD-2026-42981

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added yesterday6 views

EUVD-2025-210453

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added yesterday7 views

EUVD-2025-210452

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.8CVSS6.6AI score
Exploits0References4
NVD
NVD
added yesterday6 views

CVE-2026-57961

phpMyFAQ before 4.1.5 contains a potential authenticated path traversal vulnerability in the concatenatePaths function within src/phpMyFAQ/Export/Pdf/Wrapper.php. A user with FAQ editing privileges can store HTML containing crafted image paths that are processed during PDF generation. The path...

5.1CVSS
Exploits0References2
CVE
CVE
added yesterday6 views

CVE-2026-57961

phpMyFAQ قبل 4.1.5 contains an authenticated path traversal in Export/Pdf/Wrapper.php (concatenatePaths). An FAQ editor can inject HTML that includes crafted image paths; the code uses strpos() to locate the substring “content” in a user-controlled path, and if “content” is absent the result beco...

5.1CVSS6.1AI score
Exploits0References2
Cvelist
Cvelist
added yesterday27 views

CVE-2026-56354 n8n - Cross-Site Scripting and Open Redirect in Form Node

n8n before 1.123.24, 2.10.4, and 2.12.0 across its 1.x and 2.x branches contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions...

5.1CVSS
Exploits0References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-42887

n8n before 1.123.24, 2.10.4, and 2.12.0 across its 1.x and 2.x branches contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions...

5.1CVSS6.1AI score
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-13010

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS0.00413EPSS
Exploits0References4
Rows per page
Query Builder