9653 matches found

Positive Technologies
added 2026/05/13 12:0 a.m., 5 views

PT-2026-40567

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get ticket content callback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view an...

CVSS 5.3, AI score 5.8, EPSS 0.00256
Exploits 0, References 6

Positive Technologies
added 2026/05/13 12:0 a.m., 5 views

PT-2026-40559

The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the create advertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create...

CVSS 4.3, AI score 5.8, EPSS 0.00158
Exploits 0, References 2

Positive Technologies
added 2026/05/13 12:0 a.m., 10 views

PT-2026-40586

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle ajax action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated...

CVSS 5.3, AI score 5.7, EPSS 0.00252
Exploits 0, References 4

Positive Technologies
added 2026/05/13 12:0 a.m., 9 views

PT-2026-40595

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save widget and reset all widgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with...

CVSS 4.3, AI score 5.8, EPSS 0.00204
Exploits 0, References 6

Positive Technologies
added 2026/05/13 12:0 a.m., 9 views

PT-2026-40611

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm invite user function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers, with Subscriber-lev...

CVSS 7.1, AI score 5.8, EPSS 0.00219
Exploits 0, References 4

NVD
added 2026/05/12 11:16 p.m., 16 views

CVE-2026-5371

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token and reset_experience functions in all versions up to, and including,...

CVSS 7.1, EPSS 0.00235
Exploits 0, References 4

ATTACKERKB
added 2026/05/12 10:24 p.m., 4 views

CVE-2026-5371

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token and reset_experience functions in all versions up to, and including,...

CVSS 7.1, AI score 5.8, EPSS 0.00235
Exploits 0, References 5

Vulnrichment
added 2026/05/12 10:24 p.m., 6 views

CVE-2026-5371 MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token and reset_experience functions in all versions up to, and including,...

CVSS 7.1, AI score 5.8, EPSS 0.00235
Exploits 0, References 4

CVE
added 2026/05/12 10:24 p.m., 24 views

CVE-2026-5371

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable through missing capability checks on get_ads_access_token() and reset_experience() in all versions up to 10.1.2. The issue allows authenticated attackers with Subscriber-lev...

CVSS 7.1, AI score 5.8, EPSS 0.00235
Exploits 0, References 4

Vulnrichment
added 2026/05/12 5:16 p.m., 6 views

CVE-2026-44166 Pocketbase: Account pre-hijacking via OAuth2 unverified->verified autolinking upgrade

Pocketbase is an open source web backend written in Go. Prior to 0.22.42 and 0.37.4, in some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When th...

CVSS 6.1, AI score 5.7, EPSS 0.0019
Exploits 1, References 1

EUVD
added 2026/05/12 9:31 a.m., 28 views

EUVD-2026-29399

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR),...

CVSS 5.3, AI score 5.9, EPSS 0.00228
Exploits 0, References 5

NVD
added 2026/05/12 9:16 a.m., 7 views

CVE-2026-6690

The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lpupdatemds AJAX action in all versions up to, and including, 2.2.2. This is due to the wpajaxnoprivlpupdatemds action being registered without nonce verification or capability checks,...

CVSS 7.2, EPSS 0.00236
Exploits 0, References 4

NVD
added 2026/05/12 9:16 a.m., 29 views

CVE-2026-5693

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR),...

CVSS 5.3, EPSS 0.00228
Exploits 0, References 4

ATTACKERKB
added 2026/05/12 7:48 a.m., 3 views

CVE-2026-5693

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saabcancelbooking function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR),...

CVSS 5.3, AI score 5.9, EPSS 0.00228
Exploits 0, References 5

Positive Technologies
added 2026/05/12 12:0 a.m., 18 views

PT-2026-39954

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab cancel booking function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR)...

CVSS 5.3, AI score 5.9, EPSS 0.00228
Exploits 0, References 5

Positive Technologies
added 2026/05/12 12:0 a.m., 7 views

PT-2026-40027

Name of the Vulnerable Software and Affected Versions: dovecot versions prior to 2.4.4-1.1. Description: An attacker can upload a malicious Sieve script via the 'ManageSieve' service or local access to bypass configured CPU time limits for Sieve by up to 130 times the limit. This can lead to degrade...

CVSS 9.1, AI score 5.7, EPSS 0.00351
Exploits 0, References 21

Positive Technologies
added 2026/05/12 12:0 a.m., 8 views

PT-2026-40465

Name of the Vulnerable Software and Affected Versions: MonsterInsights – Google Analytics Dashboard for WordPress versions prior to 10.1.3. Description: Missing capability checks in the get ads access token and reset experience functions allow authenticated attackers with Subscriber-level access or...

CVSS 7.1, AI score 5.8, EPSS 0.00235
Exploits 0, References 7

Packet Storm News
added 2026/05/12 12:0 a.m., 5 views

Behavioral Integrity Verification for AI Agent Skills

Agent skills extend LLM agents with privileged third-party capabilities such as filesystem access, credentials, network calls, and shell execution. Existing safety work catches malicious prompts and risky runtime actions, but the skill artifact itself goes unverified. We formalize this as the...

AI score 5.9
Exploits 0

Positive Technologies
added 2026/05/12 12:0 a.m., 9 views

PT-2026-44981

Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.26.0. Description: A heap-buffer-overflow write can be triggered in the server-side clipboard cliprdr channel. A malicious RDP client can cause this by sending a CB CLIP CAPS PDU with an insufficient...

CVSS 9, AI score 6.1, EPSS 0.0051
Exploits 1, References 15

CNNVD
added 2026/05/12 12:0 a.m., 7 views

WordPress plugin MonsterInsights – Google Analytics Dashboard for WordPress Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVSS 7.1, AI score 5.8, EPSS 0.00235
Exploits 0, References 1