Lucene search
+L

86 matches found

NVD
NVD
added yesterday6 views

CVE-2026-15094

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

6.1CVSS0.00215EPSS
Exploits0References6
EUVD
EUVD
added yesterday9 views

EUVD-2026-45143

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

6.1CVSS6.2AI score0.00215EPSS
Exploits0References6
Cvelist
Cvelist
added yesterday30 views

CVE-2026-15094 WP Hotel Booking <= 2.3.2 - Reflected Cross-Site Scripting via 'check_in_date' Parameter

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

6.1CVSS0.00215EPSS
Exploits0References6
CVE
CVE
added yesterday12 views

CVE-2026-15094

WP Hotel Booking for WordPress, version up to 2.3.2, is vulnerable to Reflected Cross-Site Scripting via the check_in_date parameter. The root cause is insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into pages executed when ...

6.1CVSS6.2AI score0.00215EPSS
Exploits0References6
NVD
NVD
added 2026/07/10 4:17 a.m.6 views

CVE-2026-11392

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS0.00254EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/10 3:31 a.m.38 views

CVE-2026-11392 WP Hotel Booking <= 2.3.1 - Reflected Cross-Site Scripting via 'check_in_date' and 'check_out_date' Parameters

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS0.00254EPSS
Exploits0References9
CVE
CVE
added 2026/07/08 12:0 a.m.15 views

CVE-2026-50813

CVE-2026-50813 concerns SQLite, with the issue arising before Fossil check-in 869a51ae84df. The vulnerability permits a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path. The available documents do not specify the exact affected versi...

6.1CVSS6AI score0.00111EPSS
Exploits0References3
NVD
NVD
added 2026/06/29 6:16 p.m.19 views

CVE-2026-57960

Hi.Events through 1.9.0 public check-in list endpoints use shortid as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the shortid can call GET /api/public/check-in-lists/shortid/attendees t...

8.3CVSS0.00339EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/29 5:24 p.m.8 views

CVE-2026-57960 Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id

Hi.Events through 1.9.0 public check-in list endpoints use shortid as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the shortid can call GET /api/public/check-in-lists/shortid/attendees t...

8.3CVSS5.8AI score0.00339EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/29 5:24 p.m.8 views

EUVD-2026-40145

Hi.Events through 1.9.0 public check-in list endpoints use shortid as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the shortid can call GET /api/public/check-in-lists/shortid/attendees t...

8.3CVSS5.8AI score0.00339EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 5:24 p.m.37 views

CVE-2026-57960 Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id

Hi.Events through 1.9.0 public check-in list endpoints use shortid as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the shortid can call GET /api/public/check-in-lists/shortid/attendees t...

8.3CVSS0.00339EPSS
Exploits0References3
CVE
CVE
added 2026/06/29 5:24 p.m.32 views

CVE-2026-57960

Hi.Events

8.3CVSS5.8AI score0.00339EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.13 views

CVE-2026-5600

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS5.5AI score0.00255EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/08 3:31 p.m.4 views

EUVD-2026-20463

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS5.9AI score0.00255EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 3:31 p.m.6 views

pretix: API leaks check-in data between events of the same organizer

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS5.9AI score0.00255EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/08 3:31 p.m.37 views

GHSA-WR8Q-C73G-M7GP pretix: API leaks check-in data between events of the same organizer

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS5.9AI score0.00255EPSS
Exploits0References4
PyPA
PyPA
added 2026/04/08 1:16 p.m.10 views

PYSEC-2026-111

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS5.8AI score0.00255EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/04/08 1:16 p.m.5 views

CVE-2026-5600

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

5.5CVSS0.00255EPSS
Exploits0References1
OSV
OSV
added 2026/04/08 1:16 p.m.7 views

PYSEC-2026-111

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

4.3CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 1:10 p.m.5 views

Improper Isolation or Compartmentalization

Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the check-in events endpoint. An attacker can access sensitive information related to all check-in events under the same organizer,...

8CVSS5.8AI score0.00255EPSS
Exploits0References2
Rows per page
Query Builder