Lucene search
+L

62416 matches found

EUVD
EUVD
added 5 hours ago8 views

EUVD-2026-45405

QueryWeaver contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain valid session tokens for existing accounts by submitting a signup request with a known victim email address. The signup route unconditionally creates and links a new token to the matching...

8.8CVSS5.4AI score
Exploits0References4
CVE
CVE
added yesterday9 views

CVE-2026-16196

Affected product: Sipeed PicoClaw

6.5CVSS6.2AI score
Exploits0References8
NVD
NVD
added yesterday8 views

CVE-2026-16124

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/webshared.go of the component webfetch. Such manipulation leads to server-side request forgery. The attack can be launched remotel...

6.5CVSS
Exploits0References9
EUVD
EUVD
added yesterday9 views

EUVD-2026-45385

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/webshared.go of the component webfetch. Such manipulation leads to server-side request forgery. The attack can be launched remotel...

6.5CVSS6.1AI score
Exploits0References9
Cvelist
Cvelist
added yesterday17 views

CVE-2026-16124 nextlevelbuilder GoClaw web_fetch web_shared.go isPrivateIP server-side request forgery

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/webshared.go of the component webfetch. Such manipulation leads to server-side request forgery. The attack can be launched remotel...

6.5CVSS
Exploits0References9
CVE
CVE
added yesterday14 views

CVE-2026-16124

The CVE concerns nextlevelbuilder GoClaw (up to version 3.15.0-beta.32) where the CheckSSRF/isPrivateIP function in web_fetch/internal/tools/web_shared.go enables server-side request forgery. Remote exploitation is possible and the exploit has been publicly disclosed. A fix is available in versio...

6.5CVSS6.1AI score
Exploits0References9
Nuclei
Nuclei
added yesterday22 views

Web-Check < 2.0.1 Screenshot API - OS Command Injection

Lissy93/web-check contains a command injection caused by unsanitized user input in the screenshot API, letting attackers execute arbitrary system commands, exploit requires sending crafted url parameters. id: CVE-2025-32778 info: name: Web-Check 2.0.1 Screenshot API - OS Command Injection author:...

9.3CVSS5.6AI score0.19326EPSS
Exploits4References4
Nuclei
Nuclei
added yesterday71 views

Zitadel - User Registration Bypass

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the...

7.5CVSS7.4AI score0.02572EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday26 views

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

9.8CVSS5.3AI score0.02904EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday24 views

Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent DoS

Adminer = 5.4.1 contains a denial of service caused by lack of origin validation in version check endpoint, letting attackers trigger server errors via crafted POST requests, exploit requires no special privileges. id: CVE-2026-25892 info: name: Adminer 4.6.2 - 5.4.1 Unauthenticated Persistent Do...

7.5CVSS5.2AI score0.01586EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday68 views

NocoBase - SQL Injection

NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...

7.2CVSS5.6AI score0.01833EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday76 views

HashiCorp Consul/Consul Enterprise - Server-Side Request Forgery

HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11 are susceptible to server-side request forgery. When redirects are returned by HTTP health check endpoints, Consul follows these HTTP redirects by default. An attacker can possibly obtain sensitive information, modify data,...

7.5CVSS6.9AI score0.08676EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday125 views

reNgine 2.2.0 - Command Injection

reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/wafdetector/?url= string. The commands are executed as root via subprocess.checkoutput. id: CVE-2023-50094 info: name: reNgine 2.2.0 - Command Injection...

8.8CVSS8AI score0.1354EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday96 views

Powertek Firmware <3.30.30 - Authorization Bypass

Powertek firmware multiple brands before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface /cgi/getparam.cgi with the tmpToken cookie set to an...

9.8CVSS7.3AI score0.13425EPSS
Exploits1References5
CVE
CVE
added 2 days ago33 views

CVE-2026-45260

Pimcore WebDAV MOVE vulnerability (CVE-2026-45260) enables remote asset deletion/overwrite due to missing authentication in the WebDAV controller and Tree::move() path. The WebDAV endpoint at /asset/webdav{path} proceeds to mutate assets before validating the current user or permissions, and Asse...

8.1CVSS5.3AI score0.00427EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-48014 Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS0.00233EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago9 views

EUVD-2026-45241

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS5.3AI score0.00233EPSS
Exploits0References5
CVE
CVE
added 2 days ago34 views

CVE-2026-48016

Summary of findings (CVE-2026-48016) : The vulnerability in Shopware Store API allows an external Store API user, including guests, to trigger payments for another user’s order by supplying a foreign orderId to the endpoint /store-api/handle-payment. The root cause is that payment initiation/proc...

4.3CVSS5.3AI score0.00238EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-45239

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the Store API endpoint /store-api/handle-payment in src/Core/Checkout/Payment/SalesChannel/HandlePaymentMethodRoute.php accepts a user-controlled orderId and forwards it to src/Core/Checkout/Payment/PaymentProcessor.php witho...

4.3CVSS5.3AI score0.00238EPSS
Exploits0References5
NVD
NVD
added 2 days ago9 views

CVE-2026-54496

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad 5.0.0, halo2gadgets 0.5.0, orchard 0.14.0, zcashprimitives 0.28.0, and zcashd 6.20.0, the variable-base scalar multiplication gadget in halo2gadgets/src/ecc/chip/mul/incomplete.rs used assignadvice for the base point without a copy...

9.3CVSS0.00315EPSS
Exploits0References7
Rows per page
Query Builder