Lucene search
K

30 matches found

EUVD
EUVD
added yesterday6 views

EUVD-2026-43288

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS6.2AI score0.0014EPSS
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-12273

The CVE-2026-12273 entry concerns Tutor LMS for WordPress (MITRE CVE-2026-12273). Affected component: Tutor LMS WordPress plugin prior to version 3.9.13. Description details a lack of authorization checks and post-target validation in a comment-creation handler, resulting in pre-approved comments...

4.3CVSS6.2AI score0.0014EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/21 10:14 p.m.3 views

CVE-2026-40928 AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2
CVE
CVE
added 2026/04/21 10:14 p.m.17 views

CVE-2026-40928

WWBN AVideo (versions ≤ 29.0) exposes state-changing JSON endpoints under objects/ without CSRF protection or origin/referer checks. A logged-in user can be coerced to perform actions via attacker-controlled HTML: like/dislike comments (objects/comments_like.json.php), post comments with attacker...

5.4CVSS5.7AI score0.00115EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/14 11:12 p.m.9 views

WWBN AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion

Summary Multiple AVideo JSON endpoints under objects/ accept state-changing requests via $REQUEST/$GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently: 1. Cast/flip the...

5.4CVSS5.9AI score0.00115EPSS
Exploits1References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.8 views

CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

6.9CVSS5.7AI score0.00305EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.9 views

CVE-2026-29079

Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting th...

8.2CVSS5.8AI score0.00263EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/23 8:48 p.m.6 views

CVE-2026-23488

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

6.9CVSS5.7AI score0.00305EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/03/23 8:48 p.m.13 views

EUVD-2026-14544

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

6.9CVSS5.7AI score0.00305EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/23 8:48 p.m.4 views

CVE-2026-23488 Blinko: multiple interfaces in the comment feature allow unauthorized access

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

6.9CVSS5.7AI score0.00305EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/23 8:48 p.m.28 views

CVE-2026-23488 Blinko: multiple interfaces in the comment feature allow unauthorized access

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

6.9CVSS0.00305EPSS
Exploits0References4
CVE
CVE
added 2026/03/23 8:48 p.m.24 views

CVE-2026-23488

Blinko is affected prior to version 1.8.4. The /api/v1/comment/create endpoint allows unauthorized posting of comments to any note (including private ones), and /api/v1/comment/list allows unauthorized viewing of comments on all notes. The issue is fixed in version 1.8.4. CVSS v4.0 base score 6.9...

6.9CVSS5.7AI score0.00305EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/23 12:0 a.m.15 views

PT-2026-27216

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the /api/v1/comment/create endpoint has an unauthorized access vulnerability, allowing attackers to post comments on any note including private notes without authorization, even if the note has not been publicly shared. The...

6.9CVSS5.7AI score0.00305EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.8 views

Blinko 安全漏洞

Blinko is an open-source AI-based card-based note-taking application designed for users who want to quickly capture and organize fleeting ideas. Versions of Blinko prior to 1.8.4 contained security vulnerabilities. These vulnerabilities stemmed from unauthorized access to the/api/v1/comment/creat...

6.9CVSS5.8AI score0.00305EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/13 5:19 p.m.4 views

CVE-2026-29079

Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting th...

8.2CVSS5.8AI score0.00263EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2025/12/17 12:0 a.m.4 views

TMS 代码注入漏洞

TMS is a channel-based team communication and collaboration + lightweight task dashboard by weicheng individual developers. A code injection vulnerability exists in TMS 2.28.0 and earlier versions, which stems from the incorrect operation of the parameter content in the file...

4.8CVSS4.2AI score0.00235EPSS
Exploits1References4
CNNVD
CNNVD
added 2025/11/19 12:0 a.m.6 views

Rallly 安全漏洞

Rallly is a scheduling and collaboration tool from Luke Vella Individual Developer designed to make it easier to organize events and meetings. A security vulnerability exists in Rallly versions prior to 4.5.4 that stems from an authorization flaw in the comment creation feature that could lead to...

6.5CVSS6.5AI score0.00226EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2020-0413

Malware in sbrugna...

6.3CVSS5.5AI score0.00782EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-25344

Malicious code in bioql PyPI...

5.3CVSS5.7AI score0.00483EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 5:23 p.m.4 views

CVE-2020-11055

In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the...

6.3CVSS5.3AI score0.00782EPSS
Exploits0References1
Rows per page
Query Builder