Lucene search
K

5118 matches found

CVE
CVE
added yesterday6 views

CVE-2026-58408

ChurchCRM prior to version 7.4.0 exposes a CSV export endpoint that leaks full PII of every Person/Family. The POST /CSVCreateFile.php export is gated only by a coarse admin permission check and lacks a dedicated isAdmin/owner authorization, allowing any user with non-admin flags to trigger a bul...

6.5CVSS6.1AI score
Exploits0References1
Cvelist
Cvelist
added yesterday10 views

CVE-2026-14846 Incorrect neutralisation in the PrestaShop firmware

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the...

4.5CVSS0.0033EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday48 views

Active Directory Integration WP Plugin < 4.1.10 - Log Disclosure

The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so. id:...

7.5CVSS7AI score0.25855EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday36 views

Brother MFC-L9570CDW - Information Disclosure

An unauthenticated attacker who can access either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631, can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mntinfo.csv can be accessed via a GET request and no...

5.3CVSS7AI score0.7656EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday111 views

Directorist < 7.5.4 - Local File Inclusion

Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files. id: CVE-2023-2252 info: name: Directorist 7.5.4 - Local File Inclusion author: r3Y3r53 severity: low description: | Directorist before 7.5.4 is susceptible to Local...

2.7CVSS6.6AI score0.01342EPSS
Exploits2References3
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-43129

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...

8.8CVSS6.3AI score0.00606EPSS
Exploits0References6
CVE
CVE
added 3 days ago9 views

CVE-2026-13353

CVE-2026-13353 affects the WP Ultimate CSV Importer (WordPress plugin) up to version 8.0.1. The root cause is missing capability checks on AJAX handlers (install_addon, saveMappedFields, StartImport) and exposure of the plugin nonce to any authenticated admin page, which enables a Subscriber+ to ...

8.8CVSS6.3AI score0.00606EPSS
Exploits0References6
Cvelist
Cvelist
added 3 days ago30 views

CVE-2026-13353 WP Ultimate CSV Importer <= 8.0.1 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution via 'MappedFields' Parameter

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...

8.8CVSS0.00606EPSS
Exploits0References6
NVD
NVD
added 4 days ago7 views

CVE-2026-55469

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS0.00378EPSS
Exploits0References3
NVD
NVD
added 4 days ago7 views

CVE-2026-55475

Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the createdby value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in...

5.7CVSS0.00195EPSS
Exploits0References4
NVD
NVD
added 4 days ago6 views

CVE-2026-55452

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...

4.8CVSS0.00269EPSS
Exploits0References3
CVE
CVE
added 4 days ago11 views

CVE-2026-55475

Snipe-IT prior to version 8.6.1 is vulnerable via the Importer API endpoint where a user with CSV import capabilities and a valid API key can overwrite the created_by value of an import file, enabling unauthorized modification of import ownership metadata. The issue is fixed in version 8.6.1. Thi...

5.7CVSS6.1AI score0.00195EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...

4.8CVSS0.00269EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42993

The DataInjection plugin for GLPI 2.15.6 GLPI 11 builds concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embe...

7.1CVSS6.1AI score0.00314EPSS
Exploits0References4
CVE
CVE
added 4 days ago9 views

CVE-2026-11321

CVE-2026-11321 affects the GLPI DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds). The plugin concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, enabling an authenticated user with access to the Data Injection feature...

7.1CVSS6.1AI score0.00314EPSS
Exploits0References4
CVE
CVE
added 5 days ago8 views

CVE-2026-7558

CVE-2026-7558 affects the WordPress plugin Age Verification & Identity Verification by Token of Trust (

5.3CVSS5.8AI score0.00262EPSS
Exploits0References8
Mageia
Mageia
added 6 days ago4 views

Updated vips packages fix security vulnerabilities

This update fixes several security issues: A flaw has been found in libvips up to 8.18.0. The affected element is the function vipsforeignloadmatrixfileisa/vipsforeignloadmatrixheader of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack need...

7.8CVSS5.6AI score0.00209EPSS
Exploits3References2
NVD
NVD
added 6 days ago8 views

CVE-2026-57439

CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts proto as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript in...

5CVSS0.00094EPSS
Exploits0References5
NVD
NVD
added 6 days ago7 views

CVE-2026-15062

SQL injection vulnerabilities in the Snowflake Snowpark Python SDK snowpark-python versions prior to 1.53.0 could allow authenticated low-privilege users to execute SQL beyond their authorization scope. An attacker could exploit these vulnerabilities by embedding SQL payloads in source database...

9.6CVSS0.00279EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-57439 CyberChef: Prototype pollution in Series Chart operation

CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts proto as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript in...

5CVSS0.00094EPSS
Exploits0References5
Rows per page
Query Builder