Lucene search
K

265 matches found

NVD
NVD
added 4 days ago7 views

CVE-2026-55475

Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the createdby value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in...

5.7CVSS0.00195EPSS
Exploits0References4
NVD
NVD
added 4 days ago7 views

CVE-2026-55469

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS0.00378EPSS
Exploits0References3
CVE
CVE
added 4 days ago11 views

CVE-2026-55475

Snipe-IT prior to version 8.6.1 is vulnerable via the Importer API endpoint where a user with CSV import capabilities and a valid API key can overwrite the created_by value of an import file, enabling unauthorized modification of import ownership metadata. The issue is fixed in version 8.6.1. Thi...

5.7CVSS6.1AI score0.00195EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42993

The DataInjection plugin for GLPI 2.15.6 GLPI 11 builds concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, resulting in authenticated SQL injection. An authenticated user with access to the Data injection feature can embe...

7.1CVSS6.1AI score0.00314EPSS
Exploits0References4
CVE
CVE
added 4 days ago9 views

CVE-2026-11321

CVE-2026-11321 affects the GLPI DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds). The plugin concatenates user-supplied CSV field values directly into SQL queries during CSV import, without parameterization or escaping, enabling an authenticated user with access to the Data Injection feature...

7.1CVSS6.1AI score0.00314EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.12 views

PT-2026-51619

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.0 Description Improper access control in the CSV user import functionality allows a user with only the import permission to bypass user-edit authorization. By uploading a CSV file in update mode, an attacker can...

6.5CVSS5.9AI score0.00037EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/23 8:12 a.m.23 views

CVE-2026-9101

Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leading to "1-click" command execution...

5.3CVSS5.8AI score0.00411EPSS
Exploits0References1
NVD
NVD
added 2026/05/20 5:16 p.m.15 views

CVE-2026-9101

Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leading to "1-click" command execution...

5.3CVSS0.00411EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/20 4:18 p.m.11 views

EUVD-2026-31127

Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leading to "1-click" command execution...

5.3CVSS5.8AI score0.00411EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.15 views

PT-2026-42201

Prototype pollution in csv parsing logic during import can lead to untrusted file paths but not arguments entering shell.openExternal after specific user behavior leading to "1-click" command execution...

5.3CVSS5.8AI score0.00411EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/17 12:11 p.m.12 views

EUVD-2018-21849

Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the deleteexportfile AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename paramet...

8.7CVSS5.9AI score0.00613EPSS
Exploits0References3
Packet Storm
Packet Storm
added 2026/05/08 12:0 a.m.89 views

📄 WordPress CatFolders 2.5.2 SQL Injection

WordPress CatFolders plugin versions 2.5.2 and below suffer from a remote SQL injection vulnerability. CVE-2025-9776: Authenticated SQL Injection in CatFolders WordPress Plugin Keywords: CVE-2025-9776, CatFolders WordPress vulnerability, SQL injection WordPress, authenticated SQL injection,...

6.5CVSS5.9AI score0.00347EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.7 views

CVE-2026-7641

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

8.8CVSS5.7AI score0.00665EPSS
Exploits0References1
NVD
NVD
added 2026/05/02 5:16 a.m.7 views

CVE-2026-7641

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

8.8CVSS0.00665EPSS
Exploits0References14
EUVD
EUVD
added 2026/05/02 4:27 a.m.7 views

EUVD-2026-26740

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

8.8CVSS5.7AI score0.00665EPSS
Exploits0References14
CVE
CVE
added 2026/05/02 4:27 a.m.25 views

CVE-2026-7641

The WordPress plugin Import and export users and customers (versions ≤ 2.0.8) is vulnerable to Privilege Escalation. The root cause is an incomplete blocklist for multisite capability meta keys: primary-site keys (e.g., wp_capabilities, wp_user_level) are blocked, but multisite keys (e.g., wp_2_c...

8.8CVSS5.7AI score0.00665EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.5 views

PT-2026-36572

Name of the Vulnerable Software and Affected Versions Import and export users and customers plugin for WordPress versions prior to 2.0.9 Description An issue exists in the save extra user profile fields function where an incomplete blocklist fails to restrict capability meta keys for subsites in ...

8.8CVSS5.8AI score0.00665EPSS
Exploits0References20
Tenable Nessus
Tenable Nessus
added 2026/04/13 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-1403

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ubuntu Linux - Unknown description CVE-2026-1403 Note that Nessus relies on the presence of the package as reported by the vendor. %NASLMINLEVEL 80900 C Tenable...

5.8AI score
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/04/10 12:0 a.m.8 views

FreeBSD : Gitlab -- vulnerabilities (099d4998-33cc-11f1-a7d1-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 099d4998-33cc-11f1-a7d1-2cf05da270f3 advisory. Gitlab reports: Exposed Method issue in websocket connections impacts GitLab CE/EE Denial of...

8.5CVSS7.3AI score0.00577EPSS
Exploits0References14
FreeBSD
FreeBSD
added 2026/04/08 12:0 a.m.10 views

Gitlab -- vulnerabilities

Gitlab reports: Exposed Method issue in websocket connections impacts GitLab CE/EE Denial of Service issue in Terraform state lock API impacts GitLab CE/EE Denial of Service issue in GraphQL API impacts GitLab CE/EE Denial of Service issue in CSV import impacts GitLab CE/EE Denial of Service issu...

8.5CVSS5.9AI score0.00577EPSS
Exploits0References1
Rows per page
Query Builder