Lucene search
K

692 matches found

Nuclei
Nuclei
added 7 hours ago11 views

ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...

9.8CVSS7.1AI score0.04304EPSS
Exploits1References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-43305

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token...

6.5CVSS6.1AI score0.00188EPSS
Exploits0References2
NVD
NVD
added yesterday5 views

CVE-2026-9597

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4 fail to verify whether a guest account is deactivated before creating a session in the magic-link token login path, which allows a deactivated guest user to obtain a fully functional session via a magic-link token issued prior to deactivation...

5.4CVSS0.00138EPSS
Exploits0References1
NVD
NVD
added yesterday4 views

CVE-2026-9571

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to invalidate OAuth refresh tokens upon user account deactivation, which allows a deactivated user or an attacker in possession of a valid refresh token to obtain new functional access tokens via the OAuth refresh token...

6.5CVSS0.00188EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-59226 Open WebUI: Scheduled automations continue after pending-user deactivation and stored model ACL revocation

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.0 before 0.10.0, executeautomation rehydrated automation owners without rechecking that they were still active or still had features.automations, and checkmodelaccess only enforced private-model grants...

3.1CVSS0.00303EPSS
Exploits0References4
CVE
CVE
added 5 days ago6 views

CVE-2026-59226

Open WebUI vulnerability CVE-2026-59226 affects versions prior to 0.10.0 of the Open WebUI platform. The issue stems from execute_automation rehydrating automation owners without rechecking that they were still active or had features.automations, and from check_model_access only enforcing private...

4.3CVSS6AI score0.00303EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42496

In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's...

8.1CVSS6AI score0.00276EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56961

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through = 2.5.1...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago12 views

PT-2026-56944

Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through = 1.2.0...

5.3CVSS6.1AI score0.00285EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago8 views

PT-2026-56947

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Edge-Themes Aalto aalto allows PHP Local File Inclusion.This issue affects Aalto: from n/a through = 1.8...

7.5CVSS6.1AI score0.00496EPSS
Exploits0References3
NVD
NVD
added 6 days ago8 views

CVE-2026-35552

In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's...

8.1CVSS0.00276EPSS
Exploits0References2
CVE
CVE
added 6 days ago7 views

CVE-2026-35552

The CVE covers CAXperts UPVWebServices (versions 2.4.2212.603–2.7.6) and UDiTH Portal (2026.0.0–2026.2.0). An authenticated remote user can call an administrative API endpoint intended for privileged users because authorization checks are missing, enabling the attacker to deactivate the applicati...

8.1CVSS6AI score0.00276EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago5 views

PT-2026-56621

Name of the Vulnerable Software and Affected Versions CAXperts UPVWebServices versions 2.4.2212.603 through 2.7.6 UDiTH Portal versions 2026.0.0 through 2026.2.0 Description An authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing...

8.1CVSS6.1AI score0.00276EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago29 views

CVE-2026-35552

In CAXperts UPVWebServices 2.4.2212.603 through 2.7.6 and UDiTH Portal 2026.0.0 through 2026.2.0, an authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing authorization checks, this allows the attacker to deactivate the application's...

0.00276EPSS
Exploits0References2
NVD
NVD
added 2026/07/03 2:16 a.m.8 views

CVE-2026-12729

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the domigration function registered as the wedocsmigratebetterdocstowedocs...

4.3CVSS0.00213EPSS
Exploits0References6
CVE
CVE
added 2026/07/03 1:28 a.m.14 views

CVE-2026-12729

The CVE concerns the weDocs: AI Powered Knowledge Base WordPress plugin up to version 2.3.0, where the do_migration() function is exposed via the wedocs_migrate_betterdocs_to_wedocs AJAX action without nonce verification (check_ajax_referer) and without a current_user_can capability check. This a...

4.3CVSS5.6AI score0.00213EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/03 1:28 a.m.11 views

EUVD-2026-41468

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the domigration function registered as the wedocsmigratebetterdocstowedocs...

4.3CVSS5.6AI score0.00213EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.17 views

PT-2026-55440

Name of the Vulnerable Software and Affected Versions weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot versions prior to 2.3.1 Description The plugin contains a missing authorization flaw. The do migration function, registered as the wedocs migrate betterdocs to wedocs AJ...

4.3CVSS5.9AI score0.00213EPSS
Exploits0References10
NVD
NVD
added 2026/06/24 9:16 p.m.8 views

CVE-2026-49277

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...

2.3CVSS0.00215EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:4 p.m.22 views

CVE-2026-49277 Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...

2.3CVSS0.00215EPSS
Exploits0References1
Rows per page
Query Builder