Lucene search
K

151 matches found

EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-5793

Malicious code in bioql PyPI...

9.8CVSS9.3AI score0.01604EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.12 views

EUVD-2025-25832

Malicious code in bioql PyPI...

9.8CVSS6.6AI score0.00491EPSS
Exploits0References1
Wolfi
Wolfi
added 2025/09/24 8:47 p.m.11 views

GHSA-8PJC-487G-W6P2 vulnerabilities

Vulnerabilities for packages: nri-f5, wgcf, aws-eks-pod-identity-agent, nri-rabbitmq, kubernetes-csi-node-driver-registrar, kube-logging-operator, flux-operator, nodetaint, witness, helm-operator, chartmuseum, tekton-chains, zot, mongo-tools, swagger, conftest, helm-set-status, karpenter,...

6.1AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/08/30 6:18 p.m.9 views

CVE-2025-41702

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key...

9.8CVSS7.1AI score0.00491EPSS
Exploits0References1
NVD
NVD
added 2025/08/26 6:15 a.m.23 views

CVE-2025-41702

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key...

9.8CVSS0.00491EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/08/26 6:10 a.m.5 views

CVE-2025-41702 egOS WebGUI Hard-Coded JWT Secret Enables Authentication Bypass

The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key...

9.8CVSS7.4AI score0.00491EPSS
Exploits0References1
CVE
CVE
added 2025/08/26 6:10 a.m.19 views

CVE-2025-41702

The CVE-2025-41702 entry concerns hard-coded JWT signing key in the egOS WebGUI backend, enabling an unauthenticated remote attacker to forge valid HS256 tokens and bypass authentication/authorization. Affected software includes egOS WebGUI-based gateways (examples cited: Welotec EG400Mk2/EG500Mk...

9.8CVSS6.8AI score0.00491EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/08/25 12:0 a.m.8 views

PT-2025-34744

Name of the Vulnerable Software and Affected Versions: egOS WebGUI affected versions not specified Description: The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass...

9.8CVSS6.5AI score0.00491EPSS
Exploits0References13
RedhatCVE
RedhatCVE
added 2025/05/23 4:59 a.m.7 views

CVE-2023-51982

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and Local In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI...

9.8CVSS7.2AI score0.00731EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/22 4:31 a.m.9 views

CVE-2019-14656

Yealink phones through 2019-08-04 do not properly check user roles in POST requests. Consequently, the default User account with a password of user can make admin requests via HTTP...

9CVSS7.1AI score0.01984EPSS
Exploits1References1
OSV
OSV
added 2025/04/26 6:15 a.m.5 views

CVE-2025-2907

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modi...

9.8CVSS5.6AI score0.01286EPSS
Exploits2References1
CVE
CVE
added 2025/02/27 11:22 p.m.61 views

CVE-2025-1682

CVE-2025-1682 concerns the WordPress Cardealer theme (versions <= 1.6.4). The root cause is a missing capability check in the save_settings function, enabling an authenticated user with subscriber-level access or higher to perform an Arbitrary Theme Option Update and escalate privileges by cha...

8.8CVSS8.7AI score0.00531EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/01/31 12:0 a.m.16 views

PT-2025-3441 · Unknown · Macrozheng Mall-Tiny

Name of the Vulnerable Software and Affected Versions: Macrozheng Mall-Tiny version 1.0.1 Description: The issue is related to incorrect access control. By default, the project imports users, and a test user is granted super administrator privileges. Recommendations: For Macrozheng Mall-Tiny...

8.8CVSS6.8AI score0.00442EPSS
Exploits1References5
CVE
CVE
added 2024/12/12 12:35 p.m.56 views

CVE-2024-28142

The CVE-2024-28142 entry describes stored cross-site scripting via improper input sanitization on the Image Access Scan2Net (and related lines) File Name input on the User Settings page (/cgi/uset.cgi?-cfilename). The root cause is inadequate filtering of the file name and wildcard character inpu...

4.7CVSS6.7AI score0.00452EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2024/12/12 12:0 a.m.5 views

PT-2024-22292 · Image Access Gmbh · Scan2Net

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue is due to missing input sanitization, allowing an attacker to perform cross-site-scripting attacks and run arbitrary Javascript in the browser...

4.7CVSS6.7AI score0.00452EPSS
Exploits0References6
SUSE CVE
SUSE CVE
added 2024/11/02 4:3 a.m.5 views

SUSE CVE-2024-7594

Vault's SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault's SSH secrets engine could be used to...

8.8CVSS7.9AI score0.00269EPSS
Exploits0References5
Cvelist
Cvelist
added 2024/10/17 2:6 a.m.23 views

CVE-2024-9863 Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an...

9.8CVSS0.00581EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/10/17 2:6 a.m.19 views

CVE-2024-9863 Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an administrator user even if the...

9.8CVSS9.6AI score0.00581EPSS
Exploits0References3
CVE
CVE
added 2024/10/16 8:43 a.m.48 views

CVE-2024-9858

CVE-2024-9858 affects Google Cloud Migrate to Containers for Windows (versions 1.1.0–1.2.2). The root cause is an insecure default local user, m2cuser, created with administrator privileges. If the analyze or generate workflow is interrupted or the local user is not deleted, this user could be ex...

7.8CVSS7.5AI score0.00073EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2024/10/16 12:0 a.m.6 views

PT-2024-39895 · WordPress · Userpro

Name of the Vulnerable Software and Affected Versions: UserPro plugin for WordPress versions up to, and including, 3.6.0 Description: The issue is related to privilege escalation due to the insecure 'administrator' default value for the default user role option. This allows unauthenticated...

9.8CVSS7.6AI score0.00581EPSS
Exploits0References10
Rows per page
Query Builder