Lucene search
K

12484 matches found

CVE
CVE
added yesterday7 views

CVE-2026-10103

Mattermost versions affected: 11.7.x (up to 11.7.2), 11.6.x (up to 11.6.4), and 10.11.x (up to 10.11.19) have a flaw in the shared channel inbound sync handler that fails to verify post ownership. This allows an authenticated remote cluster to modify or delete posts authored by local users or oth...

4.3CVSS6.2AI score0.00145EPSS
Exploits0References1Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in ishowfeet17 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8a7da1cae4bcc5f4805bed7bd781b9e27de67b2264f6ba7740c8730369c9405 The tarball ships auto-publish.sh, a script that republishes the same payload under 100 distinct npm names ishowfeet1-ishowfeet20, nottuff1-nottuff30...

6.2AI score
Exploits0References4
Nuclei
Nuclei
added yesterday105 views

OpenAPI Generator <= 7.5.0 - Arbitrary File Read/Delete

OpenAPI Generator versions 7.5.0 and below are prone to an Arbitrary File Read/Delete vulnerability. Attackers can exploit this vulnerability to read and delete files and folders from an arbitrary, writable directory. id: CVE-2024-35219 info: name: OpenAPI Generator = 7.5.0 - Arbitrary File...

8.3CVSS7AI score0.03592EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday66 views

Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete

Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request. id: CVE-2021-46424 info: name: Telesquare TLR-2005KSH 1.0.0 - Arbitrary File Delete author: gy741 severity:...

9.4CVSS7.2AI score0.36834EPSS
Exploits3References5
NVD
NVD
added 2 days ago7 views

CVE-2026-56313

Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.updatesettings permission and an active SSO provider can call...

8.1CVSS0.00276EPSS
Exploits0References2
CVE
CVE
added 2 days ago13 views

CVE-2026-61874

CVE-2026-61874 affects filebrowser before 2.63.17. The root cause is improper path normalization in DeleteWithPathPrefix, allowing an authenticated user to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path and then recreate the same directory to...

3.1CVSS6.1AI score0.00198EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-61874 filebrowser before 2.63.17 Stale Public Share via Trailing-Slash Delete

filebrowser versions before 2.63.17 fail to normalize paths before querying the share index in DeleteWithPathPrefix, allowing authenticated users to leave stale public shares behind. Attackers can delete a shared directory using a trailing-slash path, then recreate the same directory to expose ne...

3.1CVSS0.00198EPSS
Exploits0References3
CVE
CVE
added 2 days ago14 views

CVE-2026-56313

Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint. Attackers with org.update_settings permission and an active SSO provider can call the prelink-users endpoint to permanently remove email-based authentication for any user matching the...

8.1CVSS6.1AI score0.00276EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-43231

Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.updatesettings permission and an active SSO provider can call...

8.1CVSS6.1AI score0.00276EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-43224

Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted superadmin users retain access to deletenoncompliantbundles and countnoncompliantbundles RPCs due to stale orgusers.userright column not being cleared during role binding deletion. Attackers can exploit this by...

8.3CVSS6.1AI score0.00211EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago36 views

CVE-2026-61442 PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS0.00256EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-10041

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS0.0025EPSS
Exploits0References12
Cvelist
Cvelist
added 3 days ago35 views

CVE-2026-10041 WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Vendor Data Manipulation via Multiple AJAX Handlers

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS0.0025EPSS
Exploits0References12
NVD
NVD
added 3 days ago7 views

CVE-2026-6803

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...

5.3CVSS0.00297EPSS
Exploits0References12
NVD
NVD
added 3 days ago7 views

CVE-2026-7559

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00304EPSS
Exploits0References12
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43141

The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all...

5.3CVSS6.1AI score0.00273EPSS
Exploits0References8
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43140

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS6.1AI score0.00304EPSS
Exploits0References12
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-7559 Affilia <= 3.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Status Modification

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00304EPSS
Exploits0References12
CVE
CVE
added 3 days ago10 views

CVE-2026-7559

Technical details beyond what is in the Initial Description are not publicly provided in the connected documents. Monitor for updates to affected versions, remediation status, and exploit information.

4.3CVSS6.1AI score0.00304EPSS
Exploits0References12
NVD
NVD
added 4 days ago5 views

CVE-2026-55515

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS0.00248EPSS
Exploits0References3
Rows per page
Query Builder