Lucene search
K

262 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/02 5:35 a.m.5 views

CVE-2026-14249

The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emddeletefile AJAX action. This is due to the emddeletefile handler deriving a PHP function name from the attacker-controlled $POST'path' parameter and invoking it dynamically...

7.5CVSS6AI score0.00333EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.11 views

PT-2026-54640

Name of the Vulnerable Software and Affected Versions Request a Quote versions prior to 2.5.6 Description The Request a Quote plugin for WordPress allows unauthenticated attackers to perform code injection. The issue occurs because the emd delete file function derives a PHP function name from the...

7.5CVSS6.1AI score0.00333EPSS
Exploits0References12
EUVD
EUVD
added 2026/07/01 3:43 a.m.8 views

EUVD-2026-40897

The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emddeletefile AJAX handler in includes/common-functions.php. The user-supplied value is passed through...

7.5CVSS5.9AI score0.00319EPSS
Exploits0References5
NVD
NVD
added 2026/06/24 6:17 p.m.9 views

CVE-2026-55611

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow...

0.00236EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 1:20 p.m.12 views

CVE-2026-48929

Rocket.Chat in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket...

7.5CVSS0.00723EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 11:8 p.m.26 views

CVE-2026-48929

Rocket.Chat versions older than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 are vulnerable to unauthenticated file deletion through the deleteFileMessage Meteor method. When called over an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, bypassing the auth...

7.5CVSS7.3AI score0.00723EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.24 views

PT-2026-50131

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 8.5.1 Rocket.Chat versions prior to 8.4.4 Rocket.Chat versions prior to 8.3.6 Rocket.Chat versions prior to 8.2.6 Rocket.Chat versions prior to 8.1.6 Rocket.Chat versions prior to 8.0.7 Rocket.Chat versions prior ...

7.5CVSS7.2AI score0.00723EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.11 views

CVE-2026-45230

DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit th...

9.1CVSS5.7AI score0.00626EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:9 p.m.13 views

CVE-2026-35077

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

8.1CVSS5.6AI score0.0037EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/03 10:39 a.m.7 views

CVE-2026-35077

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

8.1CVSS6AI score0.0037EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/03 10:39 a.m.40 views

CVE-2026-35077 Arbitrary file delete vulnerability in method ugw-delete-file

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

8.1CVSS0.0037EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/03 10:39 a.m.12 views

EUVD-2026-34073

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

8.1CVSS6AI score0.0037EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/03 10:39 a.m.8 views

CVE-2026-35077 Arbitrary file delete vulnerability in method ugw-delete-file

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

8.1CVSS6AI score0.0037EPSS
Exploits0References1
CVE
CVE
added 2026/06/03 10:39 a.m.20 views

CVE-2026-35077

Technical details such as affected product versions, root cause specifics, and remediation are not publicly available in the provided documents. Monitor for updates from CERT VDE and CVE listings.

8.1CVSS6AI score0.0037EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/03 12:0 a.m.18 views

PT-2026-45918

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files. This occurs because the system does not sufficiently...

8.1CVSS6AI score0.0037EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/01 5:0 a.m.43 views

CVE-2026-10226 raisulislamg4 student_management_system_by_php delete.php sql injection

A flaw has been found in raisulislamg4 studentmanagementsystembyphp up to 310d950e09013d5133c6b9210aff9444382d16d1. Impacted is an unknown function of the file delete.php. Executing a manipulation of the argument userid/courseid/teacherid/studentid/applicationid can lead to sql injection. The...

7.5CVSS0.00263EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/28 6:45 a.m.15 views

EUVD-2026-32736

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the processbulkaction function, the...

8.1CVSS6AI score0.00248EPSS
Exploits0References10
EUVD
EUVD
added 2026/05/22 12:31 a.m.12 views

EUVD-2026-31361

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

2.3CVSS5.8AI score0.00116EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/21 9:17 p.m.7 views

CVE-2026-7882

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

2.3CVSS5.8AI score0.00116EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.18 views

PT-2026-42555

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description An inverted CSRF token check in the DeleteFile controller allows unauthorized file deletion. The system incorrectly throws an error when the token is valid and proceeds with the deletion process...

2.3CVSS5.8AI score0.00116EPSS
Exploits0References4
Rows per page
Query Builder