Lucene search
K

80 matches found

CVE
CVE
added 5 days ago21 views

CVE-2026-14615

Keycloak FGAP v2 implementation flaw exposes child group details via the parent-group children endpoint when FGAP v2 is enabled. The issue occurs because the system does not properly filter child groups by the caller’s per-child permissions, allowing a delegated administrator to view child group ...

4.3CVSS5.9AI score0.00172EPSS
Exploits0References2
Patchstack
Patchstack
added 6 days ago4 views

WordPress MotoPress Appointment Booking plugin <= 2.4.4 - Unauthenticated Insecure Direct Object Reference to 'payment_details.booking_id' Parameter vulnerability

Unauthenticated Insecure Direct Object Reference to 'paymentdetails.bookingid' Parameter vulnerability discovered by g0wthr in WordPress Plugin MotoPress Appointment Booking versions = 2.4.4...

5.3CVSS5.9AI score0.00342EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.9 views

CVE-2026-44341

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

5.3CVSS5.4AI score0.00239EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/30 2:55 p.m.11 views

CVE-2018-25416 AiOPMSD Final 1.0.0 SQL Injection via country.php

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extrac...

8.8CVSS6.1AI score0.0027EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/30 12:0 a.m.11 views

AiOPMSD Final SQL注入漏洞

AiOPMSD Final is a video stream download tool developed by AiOPMSD Corporation. Version 1.0.0 of AiOPMSD Final contains a SQL injection vulnerability. This vulnerability arises from injecting malicious code through the ‘genre’ parameter, which may allow unauthenticated attackers to execute...

8.8CVSS6.2AI score0.0027EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/28 8:12 p.m.12 views

CVE-2026-42459

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm Subscriber Data Management service. An unauthenticated attacker can inject control characters into the SUPI...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 3:53 p.m.8 views

CVE-2026-42459

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm Subscriber Data Management service. An unauthenticated attacker can inject control characters into the SUPI...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/27 3:53 p.m.9 views

CVE-2026-42459 free5GC: Improper Input Validation and Generation of Error Message Containing Sensitive Information in github.com/free5gc/udm

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm Subscriber Data Management service. An unauthenticated attacker can inject control characters into the SUPI...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References1
OSV
OSV
added 2026/05/21 9:30 p.m.2 views

GHSA-46XH-7854-F568 Concrete CMS is vulnerable to authorization bypass in the Calendar Block

Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since actiongetevents does not check canView on the calendar which results in restricted event details being disclosed...

6.3CVSS5.9AI score0.00211EPSS
Exploits0References3
NVD
NVD
added 2026/05/14 5:16 p.m.15 views

CVE-2025-62311

HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. This may expose sensitive information to potential interception or unauthorized access during transmission under certain conditions...

4.3CVSS0.0008EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 4:6 p.m.15 views

CVE-2025-62311

CVE-2025-62311 affects HCL AION. The issue involves backend service details potentially being transmitted over insecure HTTP channels, which may lead to exposure or unauthorized access during transmission under certain conditions. According to the included metrics, the CVSS3.1 base score is 4.3 (...

4.3CVSS5.8AI score0.0008EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/04 5:39 p.m.4 views

CVE-2026-32834 Easy PayPal Events & Tickets < 1.4 Authentication Bypass via QR Code Scanning

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can...

8.7CVSS5.9AI score0.00448EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/04 5:39 p.m.7 views

CVE-2026-32834

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can...

8.7CVSS5.9AI score0.00448EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/04 5:39 p.m.40 views

CVE-2026-32834 Easy PayPal Events & Tickets < 1.4 Authentication Bypass via QR Code Scanning

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can...

8.7CVSS0.00448EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/23 8:10 p.m.3 views

CVE-2026-6376

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user...

8.7CVSS5.7AI score0.00497EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/16 9:17 p.m.7 views

CVE-2026-34164

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data PII, citizen identifier...

4.9CVSS5.8AI score0.00366EPSS
Exploits0References6Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.4 views

PT-2026-33366

Name of the Vulnerable Software and Affected Versions Valtimo versions 13.0.0 through 13.21.0 Description The InboxHandlingService function handle in the inbox module logs the full content of every incoming inbox message at the INFO level. These messages may contain sensitive information, such as...

4.9CVSS5.8AI score0.00366EPSS
Exploits0References9
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.6 views

HCL Aftermarket DPC 安全漏洞

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. HCL Aftermarket DPC suffers from a security vulnerability that can be exploited by an attacker to obtain system software and version details to carry out software-specific attacks...

5.3CVSS5.8AI score0.00225EPSS
Exploits0References1
NVD
NVD
added 2026/03/04 10:16 p.m.8 views

CVE-2026-27898

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipherid and call "PUT /api/ciphers/id/partial" Even though the standard retrieval API correctly denies access...

5.4CVSS0.00167EPSS
Exploits0References1
OSV
OSV
added 2026/03/04 8:14 p.m.4 views

GHSA-W9F8-M526-H7FH Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher

Summary In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipherid and call: PUT /api/ciphers/id/partial Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes...

5.4CVSS6AI score0.00167EPSS
Exploits0References2
Rows per page
Query Builder