Lucene search
K

2877 matches found

NVD
NVD
added 2026/05/11 4:17 p.m.42 views

CVE-2026-44197

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in...

6.5CVSS0.00204EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/11 2:52 p.m.16 views

CVE-2026-42841 Grav: Stored XSS via Markdown media attribute() action in Grav CMS

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters...

6.9CVSS5.9AI score0.00397EPSS
Exploits1References2
Fedora
Fedora
added 2026/05/11 1:3 a.m.29 views

[SECURITY] Fedora 43 Update: nextcloud-33.0.3-1.fc43

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

9.9CVSS6.4AI score0.01815EPSS
Exploits15
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:43 p.m.7 views

CVE-2021-47931

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

6.4CVSS5.9AI score0.00213EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/10 12:43 p.m.15 views

CVE-2021-47931 Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

6.4CVSS5.9AI score0.00213EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/10 12:43 p.m.33 views

CVE-2021-47931 Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

6.4CVSS0.00213EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.16 views

PT-2026-39507

Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary...

6.4CVSS5.9AI score0.00213EPSS
Exploits0References4
OSV
OSV
added 2026/05/08 8:0 p.m.12 views

GHSA-VRFH-RJ4Q-RMHR Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO

Read-Only Users Can Modify Collaborative Documents via Socket.IO Affected Component Socket.IO collaborative document editing handler: - backend/openwebui/socket/main.py lines 667-721, ydoc:document:update handler Affected Versions Current main branch and likely all versions with collaborative not...

5.4CVSS5.5AI score0.0022EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/08 8:0 p.m.9 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization in the ydoc:document:update handler. An attacker can inject, modify, or delete content in collaborative documents by emitting crafted Socket.IO events after joining a document room wit...

5.4CVSS5.8AI score0.0022EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/08 8:0 p.m.13 views

Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO

Read-Only Users Can Modify Collaborative Documents via Socket.IO Affected Component Socket.IO collaborative document editing handler: - backend/openwebui/socket/main.py lines 667-721, ydoc:document:update handler Affected Versions Current main branch and likely all versions with collaborative not...

5.4CVSS5.5AI score0.0022EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.13 views

PT-2026-39281

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The ydoc:document:update Socket.IO event handler fails to verify if a sender has write permissions, checking only if the sender is a member of the document's Socket.IO room. Users with read-only...

5.4CVSS5.8AI score0.0022EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/05 9:24 p.m.8 views

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the attribute process. An attacker can execute arbitrary JavaScript in the context of users who view a page by...

6.9CVSS5.8AI score0.00397EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.10 views

PT-2026-37280

Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description An authenticated user with page editing permissions can perform stored Cross-Site Scripting XSS by injecting an executable JavaScript event-handler attribute into rendered image HTML. This occurs...

6.9CVSS5.9AI score0.00397EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.15 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.14 contained security vulnerabilities. These vulnerabilities stemmed from editing bypasses, allowing authenticated gateway clients to receive unedited secrets through alias fiel...

7.1CVSS5.8AI score0.00333EPSS
Exploits0References1
Fedora
Fedora
added 2026/05/01 3:12 a.m.6 views

[SECURITY] Fedora 44 Update: emacs-30.2-23.fc44

GNU Emacs is a powerful, customizable, self-documenting, modeless text editor. It contains special code editing features, a scripting language elisp, and the capability to read mail, news, and more without leaving the editor...

7.1CVSS5.3AI score0.00108EPSS
Exploits0
Cvelist
Cvelist
added 2026/04/29 7:24 p.m.29 views

CVE-2018-25308 BuddyPress Xprofile Custom Fields Type 2.6.3 Arbitrary File Deletion

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the fieldhiddenfile and fielddeleteimg parameters during profile editing to unlink...

8.8CVSS0.00741EPSS
Exploits0References3
CVE
CVE
added 2026/04/29 7:24 p.m.7 views

CVE-2018-25308

Affected product: BuddyPress Xprofile Custom Fields Type 2.6.3. Vulnerability: remote code execution via unescaped POST parameters during profile editing, enabling authenticated users to delete arbitrary files by manipulating field_hiddenfile and field_deleteimg. Impact: high impact on confidenti...

8.8CVSS6.5AI score0.00741EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/29 7:24 p.m.3 views

EUVD-2018-21829

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the fieldhiddenfile and fielddeleteimg parameters during profile editing to unlink...

8.8CVSS6.5AI score0.00741EPSS
Exploits0References3
NVD
NVD
added 2026/04/29 6:16 p.m.5 views

CVE-2026-5712

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing...

8.8CVSS0.00163EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/29 5:18 p.m.4 views

CVE-2026-5712 IdentityIQ Role Editor Incorrect Authorization Vulnerability

This vulnerability impacts all versions of IdentityIQ and allows an authenticated identity that is the requestor or assignee of a work item to edit the definition of a role without having an assigned capability that would allow role editing...

8CVSS5.3AI score0.00163EPSS
Exploits0References1
Rows per page
Query Builder