Lucene search
+L

1581 matches found

NVD
NVD
•added 3 days ago•4 views

CVE-2026-45063

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, X509Authenticator extracts the user identifier from $SERVER'SSLCLIENTSDN' with an unanchored regex that matches emailAddress= anywhere in the distinguishe...

9.1CVSS0.00323EPSS
Exploits0References6
OSV
OSV
•added 3 days ago•3 views

CVE-2026-45063 Symfony: Identity Spoofing via Unanchored DN Regex in X509Authenticator

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 5.4.52, 6.4.40, 7.4.12, and 8.0.12, X509Authenticator extracts the user identifier from $SERVER'SSLCLIENTSDN' with an unanchored regex that matches emailAddress= anywhere in the distinguishe...

9.1CVSS6.1AI score0.00323EPSS
Exploits0References8
EUVD
EUVD
•added 3 days ago•8 views

EUVD-2026-43588

SAP HANA Database user self service tools allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts,...

3.7CVSS6.1AI score0.0022EPSS
Exploits0References2
EUVD
EUVD
•added 2026/07/05 6:55 a.m.•11 views

EUVD-2026-41732

A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the emailverified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but...

4.8CVSS6.1AI score0.00196EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/07/03 12:0 a.m.•24 views

PT-2026-55600

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description A flaw allows a user to change the primary email address of another user. Recommendations Update to version 1.25.5 or later...

7.5CVSS6.1AI score0.00345EPSS
Exploits0References7
RedHat Linux
RedHat Linux
•added 2026/06/29 10:17 a.m.•6 views

gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName DNS or rfc822Name email constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf...

7.4CVSS5.8AI score0.00566EPSS
Exploits1References5
NVD
NVD
•added 2026/06/25 3:16 p.m.•12 views

CVE-2026-13225

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order...

5.3CVSS0.00345EPSS
Exploits0References1
OSV
OSV
•added 2026/06/25 2:26 p.m.•3 views

CVE-2026-13225 Stored XSS in ticket confirmation page

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order...

5.3CVSS5.9AI score0.00345EPSS
Exploits0References5
Cvelist
Cvelist
•added 2026/06/25 2:26 p.m.•44 views

CVE-2026-13225 Stored XSS in ticket confirmation page

Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order...

5.3CVSS0.00345EPSS
Exploits0References1
EUVD
EUVD
•added 2026/06/25 9:31 a.m.•7 views

EUVD-2026-39187

The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References2
NVD
NVD
•added 2026/06/25 7:16 a.m.•10 views

CVE-2026-5305

The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...

8.8CVSS0.00301EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
•added 2026/06/25 6:0 a.m.•6 views

CVE-2026-5305

The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...

5.8AI score0.00301EPSS
Exploits0References1
Cvelist
Cvelist
•added 2026/06/25 6:0 a.m.•34 views

CVE-2026-5305 Email Address Encoder (Free < 1.0.25, Premium < 0.3.12) - Unauthenticated Stored XSS

The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...

0.00301EPSS
Exploits0References1
CVE
CVE
•added 2026/06/25 6:0 a.m.•26 views

CVE-2026-5305

The CVE-2026-5305 issue affects the WordPress plugins Email Address Encoder (free) prior to 1.0.25 and Email Encoder Premium prior to 0.3.12. The root cause is improper handling of email replacement, which can allow unauthenticated attackers to perform Stored XSS. Impact per sources is high (CVE-...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References1
OSV
OSV
•added 2026/06/24 11:53 a.m.•3 views

CVE-2026-56223 Capgo - Account Takeover via Cross-Domain SSO Email Assertion in provision-user

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3CVSS6.1AI score0.00244EPSS
Exploits0References4
NVD
NVD
•added 2026/06/24 7:16 a.m.•14 views

CVE-2026-9178

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ callback userDetail with permissioncallback set to 'returntrue', and the function's home-grown authentication only...

7.5CVSS0.00347EPSS
Exploits0References5
NVD
NVD
•added 2026/06/23 11:16 p.m.•12 views

CVE-2026-56785

FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in...

8.4CVSS0.00243EPSS
Exploits0References3
Redos
Redos
•added 2026/06/22 12:0 a.m.•6 views

ROS-20260622-73-0036

The vulnerability of the consumePhrase function in the Go programming language is related to insufficient validation of input data during the analysis of email addresses. Exploiting this vulnerability could allow a remote attacker to cause service failures...

7.5CVSS5.9AI score0.00798EPSS
Exploits0
Cvelist
Cvelist
•added 2026/06/16 2:10 p.m.•29 views

CVE-2026-48780 Forem vulnerable to bypass of email address domain restrictions

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of a2ab6d4. As a workaround,...

8.2CVSS0.00218EPSS
Exploits0References2
Positive Technologies
Positive Technologies
•added 2026/06/12 12:0 a.m.•16 views

PT-2026-48906

🚨 CVE-2026-50082 The Aqara Cloud Developer Portal developer.aqara.com issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 6.5...

9.8CVSS6.2AI score0.00412EPSS
Exploits2References5
Rows per page
Query Builder