Lucene search
K

3677 matches found

EUVD
EUVD
added 7 hours ago4 views

EUVD-2026-43548

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation historie...

8.7CVSS6.1AI score
Exploits0References3
NVD
NVD
added yesterday4 views

CVE-2026-12397

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

4.3CVSS0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday11 views

CVE-2026-12397 WP Job Portal < 2.5.5 - Subscriber+ Employer Email Disclosure via IDOR

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

0.00132EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday35 views

Post SMTP <= 3.6.0 - Email Log Disclosure

Post SMTP WordPress plugin = 3.6.0 contains an unauthorized data access vulnerability caused by missing capability check in construct function, letting unauthenticated attackers read arbitrary logged emails, exploit requires no authentication. id: CVE-2025-11833 info: name: Post SMTP = 3.6.0 -...

9.8CVSS7.2AI score0.51507EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday11 views

WordPress Qubely < 1.8.6 - Unauthenticated Email Sending

Qubely WordPress plugin 1.8.6 contains an insecure deserialization caused by unauthenticated users being able to send arbitrary emails via the qubelysendformdata AJAX action, letting attackers send spam or malicious emails, exploit requires no authentication. id: CVE-2021-24916 info: name:...

7.5CVSS7AI score0.01535EPSS
Exploits2References2
NVD
NVD
added 3 days ago7 views

CVE-2026-9017

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS0.00273EPSS
Exploits0References8
NVD
NVD
added 3 days ago6 views

CVE-2026-12994

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacker...

5.3CVSS0.00361EPSS
Exploits0References12
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-43156

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacker...

5.3CVSS6.2AI score0.00361EPSS
Exploits0References12
NVD
NVD
added 4 days ago6 views

CVE-2026-61492

In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible...

6.1CVSS0.0039EPSS
Exploits0References1
EUVD
EUVD
added 4 days ago6 views

EUVD-2026-42915

In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible...

6.1CVSS6.1AI score0.0039EPSS
Exploits0References1
CVE
CVE
added 4 days ago5 views

CVE-2026-56279

Capgo before 12.128.2 is affected by an information disclosure vulnerability in the get_orgs_v7(userid) RPC function that remains publicly invokable despite intended private access controls. Unauthenticated attackers can supply arbitrary user UUIDs to retrieve foreign users’ organization membersh...

8.7CVSS6.2AI score0.00313EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 4 days ago8 views

CVE-2026-59262

A flaw was found in AFFiNE. This vulnerability allows an authenticated workspace member to bypass document read permissions by supplying arbitrary document Globally Unique Identifiers GUIDs to the histories GraphQL field. This can lead to information disclosure, enabling attackers to retrieve ful...

7.1CVSS6.1AI score0.00238EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-15291

The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/id. This is due to the plugin not performing any...

7.5CVSS5.9AI score0.0047EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-12597 LoginPress Pro <= 6.2.3 - Unauthenticated Authentication Bypass via Unverified OAuth Email via GitHub OAuth Callback

The LoginPress Pro plugin for WordPress is vulnerable to Authentication Bypass via the GitHub OAuth callback in versions up to, and including, 6.2.3. The vulnerability exists in the loginpressongithublogin function, which blindly trusts the first element profile0'email' of the array returned by...

8.1CVSS0.00422EPSS
Exploits0References2
Patchstack
Patchstack
added 5 days ago4 views

WordPress Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin <= 1.24.1 - Authenticated (Administrator+) SQL Injection vulnerability

Authenticated Administrator+ SQL Injection vulnerability discovered by PRISM in WordPress Plugin Mail Mint versions = 1.24.1...

4.9CVSS6.1AI score0.00319EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-42550

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS5.9AI score0.00435EPSS
Exploits0References10
CVE
CVE
added 5 days ago8 views

CVE-2026-12270

The CVE concerns Everest Forms for WordPress prior to version 3.5.0. The vulnerability arises because access controls on several onboarding-assistant REST API endpoints are bypassable: the capability check only runs when a specific attacker‑controlled request header has a value, allowing unauthen...

6.5CVSS5.9AI score0.00179EPSS
Exploits0References1
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-12270 Everest Forms < 3.5.0 - Unauthenticated Missing Authorization via Site Assistant REST Endpoints

The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or...

0.00179EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-59262 AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails...

7.1CVSS0.00238EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-10708

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...

7.5CVSS0.00158EPSS
Exploits0References1
Rows per page
Query Builder