Lucene search
K

3192 matches found

Nuclei
Nuclei
added 10 hours ago60 views

Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...

8.6CVSS6.9AI score0.01594EPSS
Exploits1References4
EUVD
EUVD
added 17 hours ago5 views

EUVD-2026-43569

OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip requester authorization and...

7.1CVSS6.2AI score
Exploits0References3
NVD
NVD
added yesterday3 views

CVE-2026-62194

OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate...

8.8CVSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57395

Name of the Vulnerable Software and Affected Versions Swiss Toolkit For WP versions prior to 1.4.7 Description An arbitrary file upload issue exists due to flawed file type validation in the upload extension files function. The function uses strpos to check if a filename contains a configured...

8.8CVSS6.3AI score0.00553EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 4 days ago19 views

PT-2026-57304

Name of the Vulnerable Software and Affected Versions RabbitMQ versions prior to 3.13.15 RabbitMQ versions prior to 4.0.20 RabbitMQ versions prior to 4.1.11 RabbitMQ versions prior to 4.2.6 Description The management plugin exposes an obsolete GET '/api/auth' endpoint that can disclose the OAuth ...

8.7CVSS6.1AI score0.0033EPSS
Exploits0References12
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-45788 Discourse: Secure uploads exposed by hotlinked image copying

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, secure uploads could be exposed by pullhotlinkedimages when an attacker knew the secured upload URL and the secureuploads site setting was enabled. This issue is fixed in versions 2026.6.0,...

6.3CVSS0.00466EPSS
Exploits0References9
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-13441 EventPrime <= 4.3.4.2 - Unauthenticated Stored Cross-Site Scripting via 'new_event_type_background_color' Parameter

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'neweventtypebackgroundcolor' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS0.00247EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 5 days ago6 views

dnsmasq < 2.93 Heap-Based Buffer Overflow (CVE-2026-12725)

The version of dnsmasq installed on the remote host is prior to 2.93. It is, therefore, affected by a heap-based buffer overflow vulnerability. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause...

5.9CVSS6.2AI score0.00403EPSS
Exploits0References3
Snyk
Snyk
added 6 days ago6 views

NULL Pointer Dereference

Overview github.com/nats-io/nats-server/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to NULL Pointer Dereference via the leafnode handshake process. An attacker can cause the server t...

8.7CVSS6.1AI score0.00732EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

NULL Pointer Dereference

Overview github.com/nats-io/nats-server/v2/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to NULL Pointer Dereference via the leafnode handshake process. An attacker can cause the serve...

8.7CVSS6.1AI score0.00732EPSS
Exploits0References2
NVD
NVD
added 6 days ago6 views

CVE-2026-58250

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.12.8 and 2.11.17, an unauthenticated peer with network access to a leafnode listener with compression enabled could crash the server during the pre-authentication leafnode handshake by...

7.5CVSS0.00732EPSS
Exploits0References5
NVD
NVD
added 6 days ago8 views

CVE-2026-29007

U-Boot through 2026.04-rc3 contains an out-of-bounds read vulnerability in tcprxstatemachine net/tcp.c when CONFIGPROTTCP is enabled, allowing remote attackers to read beyond TCP segment boundaries by crafting a malicious packet with a mismatched IP total length and TCP data offset field. Attacke...

6.9CVSS0.00467EPSS
Exploits0References4
CVE
CVE
added 6 days ago12 views

CVE-2026-29009

CVE-2026-29009 affects U-Boot 2026.04-rc3 with CONFIG_CMD_NFS enabled. The flaw is a buffer overflow in nfs_readlink_reply() (net/nfs-common.c) where the 2048-byte nfs_path_buff can be overflowed by multiple relative symlink targets returned via NFS READLINK. Attackers can send two or more READLI...

8.8CVSS6.3AI score0.00424EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago36 views

CVE-2026-15063 Trustyai-service-operator: trustyai service operator: gorch port bypass when auth is enabled

A flaw was found in the gorch service template, which is part of the trustyai-service-operator. Even when authentication is enabled, the gorch service exposes unproxied orchestrator and detector metrics ports. This allows any pod on the cluster network to directly access these ports, bypassing th...

6.3CVSS0.00184EPSS
Exploits0References2
Cvelist
Cvelist
added 6 days ago40 views

CVE-2026-55437 Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.17, 2.32.7, 2.33.8, and 2.34.2, the AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded...

5.4CVSS0.00316EPSS
Exploits0References6
OSV
OSV
added 2026/07/07 10:17 a.m.4 views

PYSEC-2026-999 TensorFlow has Null Pointer Error in RandomShuffle with XLA enable

Impact NPE in RandomShuffle with XLA enable python import tensorflow as tf func = tf.rawops.RandomShuffle para = 'value': 1e+20, 'seed': -4294967297, 'seed2': -2147483649 @tf.functionjitcompile=True def test: y = funcpara return y test Patches We have patched the issue in GitHub commit...

7.5CVSS6.6AI score0.00391EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/07 5:34 a.m.5 views

CVE-2026-14345

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...

9.8CVSS6.3AI score0.00745EPSS
Exploits0References12
CVE
CVE
added 2026/07/07 5:34 a.m.32 views

CVE-2026-14345

The CVE-2026-14345 entry concerns the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (WordPress plugin). Affected versions up to and including 3.12.7 are vulnerable to Remote Code Execution via the postData parameter. The root cause is an unsanitized write of attacker...

9.8CVSS6.3AI score0.00745EPSS
Exploits0References11
OSV
OSV
added 2026/07/06 11:44 p.m.4 views

BIT-MLFLOW-2026-8147 Authorization Bypass in mlflow/mlflow

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying trac...

8.1CVSS7.2AI score0.00348EPSS
Exploits1References3
NVD
NVD
added 2026/07/06 9:16 p.m.7 views

CVE-2026-59711

showdown contains a cross-site scripting vulnerability in metadata title handling that allows attackers to inject arbitrary HTML and JavaScript. When completeHTMLDocument option is enabled, unescaped less-than and greater-than characters in markdown frontmatter metadata are inserted directly into...

6.1CVSS0.00187EPSS
Exploits0References3
Rows per page
Query Builder