Lucene search
+L

19063 matches found

CVE
CVE
added 2026/07/09 6:48 p.m.15 views

CVE-2026-49276

Kirby CMS contains a self-XSS vulnerability (CVE-2026-49276) in the writer field used by any blueprint. In affected releases, a scripting link could be placed as the target of a link or email link in writer mark components, allowing the attacker to trigger JavaScript execution in the authenticate...

7.4CVSS5.8AI score0.00289EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/09 6:48 p.m.30 views

CVE-2026-49276 Kirby: Self cross-site scripting (self-XSS) in the writer field

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the writer field in any blueprint allowed a scripting link to be included as the target of a link or email link in writer mark components, making the target clickable by the user who entered it and...

7.4CVSS0.00289EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/09 6:38 p.m.8 views

CVE-2026-49274

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page...

5.3CVSS5.9AI score0.00275EPSS
Exploits0References8Affected Software1
Cvelist
Cvelist
added 2026/07/09 6:33 p.m.30 views

CVE-2026-13492 UsersWP <= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload Field

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS0.00525EPSS
Exploits0References8
CVE
CVE
added 2026/07/09 6:33 p.m.10 views

CVE-2026-13492

The CVE-2026-13492 entry concerns the WordPress UsersWP plugin (affected versions up to and including 1.2.65). The vulnerability arises from insufficient validation of file-field values in UsersWP_Validation::validate_fields(), which falls through to sanitize_text_field() for fields of type 'file...

8.8CVSS6AI score0.00525EPSS
Exploits0References8
OSV
OSV
added 2026/07/09 6:33 p.m.5 views

CVE-2026-13492 UsersWP <= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload Field

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS6.2AI score0.00525EPSS
Exploits0References10
NVD
NVD
added 2026/07/09 6:16 p.m.10 views

CVE-2026-59720

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...

7.5CVSS0.00336EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/09 5:27 p.m.7 views

EUVD-2026-42654

Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...

7.5CVSS5.9AI score0.00336EPSS
Exploits0References4
OSV
OSV
added 2026/07/09 4:14 p.m.3 views

CVE-2026-58459 gpsd gpsprof Command Injection via gnuplot plot title subtype field

gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerability in gpsprof that allows attackers who control the GPS device subtype value to execute arbitrary shell commands by embedding backtick payloads in the gnuplot plot title without proper escaping. The...

8.4CVSS6.4AI score0.01775EPSS
Exploits1References8
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/07/09 3:55 p.m.13 views

Malicious code in type-slint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b5cd26e040f4f4366ed65cca4b70258d276f781e0aab76b99b5573d4007a97d The npm package [email protected] masquerades as the pino logger copied module layout, exports as module.exports.pino, keywords fast/logger/stream/jso...

6.1AI score
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/07/09 2:49 p.m.6 views

protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors

A flaw was found in protobufjs, a library used to compile protobuf definitions into JavaScript functions. A remote attacker could exploit this vulnerability by providing a crafted descriptor that includes a non-string default value for a bytes field. This could lead to the generation of an unsafe...

8.8CVSS6.2AI score0.00392EPSS
Exploits0References5
NVD
NVD
added 2026/07/09 11:16 a.m.9 views

CVE-2026-12428

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS0.00285EPSS
Exploits0References8
CVE
CVE
added 2026/07/09 9:31 a.m.10 views

CVE-2026-12428

The CVE concerns the WordPress plugin Blocks for ACF Fields (versions up to 1.6.2). A missing capability check on the REST endpoint /wp-json/acf-field-blocks/v1/values (get_all_values) allows unauthorized access to ACF field data. The permission_callback only verifies publish_posts, and the handl...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/09 9:31 a.m.8 views

EUVD-2026-42568

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/09 9:31 a.m.33 views

CVE-2026-12428 Blocks for ACF Fields <= 1.6.2 - Missing Authorization to Authenticated (Author+) Arbitrary ACF Field Value Disclosure via 'id' Parameter

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS0.00285EPSS
Exploits0References8
CVE
CVE
added 2026/07/08 7:32 p.m.10 views

CVE-2026-59946

CVE-2026-59946 affects Composer (PHP dependency manager). A bin entry containing trailing .. path segments could resolve outside the package install directory, enabling the binary installation flow to chmod an existing host file to world-readable/world-executable during composer install, update, ...

6.1CVSS5.9AI score0.00136EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/08 7:32 p.m.35 views

CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS0.00136EPSS
Exploits0References5
OSV
OSV
added 2026/07/08 7:32 p.m.4 views

CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS6.1AI score0.00136EPSS
Exploits0References7
Snyk
Snyk
added 2026/07/08 6:47 p.m.18 views

Prototype Pollution

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Prototype Pollution through the textformat file. An attacker can modify the prototype of the returned map object by supplying a specially crafted map entry with the key proto...

8.3CVSS6.5AI score0.00219EPSS
Exploits0References2
NVD
NVD
added 2026/07/08 2:17 p.m.9 views

CVE-2026-56401

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

0.00325EPSS
Exploits0
Rows per page
Query Builder