Lucene search
+L

19058 matches found

Positive Technologies
Positive Technologies
added yesterday6 views

PT-2026-60793

Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before action ensure admin...

7.1CVSS5.3AI score
Exploits0References3
NVD
NVD
added 2 days ago6 views

CVE-2026-44175

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting XSS. Kirby's list field stores its formatted content as HTML, and unlike other field types...

8.5CVSS0.00254EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-44175 Kirby: Cross-site scripting (XSS) from list field content in the site frontend

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, Kirby did not securely sanitize the contents of the list field on save, leaving it vulnerable to cross-site scripting XSS. Kirby's list field stores its formatted content as HTML, and unlike other field types...

8.5CVSS0.00254EPSS
Exploits0References2
CVE
CVE
added 2 days ago26 views

CVE-2026-44175

Kirby has a stored XSS vulnerability in the list field prior to versions 4.9.1 and 5.4.1 due to server-side sanitization on save not being applied (HTML in list field not escaped without breaking formatting). The content is stored as HTML and could be sent via Kirby’s API bypassing the Panel, the...

8.5CVSS5.9AI score0.00254EPSS
Exploits0References2
NVD
NVD
added 2 days ago7 views

CVE-2026-63081

Perfect Support Ticketing & Document Management System through 1.7 contains a stored cross-site scripting vulnerability that allows authenticated attackers with Agent-level privileges to inject malicious payloads into the Notes field of assigned support tickets. Attackers can store malicious...

5.4CVSS0.00138EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-63081 Perfect Support Ticketing System 1.7 Stored XSS via Ticket Notes Field

Perfect Support Ticketing & Document Management System through 1.7 contains a stored cross-site scripting vulnerability that allows authenticated attackers with Agent-level privileges to inject malicious payloads into the Notes field of assigned support tickets. Attackers can store malicious...

5.4CVSS0.00138EPSS
Exploits0References2
CVE
CVE
added 2 days ago8 views

CVE-2026-63081

The CVE-2026-63081 entry describes a stored XSS in the Perfect Support Ticketing & Document Management System (v1.7). Authenticated attackers with Agent-level privileges can inject scripts into the Notes field of assigned tickets, causing the script to run in the browser context of any viewer (in...

5.4CVSS6.1AI score0.00138EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-63305 AVideo through 29.0 OS Command Injection via ffmpeg.json.php

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft a valid encrypted payload can inject arbitrary shell metacharacters into thes...

9.2CVSS0.01383EPSS
Exploits0References2
NVD
NVD
added 2 days ago12 views

CVE-2026-15021

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS0.00206EPSS
Exploits0References8
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-44899

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References8
CVE
CVE
added 2 days ago21 views

CVE-2026-15021

The wpForo Forum plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the 'location' Profile Field across all versions up to 3.1.1. The issue stems from insufficient input sanitization and output escaping; sanitize_text_field() at input does not encode double q...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References8
Cvelist
Cvelist
added 2 days ago38 views

CVE-2026-15021 wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS0.00206EPSS
Exploits0References8
CVE
CVE
added 2 days ago15 views

CVE-2026-13741

The CVE-2026-13741 entry concerns the Digits: WordPress Mobile Number Signup and Login plugin for WordPress, vulnerable in all versions up to and including 9.1.0.5. The root cause is missing authorization and role validation in the dig_update_wpwc_custom_fields() function, allowing authenticated ...

8.8CVSS6AI score0.00246EPSS
Exploits0References2
NVD
NVD
added 2 days ago10 views

CVE-2026-15458

The SEO Booster plugin for WordPress is vulnerable to generic SQL Injection via the 'sortfield' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

4.9CVSS0.00272EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-44867

The SEO Booster plugin for WordPress is vulnerable to generic SQL Injection via the 'sortfield' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

4.9CVSS6.1AI score0.00272EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago40 views

CVE-2026-15458 SEO Booster <= 7.3.1 - Authenticated (Administrator+) SQL Injection via 'sort_field' Parameter

The SEO Booster plugin for WordPress is vulnerable to generic SQL Injection via the 'sortfield' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

4.9CVSS0.00272EPSS
Exploits0References5
CVE
CVE
added 3 days ago6 views

CVE-2026-52890

CVE-2026-52890 affects Wekan (open-source Kanban, Meteor-based) before version 9.31. A logged-in board member can insert an attachment via the DDP /attachments/insert method using attacker-controlled versions.original.path and versions.original.storage. The insert rule checks only board write acc...

7.1CVSS6.2AI score0.00325EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-44704

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's norm...

8.8CVSS6.1AI score0.00136EPSS
Exploits0References1
OSV
OSV
added 3 days ago5 views

JLSEC-2026-759

iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field...

7.5CVSS6.1AI score0.01703EPSS
Exploits0References13
CVE
CVE
added 3 days ago8 views

CVE-2026-41580

Stirling-PDF (local web app) exposes a Reflected XSS via crafted PDF metadata in the /get-info-on-pdf endpoint. Prior to version 2.0.0, Title and Author metadata were rendered without proper HTML encoding/sanitization, allowing attacker-controlled JavaScript to execute in a user’s browser when vi...

6.1CVSS6.2AI score0.00188EPSS
Exploits0References2
Rows per page
Query Builder