Lucene search
+L

19053 matches found

EUVD
EUVD
added last week6 views

EUVD-2026-43132

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References6
EUVD
EUVD
added last week5 views

EUVD-2026-43053

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...

6.1AI score0.00307EPSS
Exploits0References2
EUVD
EUVD
added last week7 views

EUVD-2026-43066

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0...

6.1AI score0.00165EPSS
Exploits0References2
EUVD
EUVD
added last week7 views

EUVD-2026-43051

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0...

6.1AI score0.00386EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/11 12:0 a.m.6 views

PT-2026-57391

Name of the Vulnerable Software and Affected Versions Themify Builder versions prior to 7.7.7 Description Insufficient input sanitization and output escaping in the Map Module allow authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting. This is...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/11 12:0 a.m.13 views

PT-2026-57392

Name of the Vulnerable Software and Affected Versions Themify Builder versions prior to 7.7.7 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References11
NVD
NVD
added 2026/07/10 10:16 p.m.6 views

CVE-2026-55809

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...

8.1CVSS0.00307EPSS
Exploits0References1
NVD
NVD
added 2026/07/10 10:16 p.m.11 views

CVE-2026-13242

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0...

6.5CVSS0.00165EPSS
Exploits0References1
NVD
NVD
added 2026/07/10 10:16 p.m.7 views

CVE-2026-12535

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0...

9.8CVSS0.00386EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/10 9:44 p.m.35 views

CVE-2026-13242 Geolocation Field - Critical - SQL Injection - SA-CONTRIB-2026-062

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0...

0.00165EPSS
Exploits0References1
CVE
CVE
added 2026/07/10 9:44 p.m.35 views

CVE-2026-13242

Geolocation Field in Drupal is affected: versions 0.0.0 through 3.15.0 expose an SQL injection due to improper neutralization in a view filter. The root cause is insufficient sanitization when user input reaches a view-filtered SQL path. Impact is SQL injection risk within Drupal sites using the ...

6.5CVSS6.1AI score0.00165EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/10 9:44 p.m.31 views

CVE-2026-55809 Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...

0.00307EPSS
Exploits0References1
CVE
CVE
added 2026/07/10 9:44 p.m.21 views

CVE-2026-55809

The CVE-2026-55809 issue affects the Drupal Flag attendance field module, with vulnerable versions 0.0.0 through 1.2. The root cause is improper control of modification of dynamically-determined object attributes, with data stored as PHP-serialized strings. If malicious data is written to the fie...

8.1CVSS6.1AI score0.00307EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/07/10 9:43 p.m.18 views

CVE-2026-12535

CVE-2026-12535 concerns the Drupal Formatter Field module, where the vulnerability arises from storing data as PHP-serialized strings and exposing a risk of object injection when malicious data is written to the formatter_field. The affected versions span 0.0.0 through 2.0.0. The root cause invol...

9.8CVSS6.1AI score0.00386EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/10 9:43 p.m.31 views

CVE-2026-12535 Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0...

0.00386EPSS
Exploits0References1
OSV
OSV
added 2026/07/10 9:43 p.m.3 views

CVE-2026-12535 Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Formatter Field allows Object Injection. This issue affects Formatter Field versions: from 0.0.0 to 2.0.0...

9.8CVSS6.1AI score0.00386EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/10 8:31 p.m.33 views

CVE-2026-12761 miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.7.0 - Unauthenticated Authentication Bypass to Administrator Account Takeover via Profile Completion OTP Flow

The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...

9.8CVSS0.00463EPSS
Exploits0References6
CVE
CVE
added 2026/07/10 7:42 p.m.9 views

CVE-2026-55469

Snipe-IT prior to 8.6.2 is affected. An authenticated user with import and assets.update permissions can inject a path traversal string into an asset image field via CSV import, which can trigger image deletion and lead to deletion of arbitrary files accessible to the server process. The issue is...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/07/10 7:42 p.m.6 views

EUVD-2026-43000

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/10 7:42 p.m.30 views

CVE-2026-55469 Snipe-IT: Path traversal vulnerability via CSV import `image` field

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS0.00378EPSS
Exploits0References3
Rows per page
Query Builder