Lucene search
K

1054 matches found

Cvelist
Cvelist
added 8 hours ago6 views

CVE-2026-58319 Apache Doris: Improper Authentication in Frontend HTTP API

Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...

Exploits0References1
EUVD
EUVD
added 8 hours ago4 views

EUVD-2026-43653

Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...

9.1CVSS6.1AI score
Exploits0References1
Nuclei
Nuclei
added 11 hours ago10 views

WordPress Front End Users - Reflected XSS

WordPress Front End Users plugin = 3.2.32 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

7.1CVSS7AI score0.00515EPSS
Exploits1References1
Cvelist
Cvelist
added 5 days ago28 views

CVE-2026-13450 GamiPress <= 7.9.4 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'access' Parameter

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...

5.3CVSS0.00408EPSS
Exploits0References14
EUVD
EUVD
added 2026/07/02 6:0 a.m.10 views

EUVD-2026-41252

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wpksespost, as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any us...

6.8CVSS5.8AI score0.00235EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 12:34 a.m.8 views

EUVD-2026-40414

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS5.8AI score0.00437EPSS
Exploits0References6
NVD
NVD
added 2026/06/30 10:16 p.m.9 views

CVE-2026-58446

Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...

6.9CVSS0.00437EPSS
Exploits0References5
CVE
CVE
added 2026/06/28 6:37 p.m.40 views

CVE-2026-49048

The CVE-2026-49048 issue affects the Joomla extension JoomCCK (com_joomcck). A front-end controller task (tags.save) builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation, enabling unauthenticated SQL injec...

9.8CVSS5.8AI score0.00505EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/28 6:37 p.m.11 views

CVE-2026-49048 Joomla Extension - joomcoder.com - Unauthenticated SQL Injection in JoomCCK extension for Joomla < 6.4.1

The Joomla extension JoomCCK exposes a front-end controller task, that builds two SQL statements by directly concatenating a user-supplied request parameter into the query string without escaping or parameterisation...

8.7CVSS5.8AI score0.00505EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/06/28 12:0 a.m.14 views

PT-2026-53162

Name of the Vulnerable Software and Affected Versions JoomCCK affected versions not specified Description A front-end controller task in the JoomCCK extension for Joomla is susceptible to SQL injection. This occurs because the application constructs two SQL statements by directly concatenating a...

9.8CVSS5.8AI score0.00505EPSS
Exploits1References5
EUVD
EUVD
added 2026/06/26 10:15 p.m.10 views

EUVD-2026-38057

Statamic CMS's unsafe method invocation via collection sorting allows data destruction...

7.4CVSS5.8AI score0.0027EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 10:15 p.m.3 views

GHSA-M92M-R54R-X8R2 Statamic CMS's unsafe method invocation via collection sorting allows data destruction

Impact The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes...

7.4CVSS5.7AI score0.0027EPSS
Exploits0References4
CVE
CVE
added 2026/06/19 5:36 p.m.22 views

CVE-2026-49287

Statamic CMS (Laravel/Git) had an incomplete fix for CVE-2026-41175; in-memory collection sorting was not protected. CVE-2026-49287 notes that prior to 5.73.23 and 6.20.0, the patch covered the query builder but not in-memory sorting. This could allow a front-end template that passes request inpu...

7.4CVSS5.6AI score0.0027EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 5:36 p.m.4 views

CVE-2026-49287

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could...

7.4CVSS5.6AI score0.0027EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.25 views

PT-2026-49077

Name of the Vulnerable Software and Affected Versions WP Ticket versions prior to 6.0.5 Description The WP Ticket plugin for WordPress allows unauthenticated attackers to extract sensitive information from the database. The issue occurs during unauthenticated front-end searches when the plugin...

7.5CVSS5.5AI score0.0051EPSS
Exploits0References10
Github Security Blog
Github Security Blog
added 2026/06/03 9:6 p.m.16 views

malla: Stored XSS via Meshtastic node names in multiple frontend pages

Node names longname, shortname received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor. Affecte...

6.1AI score0.00174EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/05/31 9:0 p.m.9 views

@redhat-cloud-services/frontend-components-inventory (>=2.0.0 <=3.4.0), @redhat-cloud-services/frontend-components-inventory-compliance (>=0.0.1 <=3.4.4) +4 more potentially affected by unknown CVE via @redhat-cloud-services/frontend-components-notifications (=6.9.1)

@redhat-cloud-services/frontend-components-notifications NPM version =6.9.1 is affected by a known vulnerability. The following packages have a transitive dependency on @redhat-cloud-services/frontend-components-notifications and may be impacted: -...

5.5AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/05/31 2:28 a.m.9 views

CVE-2026-8382 Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters

The Advanced Custom Fields ACF® plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrit...

5.3CVSS5.8AI score0.00402EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/31 2:28 a.m.43 views

CVE-2026-8382 Advanced Custom Fields (ACF®) <= 6.8.1 - Unauthenticated Arbitrary Post Modification via Front-End Form '_post_title' and '_post_content' Parameters

The Advanced Custom Fields ACF® plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrit...

5.3CVSS0.00402EPSS
Exploits0References3
OSV
OSV
added 2026/05/29 10:19 p.m.8 views

GHSA-PGXQ-P76C-X9CG formie's unauthenticated front-end submission editing can overwrite existing submissions

Impact Unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. Patches 2.2.21, 3.1.26 Workarounds Block unauthenticated access to actions/formie/submissions/save-submission, or disable/customize front-end submissio...

8.7CVSS5.8AI score0.00311EPSS
Exploits0References5
Rows per page
Query Builder