Lucene search
+L

14382 matches found

NVD
NVD
added 8 hours ago5 views

CVE-2023-54366

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations o...

8.8CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 9 hours ago3 views

CVE-2023-54366

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations o...

8.8CVSS5.3AI score
Exploits0References3
CVE
CVE
added 9 hours ago6 views

CVE-2023-54366

CVE-2023-54366 affects SurrealDB prior to 1.0.1, where default table permissions are set to FULL instead of NONE. This misconfiguration allows attackers with database access or unauthenticated users on publicly exposed instances to perform uncontrolled SELECT, CREATE, UPDATE, and DELETE operation...

8.8CVSS5.3AI score
Exploits0References2
Cvelist
Cvelist
added 9 hours ago7 views

CVE-2023-54366 SurrealDB before 1.0.1 Insecure Default Table Permissions

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations o...

8.8CVSS
Exploits0References2
EUVD
EUVD
added 9 hours ago3 views

EUVD-2023-60602

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations o...

8.8CVSS5.3AI score
Exploits0References2
Nuclei
Nuclei
added 14 hours ago21 views

KevinLAB BEMS (Building Energy Management System) - Backdoor Account

KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highes...

9CVSS7.1AI score0.06719EPSS
Exploits2References2
Nuclei
Nuclei
added 14 hours ago47 views

WP Popups - Information Disclosure

WP Popups - WordPress Popup builder plugin for WordPress contains a full path disclosure caused by using mobiledetect without access restrictions, letting unauthenticated attackers retrieve server paths, exploit requires no specific conditions. id: CVE-2024-6555 info: name: WP Popups - Informatio...

5.3CVSS5.2AI score0.00927EPSS
Exploits0References4
Nuclei
Nuclei
added 14 hours ago101 views

Drupal 11.x-dev - Full Path Disclosure

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure even when error logging is None if the value of hashsalt is filegetcontents of a file that does not exist. id: CVE-2024-45440 info: name: Drupal 11.x-dev - Full Path Disclosure author: DhiyaneshDK severity: medium description: |...

5.3CVSS5.6AI score0.09269EPSS
Exploits4
Nuclei
Nuclei
added 14 hours ago8 views

Campaign Monitor for WordPress - Information Disclosure

Campaign Monitor for WordPress plugin for WordPress versions up to 2.8.15 contains a full path disclosure caused by improper access restriction and enabled displayerrors in /forms/views/admin/create.php, letting unauthenticated attackers retrieve server paths, exploit requires displayerrors to be...

5.3CVSS5.2AI score0.00849EPSS
Exploits0References3
Nuclei
Nuclei
added 14 hours ago51 views

DedeCMS 5.7 - Path Disclosure

DedeCMS 5.7 allows remote attackers to discover the full path via a direct request for include/downmix.inc.php or inc/incarchivesfunctions.php id: CVE-2018-6910 info: name: DedeCMS 5.7 - Path Disclosure author: pikpikcu severity: high description: DedeCMS 5.7 allows remote attackers to discover t...

7.5CVSS7.4AI score0.18955EPSS
Exploits1References5
Nuclei
Nuclei
added 14 hours ago72 views

emlog 5.3.1 Path Disclosure

emlog v5.3.1 is susceptible to full path disclosure via t/index.php, which allows an attacker to see the path to the webroot/file. id: CVE-2021-3293 info: name: emlog 5.3.1 Path Disclosure author: h1ei1 severity: medium description: emlog v5.3.1 is susceptible to full path disclosure via...

5.3CVSS5.7AI score0.17436EPSS
Exploits1References5
EUVD
EUVD
added yesterday7 views

EUVD-2026-45275

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec function without sandboxing, input...

9.9CVSS6.9AI score
Exploits0References1
NVD
NVD
added yesterday10 views

CVE-2026-14503

The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pclajaxprocessrequestinner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a...

6.5CVSS0.00287EPSS
Exploits0References7
Nuclei
Nuclei
added yesterday48 views

CouchCMS <= 2.0 - Path Disclosure

CouchCMS = 2.0 allows remote attackers to discover the full path via a direct request to includes/mysql2i/mysql2i.func.php or addons/phpmailer/phpmailer.php. id: CVE-2018-7662 info: name: CouchCMS = 2.0 - Path Disclosure author: ritikchaddha severity: medium description: CouchCMS = 2.0 allows...

5.3CVSS5.8AI score0.43004EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday31 views

GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...

10CVSS9.1AI score0.28931EPSS
Exploits3References4
EUVD
EUVD
added yesterday13 views

EUVD-2026-45132

The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pclajaxprocessrequestinner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a...

6.5CVSS6.1AI score0.00287EPSS
Exploits0References7
NVD
NVD
added yesterday5 views

CVE-2026-62231

The Grav API plugin getgrav/grav-plugin-api before 1.0.6 contains an authorization bypass: API keys can be created with a restricted scopes array, but the ApiKeyAuthenticator class never reads or enforces these scopes. It loads and returns the owning user's full account object, so a key created...

8.6CVSS0.00221EPSS
Exploits0References2
NVD
NVD
added 2 days ago6 views

CVE-2026-43978

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account gym manager, general manager by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a...

8.1CVSS0.00213EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-15997 Native ARM SHA3 / SHAKE `restoreFullState` fails to detect size_t underflow in a crafted encoded state

Out-of-bounds write vulnerability in Legion of the Bouncy Castle Inc. BC-LTS bcprov-lts8on on ARM allows Overflow Buffers. This vulnerability is associated with program files https://github.Com/bcgit/bc-lts-java/blob/main/nativec/arm/sha/shake.C,...

5.6CVSS0.001EPSS
Exploits0References1
OSV
OSV
added 2 days ago4 views

MAL-2026-10694 Malicious code in vor8zakon (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 99924288481504c324c3f573ba7ba99ac4e1c7a7f22a940c94d81059b868fdfd Package advertises itself as 'A simple cryptographic library for JavaScript applications' but ships no crypto code and exports nothing. package.json...

6.1AI score
Exploits0References2
Rows per page
Query Builder