Lucene search
+L

316533 matches found

attackerkb
attackerkb
added 5 hours ago3 views

CVE-2026-62236

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score
Exploits0References3
cvelist
cvelist
added 5 hours ago3 views

CVE-2026-62214 OpenClaw < 2026.5.28 Bot Framework SSRF via serviceUrl Parameter Validation

OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly validate serviceUrl parameters. Attackers can supply malicious serviceUrl values through configured inpu...

6.5CVSS
Exploits0References2
cve
cve
added 5 hours ago5 views

CVE-2026-62214

OpenClaw Bot Framework (versions before 2026.5.28) contains an input validation flaw in serviceUrl parameters that enables SSRF-style access by lower-trust callers. This misvalidation can allow retrieval of bot tokens and credentials by supplying malicious serviceUrl values through configured inp...

6.5CVSS6.1AI score
Exploits0References2
attackerkb
attackerkb
added 5 hours ago3 views

CVE-2026-62214

OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly validate serviceUrl parameters. Attackers can supply malicious serviceUrl values through configured inpu...

6.5CVSS6.1AI score
Exploits0References3
ptsecurity
ptsecurity
added 5 hours ago5 views

PT-2026-60679

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-fie...

9.8CVSS5.9AI score
Exploits0References3
ptsecurity
ptsecurity
added 5 hours ago4 views

PT-2026-60650

The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on every API route JwtAuthenticator::extractBearerToken fallback. Because tokens are embedded in URLs, they are logged verbatim in web server access logs, leaked via th...

8.2CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 5 hours ago5 views

PT-2026-60646

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 5 hours ago3 views

PT-2026-60648

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through...

7.2CVSS6.1AI score
Exploits0References2
ptsecurity
ptsecurity
added 5 hours ago3 views

PT-2026-60624

OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly validate serviceUrl parameters. Attackers can supply malicious serviceUrl values through configured inpu...

6.5CVSS6.1AI score
Exploits0References2
nvd
nvd
added yesterday4 views

CVE-2026-45368

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers th...

8.4CVSS0.00062EPSS
Exploits0References2
nvd
nvd
added yesterday4 views

CVE-2026-14782

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

4.9CVSS
Exploits0References2
cvelist
cvelist
added yesterday8 views

CVE-2026-45368 Kirby: Cross-site scripting (XSS) from links in KirbyTags and image blocks in the site frontend

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers th...

8.4CVSS0.00062EPSS
Exploits0References2
euvd
euvd
added yesterday4 views

EUVD-2026-45058

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers th...

8.4CVSS6.1AI score0.00062EPSS
Exploits0References2
attackerkb
attackerkb
added yesterday3 views

CVE-2026-45368

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the underlying URL methods for the KirbyTags and image blocks components did not filter out malicious URL values that resolve to script execution. The vulnerability affects four first-party Kirby renderers th...

8.4CVSS6.1AI score0.00062EPSS
Exploits0References3Affected Software1
cve
cve
added yesterday27 views

CVE-2026-45368

Kirby CMS is affected in versions prior to 4.9.1 and 5.4.1 by an XSS in URL handling for several first‑party renderers that emit : the (link: …) KirbyTag, the link parameter of (image: …), the image block's link field, and the HTML importer for blocks. The underlying issue does not filter dangero...

8.4CVSS6.1AI score0.00062EPSS
Exploits0References2
githubexploit
githubexploit
added yesterday17 views

aurora-earn-poc

Aurora Earn PoC A TypeScript HTTP service that reads Kraken E...

6.1AI score
Exploits0
attackerkb
attackerkb
added yesterday3 views

CVE-2026-14782

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

4.9CVSS6.1AI score
Exploits0References3
cvelist
cvelist
added yesterday11 views

CVE-2026-14782 Booking for Appointments and Events Calendar – Amelia <= 2.4.3 - Authenticated (Custom+) SQL Injection via Customer Import

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

4.9CVSS
Exploits0References2
cve
cve
added yesterday6 views

CVE-2026-14782

The CVE-2026-14782 entry concerns the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. A SQL Injection exists via the Customer Import feature in all versions up to and including 2.4.3, due to insufficient escaping of the user-supplied parameter and inadequate preparatio...

4.9CVSS6.1AI score
Exploits0References2
wordfence
wordfence
added yesterday7 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 6, 2026 to July 12, 2026)

Last week, there were 267 vulnerabilities disclosed in 222 WordPress Plugins and 6 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 136 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...

6.3AI score
Exploits0
Rows per page
Query Builder