Lucene search
K

254 matches found

CVE
CVE
added 2026/06/30 6:0 a.m.14 views

CVE-2026-9576

CVE-2026-9576 affects the Fluent Booking WordPress plugin (versions before 2.1.2). The vulnerability arises from not verifying ownership of the requested group_id before exporting attendees data via the export endpoint, allowing users with at least the Calendar Manager role to access attendees’ P...

4.9CVSS5.8AI score0.00234EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56242

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS5.9AI score0.00259EPSS
Exploits0References3
CVE
CVE
added 2026/06/19 7:21 p.m.17 views

CVE-2026-49344

Mercator (open source mapping app) prior to version 2025.05.19 is affected by CVE-2026-49344. The Query Engine endpoint /admin/queries/execute does not enforce an authorization gate, allowing any authenticated account (including read-only Auditor) to query models outside the intended scope (e.g.,...

7.1CVSS5.8AI score0.00281EPSS
Exploits0References1
CVE
CVE
added 2026/06/15 6:0 a.m.22 views

CVE-2026-8386

WP Go Maps for WordPress is affected up to version 10.0.9. The vulnerability arises because the public single-marker REST endpoint does not filter by approval state, enabling unauthenticated users to fetch marker records that administrators have not approved for public display. Exposed data may i...

5.3CVSS5.4AI score0.00225EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.13 views

PT-2026-49184

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

5.4AI score0.00225EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.9 views

CVE-2025-15609

The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc...

7.5CVSS5.5AI score0.00404EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.8 views

OpenTelemetry eBPF Instrumentation 安全漏洞

OpenTelemetry eBPF Instrumentation is an open-source, eBPF-based lightweight telemetry data collection tool developed by OpenTelemetry. Versions of OpenTelemetry eBPF Instrumentation prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the export of raw Redis erro...

6.5CVSS5.4AI score0.00212EPSS
Exploits1References2
NVD
NVD
added 2026/05/28 6:16 a.m.15 views

CVE-2026-3173

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS0.00243EPSS
Exploits0References4
NVD
NVD
added 2026/05/19 9:16 p.m.18 views

CVE-2026-34233

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators onl...

6.5CVSS0.0028EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/19 10:28 a.m.42 views

CVE-2026-37981 Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...

4.3CVSS0.0037EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/19 6:0 a.m.16 views

EUVD-2025-209890

The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc...

7.5CVSS5.8AI score0.00404EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/18 9:51 p.m.14 views

EUVD-2026-30812

FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadat...

6.5CVSS5.7AI score0.00227EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.9 views

PT-2026-40605

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII via a crafted SQL...

5.8AI score0.00275EPSS
Exploits0References2
CVE
CVE
added 2026/05/13 12:0 a.m.16 views

CVE-2026-37429

The CVE-2026-37429 entry concerns qihang-wms: commit 75c15a contains a SQL injection vulnerability in the SysUserMapper.xml via the datascope parameter. The vulnerability could allow an attacker to retrieve sensitive data including PII through crafted SQL statements. CVSSv3.1 base score is 6.5 (M...

6.5CVSS5.8AI score0.00275EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/07 9:16 p.m.12 views

Ech0 comment model's Email field returned on public /api/comments endpoints

Summary The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

5.8AI score
Exploits0References3Affected Software1
Packet Storm News
Packet Storm News
added 2026/05/06 12:0 a.m.18 views

GLiNER Guard: Unified Encoder Family for Production LLM Safety and Privacy

Production LLM systems require both safety moderation and PII detection under strict latency and cost constraints. This creates a trade-off: autoregressive moderators are accurate but expensive, while lightweight encoders are faster but less capable. We present GLiNER Guard GLiGuard, a unified...

5.8AI score
Exploits0
GithubExploit
GithubExploit
added 2026/05/03 9:47 p.m.106 views

Exploit for CVE-2026-40776

CVE-2026-40776 — Eventin wp-event-solution Broken Access Con...

5.8AI score0.00414EPSS
Exploits2
EUVD
EUVD
added 2026/04/14 7:43 a.m.3 views

EUVD-2026-22231

The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the getitempermissionscheck function in all versions up to, and including, 4.1.8. This makes it possible for...

4.3CVSS5.9AI score0.00179EPSS
Exploits0References2
GithubExploit
GithubExploit
added 2026/04/12 12:26 a.m.108 views

Exploit for CVE-2026-4106

WordPress HTMega Unauthenti...

5.8AI score0.00742EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/04/01 9:5 p.m.7 views

AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints

Summary The AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php template was shipped without this guard. Every plugin that uses th...

7.5CVSS6AI score0.00376EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder