Lucene search
K

12505 matches found

OSV
OSV
added yesterday3 views

MAL-2026-10452 Malicious code in markdown-editable-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b6b15669732f3eaec42e12c5f8d41a8f74d595fc04f709804de9768cb1719a94 The package's package.json declares a preinstall hook node index.d.js that runs automatically on npm install. The script in index.d.js base64-decodes...

6.2AI score
Exploits0References4
EUVD
EUVD
added yesterday5 views

EUVD-2026-43308

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate that an assigned incoming webhook user has access to the target team or channel, which allows a requester with webhook management permissions to create posts or direct messages attributed to another user via...

4.9CVSS6.1AI score0.0021EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday21 views

WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass

Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in ismainwpauthenticated function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrat...

9.8CVSS6.1AI score0.14608EPSS
Exploits10References2
Nuclei
Nuclei
added yesterday77 views

Keycloak - SAML Core Package Signature Validation Flaw

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Referen...

7.7CVSS6.6AI score0.0203EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday98 views

WordPress Pie Register <= 3.7.1.4 - Authentication Bypass

An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting socialsite=true and manipulating the useridsocialsite parameter,...

10CVSS7.5AI score0.09903EPSS
Exploits7References3
Nuclei
Nuclei
added yesterday21 views

Dash Framework - Cross-site Scripting

Dash framework versions before 2.15.0 are vulnerable to Cross-site Scripting XSS via href attribute in anchor tags. This template tests for javascript:alert payload injection. id: CVE-2024-21485 info: name: Dash Framework - Cross-site Scripting author: Lee Changhyuneeche severity: medium...

6.5CVSS6.5AI score0.01475EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday107 views

MooSocial 3.1.8 - Cross-Site Scripting

A reflected cross-site scripting XSS vulnerability exisits in the dataredirecturl parameter on user login function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL. id: CVE-2023-43325 info: name: MooSocial 3.1.8 - Cross-Sit...

6.1CVSS6.4AI score0.01857EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday16 views

OneDev < 4.0.3 - User Access Token Leak

OneDev before version 4.0.3 contains an insecure endpoint that allows retrieval of arbitrary user details, including access tokens, due to missing security checks on /users/id, letting attackers leak sensitive data and impersonate users, exploit requires no special conditions. id: CVE-2021-21246...

8.6CVSS7AI score0.49051EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday23 views

RegistrationMagic <= 5.0.1.7 - Authentication Bypass

RegistrationMagic WordPress plugin versions = 5.0.1.7 contain an authentication bypass caused by missing identity validation in socialloginusingemail, letting unauthenticated users log in as any site user, exploit requires knowing a valid username. id: CVE-2021-4073 info: name: RegistrationMagic ...

9.8CVSS6.9AI score0.07EPSS
Exploits1References3
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday3 views

Malicious code in chat-adapter-zoom (npm)

The chat-adapter-zoom package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a Zoom...

6.1AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added yesterday4 views

Malicious code in salesforce-vscode-slds (npm)

The salesforce-vscode-slds package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a...

6.1AI score
Exploits0References3
NVD
NVD
added 2 days ago8 views

CVE-2026-56271

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses weak hardcoded default JWT secrets 'authtoken', 'refreshtoken' and default audience and issuer values 'AUDIENCE', 'ISSUER' in the enterprise passport authentication middleware packages/server/src/enterprise/middleware/passport/index.t...

9.8CVSS0.00396EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-43228

Flowise before 3.1.0 affected versions 3.0.13 and earlier uses weak hardcoded default JWT secrets 'authtoken', 'refreshtoken' and default audience and issuer values 'AUDIENCE', 'ISSUER' in the enterprise passport authentication middleware packages/server/src/enterprise/middleware/passport/index.t...

9.8CVSS6.1AI score0.00396EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-39508

File Browser: Authentication Bypass via Proxy Auth Header Forgery...

9.1CVSS6.1AI score0.00337EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 4 days ago5 views

Malicious code in type-elint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f29d6bfc122cb5792d95cfade56e62789f83366b30fc0d58a88a84113d89962c Package impersonates the pino logger README is pino documentation, package name is a lookalike. The main export is a middleware factory that spawns...

6.5AI score
Exploits0References2
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-38059 ST Engineering iDirect iQ-Series Terminals Missing authentication for critical function

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS0.00592EPSS
Exploits0References3
NVD
NVD
added 5 days ago6 views

CVE-2026-53963

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

9CVSS0.00392EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-53963

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

7.3CVSS5.8AI score0.00392EPSS
Exploits0References10Affected Software1
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-53963 Discourse: Stored-XSS in 2FA delete confirmation modal

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

7.3CVSS0.00392EPSS
Exploits0References9
CVE
CVE
added 5 days ago7 views

CVE-2026-53963

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, a malicious second factor name on an attacker-controlled account was not escaped in the delete confirmation dialog, allowing stored cross-site scripting when an administrator impersonated that...

9CVSS5.8AI score0.00392EPSS
Exploits0References9Affected Software1
Rows per page
Query Builder