Lucene search
+L

10348 matches found

Cvelist
Cvelist
added 5 hours ago8 views

CVE-2025-71392 SurrealDB before 2.2.2 SurrealQL Injection via export

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS
Exploits0References2
CVE
CVE
added 5 hours ago6 views

CVE-2025-71392

SurrealDB prior to 2.0.5, 2.1.x prior to 2.1.5, and 2.2.x prior to 2.2.2 fails to escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a higher-privilege...

9.4CVSS5.3AI score
Exploits0References2
Nuclei
Nuclei
added 10 hours ago14 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. id: CVE-2019-17233 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated HTML Content Injection author: daffainfo severity: medium description: | Functions/EWDUFAQImport.ph...

6.1CVSS7.3AI score0.01843EPSS
Exploits1References2
Nuclei
Nuclei
added 10 hours ago12 views

Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated settings import/export

includes/options.php in the motors-car-dealership-classified-listings aka Motors - Car Dealer & Classified Ads plugin through 1.4.0 for WordPress allows unauthenticated options changes. id: CVE-2019-17228 info: name: Motors Car Dealer & Classified Ads = 1.4.0 - Unauthenticated settings...

6.5CVSS6.4AI score0.01153EPSS
Exploits1References4
Nuclei
Nuclei
added 10 hours ago12 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated Options Import and Export

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import. id: CVE-2019-17232 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated Options Import and Export author: daffainfo severity: high description: |...

7.5CVSS7.9AI score0.03518EPSS
Exploits1References4
Nuclei
Nuclei
added 10 hours ago18 views

Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization

The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions...

9.8CVSS5.4AI score0.01342EPSS
Exploits0References2
Nuclei
Nuclei
added 10 hours ago183 views

Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE

The Import XML and RSS Feeds WordPress plugin before 2.1.5 allows unauthenticated attackers to execute arbitrary commands via a web shell. id: CVE-2023-4521 info: name: Import XML and RSS Feeds 2.1.5 - Unauthenticated RCE author: princechaddha severity: critical description: The Import XML and RS...

9.8CVSS8.9AI score0.39294EPSS
Exploits2References1
Nuclei
Nuclei
added 10 hours ago14 views

Schneider Electric U.motion Builder - SQL Injection

The vulnerability exists within processing of trackimportexport.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the objectid input parameter. id: CVE-2018-7765 info: name: Schneider Electric U.motion...

8.8CVSS8.2AI score0.02917EPSS
Exploits3References2
Nuclei
Nuclei
added 10 hours ago10 views

phpVMS < 7.0.6 - Legacy Importer Authorization Bypass

phpVMS 7.0.6 contains an authentication bypass caused by unauthenticated access to a legacy import feature, letting unauthenticated attackers access restricted functionality, exploit requires no special privileges. id: CVE-2026-42569 info: name: phpVMS 7.0.6 - Legacy Importer Authorization Bypass...

9.4CVSS5.2AI score0.01173EPSS
Exploits1References3
Nuclei
Nuclei
added 10 hours ago28 views

Import Legacy Media <= 0.1 - Cross-Site Scripting

A cross-site scripting vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php. id: CVE-2014-4535 info: name: Import Legacy Media = 0.1 - Cross-Site...

6.1CVSS6.1AI score0.03983EPSS
Exploits2References4
Nuclei
Nuclei
added 10 hours ago42 views

External Media without Import <=1.1.2 - Authenticated Blind Server-Side Request Forgery

WordPress External Media without Import plugin through 1.1.2 is susceptible to authenticated blind server-side request forgery. The plugin has no authorization and does not ensure that media added via URLs are external media, which can allow any authenticated users, including subscribers, to obta...

6.5CVSS6.5AI score0.02941EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added yesterday7 views

mcp-memory-keeper: Arbitrary local file read in context_import via unvalidated filePath

Impact contextimport passed the caller-supplied filePath directly to fs.readFileSync with no path confinement. A malicious MCP client — or an LLM agent that is prompt-injected into calling the tool — could point filePath at any file readable by the server process, outside any session or export...

5.5AI score
Exploits0References6Affected Software1
Patchstack
Patchstack
added yesterday8 views

NPM: mcp-memory-keeper: Arbitrary local file read in context_import via unvalidated filePath

NPM: mcp-memory-keeper: Arbitrary local file read in contextimport via unvalidated filePath vulnerability discovered by ? in WordPress Npm mcp-memory-keeper versions 0.13.0...

5.3AI score
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration

Formie contains a missing authorization vulnerability in administrative settings routes. An authenticated, non-admin Craft CMS control panel user with limited Formie access could directly access Formie settings pages and modify global plugin configuration. In affected versions, Formie...

5.3AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

TAK-PS-Stats Web UI: Authenticated full-read SSRF in CloudTAK basemap import (PUT /api/basemap) — no IP-classification guard

Summary PUT /api/basemap the basemap import endpoint fetches an attacker-supplied URL server-side with no SSRF protection whatsoever. Any authenticated user can submit a JSON body "type": "...", "url": "" ; the server calls fetchurl against that URL and then reflects the response body name,...

5.6AI score
Exploits0References2Affected Software1
Nuclei
Nuclei
added yesterday254 views

GitLab CE/EE - Remote Code Execution

GitLab CE/EE 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 is susceptible to remote code execution. An authenticated user authorized to import projects can import a maliciously crafted project, thus possibly being able to execute malware, obtain sensitive information, modi...

9.9CVSS8.5AI score0.76884EPSS
Exploits0References5
NVD
NVD
added 2 days ago6 views

CVE-2026-14782

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

4.9CVSS0.0024EPSS
Exploits0References2
CVE
CVE
added 2 days ago9 views

CVE-2026-14782

The CVE-2026-14782 entry concerns the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. A SQL Injection exists via the Customer Import feature in all versions up to and including 2.4.3, due to insufficient escaping of the user-supplied parameter and inadequate preparatio...

4.9CVSS6.1AI score0.0024EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-14782 Booking for Appointments and Events Calendar – Amelia <= 2.4.3 - Authenticated (Custom+) SQL Injection via Customer Import

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer...

4.9CVSS0.0024EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2 days ago9 views

Important: Red Hat Security Advisory: multicluster engine for Kubernetes v2.6.12 security update

The multicluster engine for Kubernetes 2.6 General Availability release images, which add new features and enhancements, bug fixes, and updated container images. The multicluster engine for Kubernetes v2.6 images The multicluster engine for Kubernetes provides the foundational components that are...

9.6CVSS6.8AI score0.01041EPSS
Exploits6References13
Rows per page
Query Builder