Lucene search
K

1833 matches found

Nuclei
Nuclei
added yesterday33 views

MLflow Job API - Authentication Bypass

MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/ when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions. id:...

9.8CVSS7.3AI score0.04392EPSS
Exploits1References3
Cvelist
Cvelist
added 2 days ago30 views

CVE-2026-34149 Coolify: Authenticated Host-Level RCE via Unescaped Database Credentials in Backup Jobs

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, DatabaseBackupJob interpolates user-controlled database credentials and MongoDB collection exclusion names into backup shell commands without adequate escaping, allowing an...

3.3CVSS0.00221EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 7:53 p.m.12 views

CVE-2026-10560

CVE-2026-10560 affects IBM Langflow OSS 1.0.0–1.9.6. The issue is a missing authentication vulnerability in the /api/v1/build_public_tmp/ endpoints, allowing an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier. This leads to information disclosure (sen...

9.1CVSS5.8AI score0.00272EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-419 mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization

In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...

9.1CVSS7.9AI score0.04392EPSS
Exploits1References5
Tenable Nessus
Tenable Nessus
added 2026/06/27 12:0 a.m.8 views

EulerOS 2.0 SP15 : cups (EulerOS-SA-2026-2478)

According to the versions of the cups packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local...

7.8CVSS6.7AI score0.00502EPSS
Exploits7References8
EUVD
EUVD
added 2026/06/24 1:20 p.m.7 views

EUVD-2026-38781

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

4.3CVSS5.9AI score0.00178EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/09 3:41 a.m.32 views

CVE-2026-8882 WP ApplicantStack Jobs Display <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00181EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/09 3:41 a.m.11 views

CVE-2026-8882 WP ApplicantStack Jobs Display <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.7AI score0.00181EPSS
Exploits0References3
CVE
CVE
added 2026/06/09 3:41 a.m.20 views

CVE-2026-8882

CVE-2026-8882 affects the WP ApplicantStack Jobs Display WordPress plugin (versions up to 1.1.1). The vulnerability is a Stored Cross-Site Scripting via Shortcode Attributes caused by insufficient input sanitization and output escaping, exploitable by authenticated users with contributor-level ac...

6.4CVSS5.7AI score0.00181EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/09 3:41 a.m.13 views

EUVD-2026-35311

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.7AI score0.00181EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.12 views

WordPress plugin WP ApplicantStack Jobs Display 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.4CVSS5.4AI score0.00181EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.15 views

PT-2026-47675

Name of the Vulnerable Software and Affected Versions WP ApplicantStack Jobs Display versions prior to 1.1.2 Description Insufficient input sanitization and output escaping in shortcode attributes allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site...

6.4CVSS5.7AI score0.00181EPSS
Exploits0References7
Patchstack
Patchstack
added 2026/06/08 3:6 p.m.8 views

WordPress WP ApplicantStack Jobs Display plugin <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin WP ApplicantStack Jobs Display versions = 1.1.1...

6.4CVSS5.4AI score0.00181EPSS
Exploits0References1Affected Software1
GithubExploit
GithubExploit
added 2026/06/06 8:13 p.m.336 views

Exploit for Authentication Bypass Using an Alternate Path or Channel in Sangoma Freepbx

CVE-2025-57819 — FreePBX Unauthenticated SQLi → RCE One-shot...

10CVSS6.9AI score0.93286EPSS
Exploits20
CNNVD
CNNVD
added 2026/06/06 12:0 a.m.9 views

WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.6AI score0.0029EPSS
Exploits0References23
Vulnrichment
Vulnrichment
added 2026/06/05 11:28 p.m.11 views

CVE-2026-8976 RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action...

4.3CVSS5.6AI score0.0029EPSS
Exploits0References22
CVE
CVE
added 2026/06/05 11:28 p.m.30 views

CVE-2026-8976

The CVE-2026-8976 entry concerns the WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator . It states a vulnerability in all versions up to and including 5.1.7: an authorization bypass where the plugin does not properly verify a user’s perm...

4.3CVSS5.6AI score0.0029EPSS
Exploits0References22
Cvelist
Cvelist
added 2026/06/05 11:28 p.m.101 views

CVE-2026-8976 RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action...

4.3CVSS0.0029EPSS
Exploits0References22
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.12 views

CVE-2026-10260

A vulnerability was detected in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /admin/jobs-admins/delete-jobs.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now...

7.5CVSS7.1AI score0.00263EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:15 p.m.11 views

CVE-2026-2652

A flaw was found in mlflow. When the mlflow server is configured with basic authentication and served via uvicorn, an architectural mismatch in the FastAPI permission middleware allows unauthenticated remote attackers to bypass authentication on specific routes. This bypass enables attackers to...

8.6CVSS7.2AI score0.01502EPSS
Exploits1References5
Rows per page
Query Builder