CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

196 matches found

Positive Technologies•added 2026/05/02 12:0 a.m.•1 views

PT-2026-36594

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...

7.2CVSS6AI score0.00174EPSS

Exploits0References9

Github Security Blog•added 2026/04/14 6:30 p.m.•3 views

Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00038EPSS

Exploits2References4Affected Software1

EUVD•added 2026/04/14 6:30 p.m.•3 views

EUVD-2026-22301

8.1CVSS5.8AI score0.00038EPSS

Exploits2References3

Positive Technologies•added 2026/04/14 12:0 a.m.•2 views

PT-2026-32684

8.1CVSS5.8AI score0.00038EPSS

Exploits2References5

Cvelist•added 2026/04/14 12:0 a.m.•30 views

CVE-2026-38530

8.1CVSS0.00038EPSS

Exploits2References2

NVD•added 2026/03/11 9:16 a.m.•3 views

CVE-2026-1454

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfbleadsanitize function which omits certain...

7.2CVSS0.0013EPSS

Exploits0References4

Cvelist•added 2026/03/07 5:8 a.m.•27 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

7.7CVSS0.00455EPSS

Exploits1References2

OSV•added 2026/03/07 5:8 a.m.•0 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

7.7CVSS5.8AI score0.00455EPSS

Exploits1References4

CVE•added 2026/03/07 5:8 a.m.•9 views

CVE-2026-30822

CVE-2026-30822 (Flowise leads API) : The connected advisory documents reveal a mass assignment vulnerability in the public POST /api/v1/leads endpoint. The code copies all request properties to a Lead entity via Object.assign(newLead, body), which overwrites auto-generated fields like id (UUID), ...

7.7CVSS7.1AI score0.00455EPSS

Exploits1References2Affected Software1

Vulnrichment•added 2026/03/07 5:8 a.m.•0 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

7.7CVSS5.8AI score0.00455EPSS

Exploits1References2

Github Security Blog•added 2026/03/06 10:19 p.m.•4 views

Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

7.7CVSS5.9AI score0.00455EPSS

Exploits1References4Affected Software1

OSV•added 2026/03/06 10:19 p.m.•3 views

GHSA-MQ4R-H2GH-QV7X Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

7.7CVSS5.9AI score0.00455EPSS

Exploits1References4

Snyk•added 2026/03/06 10:19 p.m.•2 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the Object.assign function. An attacker can manipulate internal entity fields such as id, createdDate, and chatId by...

9.2CVSS5.8AI score0.00455EPSS

Exploits1References2

Positive Technologies•added 2026/03/06 12:0 a.m.•4 views

PT-2026-23788

Flowise and Affected Versions Flowise versions prior to 3.0.13 Description Flowise is a drag & drop user interface to build a customized large language model flow. A mass assignment issue exists in the /api/v1/leads endpoint, allowing unauthenticated users to control internal entity fields id,...

7.7CVSS7.2AI score0.00455EPSS

Exploits1References5

RedhatCVE•added 2026/02/25 4:7 a.m.•2 views

CVE-2026-3050

A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploi...

5.4CVSS3.8AI score0.00047EPSS

Exploits1References1

OSV•added 2026/02/24 1:16 a.m.•4 views

CVE-2026-3050

5.4CVSS3.9AI score

Exploits0References6

NVD•added 2026/02/24 1:16 a.m.•2 views

CVE-2026-3050

5.4CVSS0.00047EPSS

Exploits1References6

ATTACKERKB•added 2026/02/24 1:2 a.m.•3 views

CVE-2026-3050

5.1CVSS3.8AI score0.00047EPSS

Exploits1References6Affected Software1

Cvelist•added 2026/02/24 1:2 a.m.•20 views

CVE-2026-3050 horilla-opensource horilla Leads global.js cross site scripting

5.1CVSS0.00047EPSS

Exploits1References6

CVE•added 2026/02/24 1:2 a.m.•6 views

CVE-2026-3050

CVE-2026-3050 affects horilla-opensource horilla CRM up to version 1.0.2, specifically the Leads Module’s static/assets/js/global.js. A flaw in an unknown function allows manipulation of the Notes argument to trigger cross-site scripting (XSS) via a remote attack. An exploit has been published. R...

5.4CVSS3.7AI score0.00047EPSS

Exploits1References6Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by