Lucene search
+L

35520 matches found

cve
cve
added 6 hours ago11 views

CVE-2026-12585

Vulnerable component: Abandoned Cart Lite for WooCommerce (WordPress plugin) prior to version 6.8.2. Root cause: The plugin does not protect the integrity of cart-recovery tokens or bind them to the requesting account, allowing an unauthenticated attacker to forge a recovery link that logs in as ...

6.1AI score
Exploits0References1
cve
cve
added 6 hours ago6 views

CVE-2026-12492

The CVE affects the Happy Coders OTP Login for WooCommerce WordPress plugin prior to version 2.8. The root cause is that the plugin does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, enabling unauthenticated login as any ex...

6.1AI score
Exploits0References1
euvd
euvd
added 6 hours ago3 views

EUVD-2026-44876

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

6.1AI score
Exploits0References1
euvd
euvd
added 6 hours ago3 views

EUVD-2026-44873

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

6.1AI score
Exploits0References1
cve
cve
added yesterday9 views

CVE-2026-55652

Wekan prior to v9.46 is vulnerable to a header-login bypass: the server trusts X-Forwarded-For via HEADER_LOGIN_TRUSTED_IPS in getRequestIp(), allowing unauthenticated users to request a login for any username and obtain a meteor_login_token (including admin), enabling full account takeover. The ...

9.8CVSS6.1AI score
Exploits0References3
nvd
nvd
added yesterday3 views

CVE-2026-40957

o CVE-2026-40957 is a frameable content vulnerability in the Secure Access server login page prior to 14.55. Attackers with control of a malicious web site could use it to potentially steal credentials from an unwary administrator...

7.5CVSS
Exploits0References1
cve
cve
added yesterday5 views

CVE-2026-40957

CVE-2026-40957 describes a frameable content vulnerability in the Secure Access server login page prior to version 14.55. By controlling a malicious web site, an attacker could potentially steal credentials from an administrator visiting the login page. The connected sources confirm the existence...

7.5CVSS6AI score
Exploits0References1Affected Software1
euvd
euvd
added yesterday3 views

EUVD-2026-44791

o CVE-2026-40957 is a frameable content vulnerability in the Secure Access server login page prior to 14.55. Attackers with control of a malicious web site could use it to potentially steal credentials from an unwary administrator...

6.1CVSS6AI score
Exploits0References1
attackerkb
attackerkb
added yesterday2 views

CVE-2026-40957

o CVE-2026-40957 is a frameable content vulnerability in the Secure Access server login page prior to 14.55. Attackers with control of a malicious web site could use it to potentially steal credentials from an unwary administrator...

7.5CVSS6AI score
Exploits0References2
susecve
susecve
added yesterday4 views

SUSE CVE-2025-3879

Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...

7.5CVSS6.7AI score0.00351EPSS
Exploits0References5
redhatcve
redhatcve
added yesterday4 views

CVE-2026-47158

A flaw was found in Vaultwarden, a Bitwarden-compatible server. An unauthenticated attacker could exploit a vulnerability in the Single Sign-On SSO authorization flow. This flaw, caused by improper binding of the OAuth state parameter to the browser session and inadequate cleanup of SSO...

8.3CVSS6AI score0.00031EPSS
Exploits0References2
nvd
nvd
added yesterday5 views

CVE-2026-33213

Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the getnextpath function in Redash's authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as...

6.1CVSS
Exploits0References2
euvd
euvd
added yesterday4 views

EUVD-2026-44690

Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the...

8.5CVSS6.1AI score
Exploits0References7
cve
cve
added yesterday6 views

CVE-2026-61828

Affected software: NixOS/Nixpkgs’ MySQL service module (services.mysql). Vulnerability: The module initialization process could set up the MySQL data directory in a way that allows local unprivileged users (e.g., web or CGI processes on the same host) to log in as root without a password when usi...

8.5CVSS6.1AI score
Exploits0References7
cvelist
cvelist
added yesterday18 views

CVE-2026-61828 nixos/mysql : `services.mysql` is configured with insecure authentication by default when used with `mysql` or `percona-server`

Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the...

8.5CVSS
Exploits0References7
cve
cve
added yesterday6 views

CVE-2026-33213

Redash vulnerability CVE-2026-33213 affects the data-visualization tool Redash (versions 5.0.2 through 26.3.0). The get_next_path() function in the authentication module strips the scheme and netloc from user-supplied next parameters but does not normalize multiple leading slashes, enabling an op...

6.1CVSS6AI score
Exploits0References2
cve
cve
added yesterday13 views

CVE-2026-12281

The vulnerability CVE-2026-12281 affects the Shibboleth WordPress plugin before 2.5.4. When HTTP header identity mode is enabled without an anti-spoofing key, the plugin does not fail closed and treats any request carrying identity headers as authenticated without verification. This allows an una...

8.1CVSS6.1AI score0.00149EPSS
Exploits0References1
nuclei
nuclei
added yesterday20 views

Mailcow < 2026-03b - Href Link Injection

mailcow 2026-03b reflects raw REQUESTURI into JavaScript and href links on the login page, allowing attackers to inject parameters that break JS logic and enable phishing. id: CVE-2026-40878 info: name: Mailcow 2026-03b - Href Link Injection author: ritikchaddha severity: low description: | mailc...

2.1CVSS6.1AI score0.00805EPSS
Exploits0References3
nuclei
nuclei
added yesterday15 views

Musicbox WordPress - Reflected XSS

contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13327 info:...

6.1CVSS7AI score0.00562EPSS
Exploits1References2
nuclei
nuclei
added yesterday23 views

RegistrationMagic <= 5.0.1.7 - Authentication Bypass

RegistrationMagic WordPress plugin versions = 5.0.1.7 contain an authentication bypass caused by missing identity validation in socialloginusingemail, letting unauthenticated users log in as any site user, exploit requires knowing a valid username. id: CVE-2021-4073 info: name: RegistrationMagic ...

9.8CVSS6.9AI score0.07EPSS
Exploits1References3
Rows per page
Query Builder