Lucene search
K

32886 matches found

Circl
Circl
added yesterday4 views

CVE-2026-55445

creationtimestamp| type| source ---|---|--- 2026-07-15 23:06:05+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqptj5juer2c 2026-07-16 00:38:51+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqpyoz5fpx22 2026-07-16 01:30:26+00:00| seen|...

9.3CVSS6.1AI score
Exploits0References4
CVE
CVE
added yesterday7 views

CVE-2026-45806

Penpot before 2.15.0 vulnerable to authenticated SSRF in remote image import. The flow passes a user-controlled URL from frontend to the backend RPC method create-file-media-object-from-url, where media/download-image uses a shared HTTP client without destination filtering, allowing an authentica...

7.7CVSS6.2AI score0.00032EPSS
Exploits1References2
Circl
Circl
added yesterday5 views

CVE-2026-56400

creationtimestamp| type| source ---|---|--- 2026-07-15 12:38:04+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqoqg5mume2p 2026-07-15 15:43:26+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqp2rmdoce2e...

9CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added yesterday4 views

EUVD-2026-44651

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...

8.8CVSS6.3AI score
Exploits0References2
Cvelist
Cvelist
added yesterday9 views

CVE-2026-61457 Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass

The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...

8.8CVSS
Exploits0References2
NVD
NVD
added yesterday4 views

CVE-2026-11579

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

5.3CVSS0.00177EPSS
Exploits0References1
CVE
CVE
added yesterday9 views

CVE-2026-11579

CVE-2026-11579 affects the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin up to version 2.4.17. The issue arises because the plugin does not verify that a file upload is tied to an existing form with a file-upload field, allowing unauthenticated users to upload files to the Wo...

5.3CVSS6.2AI score0.00177EPSS
Exploits0References1
EUVD
EUVD
added yesterday7 views

EUVD-2026-44592

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

5.3CVSS6.2AI score0.00177EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-11579

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

6.2AI score0.00177EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday17 views

CVE-2026-11579 Kali Forms < 2.4.17 - Unauthenticated Media Upload

The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload...

0.00177EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday25 views

WordPress Media Library Assistant <= 3.34 - SQL Injection

David Lingren Media Library Assistant = 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input. id: CVE-2026-34885 info: name: WordPress Media Library Assistant = 3.34 -...

8.5CVSS6.3AI score0.01668EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday127 views

Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion

A vulnerability in the Wordpress Media-Library-Assistant plugins in version 3.09 is vulnerable to a local file inclusion which leading to RCE on default Imagegick installation/configuration. id: CVE-2023-4634 info: name: Media Library Assistant 3.09 - Remote Code Execution/Local File Inclusion...

9.8CVSS7AI score0.82585EPSS
Exploits6References5
Nuclei
Nuclei
added yesterday61 views

WordPress Sell Media 2.4.1 - Cross-Site Scripting

WordPress Plugin Sell Media v2.4.1 contains a cross-site scripting vulnerability in /inc/class-search.php that allows remote attackers to inject arbitrary web script or HTML via the keyword parameter aka $searchterm or the Search field. id: CVE-2019-6112 info: name: WordPress Sell Media 2.4.1 -...

6.1CVSS6.5AI score0.09221EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday22 views

Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion

Media Library Assistant plugin for WordPress before 2.82 contains a local file inclusion caused by unsanitized mlagallery link parameter, letting attackers include arbitrary local files, exploit requires access to the vulnerable link. id: CVE-2020-11732 info: name: Media Library Assistant 2.82 -...

7.5CVSS7AI score0.04917EPSS
Exploits4References1
Nuclei
Nuclei
added yesterday45 views

2 Click Socialmedia Buttons < 0.34 - Cross-Site Scripting

A cross-site scripting vulnerability in libs/xing.php in the 2 Click Social Media Buttons plugin before 0.34 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xing-url parameter. id: CVE-2012-4273 info: name: 2 Click Socialmedia Buttons 0.34 - Cross-Site Scripti...

4.3CVSS6.2AI score0.0578EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday42 views

External Media without Import <=1.1.2 - Authenticated Blind Server-Side Request Forgery

WordPress External Media without Import plugin through 1.1.2 is susceptible to authenticated blind server-side request forgery. The plugin has no authorization and does not ensure that media added via URLs are external media, which can allow any authenticated users, including subscribers, to obta...

6.5CVSS6.7AI score0.02941EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday20 views

WordPress Frontend File Manager < 4.0 & N-Media Post Frontend < 1.1 - Arbitrary File Upload

The Frontend File Manager plugin 4.0 and N-Media Post Front-end Form plugin 1.1 for WordPress were vulnerable to arbitrary file uploads due to missing file type validation. This allowed unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution. id:...

9.8CVSS6.3AI score0.05515EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday28 views

Import Legacy Media <= 0.1 - Cross-Site Scripting

A cross-site scripting vulnerability in the Import Legacy Media plugin 0.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the filename parameter to getid3/demos/demo.mimeonly.php. id: CVE-2014-4535 info: name: Import Legacy Media = 0.1 - Cross-Site...

6.1CVSS6.5AI score0.03983EPSS
Exploits2References4
CVE
CVE
added yesterday13 views

CVE-2026-61371

Microsoft AVML before 0.17.0 is affected. On Unix, it could follow a symlink when opening a destination output path, allowing truncation/overwrite of the symlink target at open-time via O_TRUNC and potentially before full input validation. This is described as a truncation-before-validation issue...

7.5CVSS6.1AI score
Exploits0References3
Circl
Circl
added 2 days ago4 views

CVE-2026-59733

creationtimestamp| type| source ---|---|--- 2026-07-14 23:00:35+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mqncqefi572b 2026-07-15 00:34:24+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqnhy5ivbc2q...

8.8CVSS6.1AI score0.00523EPSS
Exploits0References2
Rows per page
Query Builder