Lucene search
+L

48956 matches found

Nuclei
Nuclei
added 11 hours ago49 views

FineCMS <5.0.9 - Open Redirect

FineCMS 5.0.9 contains an open redirect vulnerability via the url parameter in a sync action. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2017-11586 info: name: FineCMS 5.0.9 - Open...

6.1CVSS6.2AI score0.02286EPSS
Exploits1References2
CVE
CVE
added 16 hours ago10 views

CVE-2026-62386

The CVE-2026-62386 entry applies to Grav API plugin (getgrav/grav-plugin-api)

8.2CVSS6.1AI score
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-59237

Roskus Prospero Flow CRM prior to 5.5.3 is affected by an IDOR (CWE-639) vulnerability in the Order and OrderItem REST API controllers. The issue arises because Order::find($id) / Item::find($id) are not scoped to the authenticated user’s company, enabling a remote, authenticated user to read, mo...

6.9CVSS6.1AI score
Exploits0References3
OSV
OSV
added 3 days ago3 views

CVE-2026-55651 Easy!Appointments Vulnerable to Appointments Takeover via Excessive Data Exposure

Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users. Using these hashes, an attacker can modify or delete appointmen...

7.1CVSS6.1AI score0.00185EPSS
Exploits0References3
NVD
NVD
added 3 days ago4 views

CVE-2026-44761

SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token...

9.1CVSS0.00352EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43591

SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token...

9.1CVSS6.1AI score0.00352EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-44761 Insecure Sample Credentials in SAP Commerce Cloud

SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token...

9.1CVSS0.00352EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57942

Name of the Vulnerable Software and Affected Versions SAP Commerce Cloud affected versions not specified Description SAP Commerce Cloud may retain a sample OAuth2 client with publicly documented credentials derived from sample configurations in the SAP Help Portal. An unauthenticated attacker can...

9.1CVSS6.1AI score0.00352EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-58009

Name of the Vulnerable Software and Affected Versions 1715-AENTR EtherNet/IP Adapter versions prior to 3.011 Description The 1715-AENTR EtherNet/IP Adapter exposes a network-accessible debug port that lacks proper privilege controls. This allows unauthenticated remote access to intrusive...

10CVSS6.1AI score0.00253EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago37 views

CVE-2026-58410 ChurchCRM: Improper object-level authorization allows low-privileged users to read and modify other families’ records

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...

7.1CVSS0.00174EPSS
Exploits0References1
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43307

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to verify post ownership in the shared channel inbound sync handler, which allows an authenticated remote cluster to modify or delete posts authored by local users or other remotes via crafted sync messages referencing...

4.3CVSS6.2AI score0.00145EPSS
Exploits0References2
CVE
CVE
added 4 days ago9 views

CVE-2026-10103

Mattermost versions affected: 11.7.x (up to 11.7.2), 11.6.x (up to 11.6.4), and 10.11.x (up to 10.11.19) have a flaw in the shared channel inbound sync handler that fails to verify post ownership. This allows an authenticated remote cluster to modify or delete posts authored by local users or oth...

4.3CVSS6.2AI score0.00145EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-11963 User Registration & Membership < 5.2.2 - Subscriber+ Cross-User Role and Membership Tier Modification via IDOR

The User Registration & Membership WordPress plugin before 5.2.2 does not perform an authorization check on a membership-upgrade action and derives the user to modify from a caller-supplied identifier instead of the current user, allowing any authenticated user such as a subscriber to change...

0.00201EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago9 views

PT-2026-57524

Name of the Vulnerable Software and Affected Versions H3C NX15 version V100R017 Description A flaw exists in the Administrator Password Modification Endpoint within the change passwd function of the '/api/login/modify' endpoint. Remote manipulation of the newPass argument can lead to weak passwor...

7.5CVSS7AI score0.00278EPSS
Exploits0References8
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-43140

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS6.1AI score0.00304EPSS
Exploits0References12
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-7559 Affilia <= 3.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Status Modification

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00304EPSS
Exploits0References12
EUVD
EUVD
added last week6 views

EUVD-2026-42981

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.8CVSS6.1AI score0.0028EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/10 9:32 a.m.6 views

CVE-2026-9857

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

4.3CVSS6.1AI score0.00288EPSS
Exploits0References13
EUVD
EUVD
added 2026/07/10 7:48 a.m.6 views

EUVD-2026-42847

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the updateform due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.1AI score0.00226EPSS
Exploits1References8
NVD
NVD
added 2026/07/10 5:16 a.m.8 views

CVE-2026-15293

The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.2.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8CVSS0.00348EPSS
Exploits0References3
Rows per page
Query Builder