Lucene search
K

8000 matches found

Nuclei
Nuclei
added 12 hours ago30 views

WordPress New Year Firework <=1.1.9 - Cross-Site Scripting

WordPress New Year Firework 1.1.9 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authenticati...

6.1CVSS6.6AI score0.03432EPSS
Exploits2References5
Nuclei
Nuclei
added 12 hours ago14 views

ChurchCRM - SQL Injection

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper...

9.8CVSS7AI score0.02177EPSS
Exploits1References3
NVD
NVD
added yesterday5 views

CVE-2026-12385

The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content...

4.3CVSS
Exploits0References7
NVD
NVD
added 2 days ago6 views

CVE-2026-10668

The Nuvoton NuMaker HSUSBD USB device-controller driver drivers/usb/udc/udcnumaker.c armed the control Data IN stage unconditionally base-CEPTXCNT = len in numakerhsusbdeptrigger. Because the HSUSBD hardware cannot disarm a control Data IN already armed for a previous transfer, a USB host that...

2.4CVSS0.00143EPSS
Exploits0References2
CVE
CVE
added 2 days ago15 views

CVE-2026-10668

Technical details are not publicly available in the provided documents. Monitor for updates.

2.4CVSS6.1AI score0.00143EPSS
Exploits0References2
NVD
NVD
added 2 days ago10 views

CVE-2026-61875

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders...

8.8CVSS0.00289EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-61875 luci-app-upnp Stored XSS via UPnP Port Mapping Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders...

8.8CVSS0.00289EPSS
Exploits0References2
CVE
CVE
added 2 days ago17 views

CVE-2026-61875

The vulnerability is in luci-app-upnp (OpenWrt LuCI) and is a stored cross-site scripting (XSS) flaw in the UPnP IGD AddPortMapping SOAP request. An unauthenticated LAN client can submit malicious HTML in the NewPortMappingDescription field; miniupnpd stores it and luci-app-upnp renders it withou...

8.8CVSS6.1AI score0.00289EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago7 views

PT-2026-57559

Name of the Vulnerable Software and Affected Versions luci-app-upnp affected versions not specified Description Stored cross-site scripting occurs when unauthenticated LAN clients inject JavaScript through UPnP IGD AddPortMapping SOAP requests. The issue arises because the NewPortMappingDescripti...

8.8CVSS6.1AI score0.00289EPSS
Exploits0References6
CVE
CVE
added 4 days ago9 views

CVE-2026-12123

CVE-2026-12123 describes a Server-Side Request Forgery in the WordPress plugin All-in-One Video Gallery (versions

6.4CVSS6AI score0.00246EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 4 days ago9 views

CVE-2026-12123

The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locatio...

6.4CVSS6.2AI score0.00246EPSS
Exploits0References13
NVD
NVD
added 5 days ago9 views

CVE-2026-44342

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing a...

5.3CVSS0.00187EPSS
Exploits0References3
NVD
NVD
added 5 days ago8 views

CVE-2026-13441

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'neweventtypebackgroundcolor' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS0.00247EPSS
Exploits0References8
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42559

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'neweventtypebackgroundcolor' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS6.1AI score0.00247EPSS
Exploits0References8
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42500

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality...

6.3CVSS7.5AI score0.00157EPSS
Exploits0References3
OSV
OSV
added 6 days ago7 views

BIT-PILLOW-2026-55379 Pillow BdfFontFile`: `Image.new()` called without `_decompression_bomb_check()` — bomb protection bypass via font loading

Pillow is a Python imaging library. Prior to 12.3.0, PIL/BdfFontFile.py bdfchar read the BBX width and height field from a BDF font file and passed attacker-controlled dimensions to Image.new without calling Image.decompressionbombcheck, bypassing Pillow's documented decompression bomb protection...

7.5CVSS5.9AI score0.00364EPSS
Exploits1References4
CVE
CVE
added 6 days ago6 views

CVE-2026-39179

SOGo

6.3CVSS7.5AI score0.00157EPSS
Exploits0References2
OSV
OSV
added 2026/07/07 11:45 a.m.4 views

PYSEC-2026-2007 vantage6 collaboration admins can extend their influence by expanding the collaboration

Impact Collaboration administrators can add extra organizations to their collaboration. When doing that, they extend their influence: for instance, for organizations that they include, they can then create new users for which they know the passwords, and use that to read task results of other...

2.7CVSS6AI score0.00316EPSS
Exploits0References6
OSV
OSV
added 2026/07/06 8:54 p.m.5 views

GHSA-F962-QM93-MJ4C Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service

Summary NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained Impact An authenticated user able to...

4.9CVSS6AI score0.00611EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 8:10 p.m.6 views

OPENSUSE-SU-2026:21221-1 Security update for jline3

This update for jline3 fixes the following issues: Changes in jline3: unauthenticated remote memory exhaustion via unbounded Telnet 'NEW-ENVIRON variables bsc1269021...

6AI score
Exploits0References1
Rows per page
Query Builder