Lucene search
+L

106645 matches found

CVE
CVE
added 9 hours ago4 views

CVE-2026-11324

The CVE affects the WordPress plugins WooCommerce Placetopay Gateway and PlacetoPay/AvalPay Gateway. Vulnerable in versions up to 3.2.2 due to insufficient input sanitization and output escaping of the redirect-url parameter, enabling Reflected XSS. Exploitation requires a user action (e.g., clic...

6.1CVSS6.2AI score
Exploits0References8
EUVD
EUVD
added 9 hours ago3 views

EUVD-2026-45127

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheetexporttmpname' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files ...

4.3CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added 9 hours ago4 views

EUVD-2026-45129

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1CVSS6.2AI score
Exploits0References8
EUVD
EUVD
added 11 hours ago6 views

EUVD-2026-45084

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through...

7.2CVSS6.1AI score
Exploits0References2
Cvelist
Cvelist
added 11 hours ago7 views

CVE-2026-62214 OpenClaw < 2026.5.28 Bot Framework SSRF via serviceUrl Parameter Validation

OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly validate serviceUrl parameters. Attackers can supply malicious serviceUrl values through configured inpu...

6.5CVSS
Exploits0References2
CVE
CVE
added 11 hours ago7 views

CVE-2026-62214

OpenClaw Bot Framework (versions before 2026.5.28) contains an input validation flaw in serviceUrl parameters that enables SSRF-style access by lower-trust callers. This misvalidation can allow retrieval of bot tokens and credentials by supplying malicious serviceUrl values through configured inp...

6.5CVSS6.1AI score
Exploits0References2
CVE
CVE
added yesterday8 views

CVE-2026-15422

CVE-2026-15422 concerns illumos SCTP where the inbound path performs association lookups for INIT ACK chunks without validating the address parameters. The vulnerability is triggered during packet classification, before SCTP integrity checks or IPsec policies, allowing a remote, unauthenticated a...

10CVSS6.3AI score
Exploits0References3
EUVD
EUVD
added yesterday5 views

EUVD-2026-44986

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks fileexists and calls include View::getView$template, allowing an...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References1
CVE
CVE
added yesterday5 views

CVE-2026-46687

CVE-2026-46687 affects Emlog prior to or including 2.6.13. The flaw stems from an unvalidated path-traversal template parameter used by api_controller.php and a subsequent include in View::getView($template) after a file_exists check in log_controller.php. This enables an authenticated author to ...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References1
Nuclei
Nuclei
added yesterday34 views

Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting

Caldera Forms WordPress plugin 1.9.7 contains a reflected cross-site scripting caused by lack of validation and escaping of the cf-api parameter in responses, letting attackers execute arbitrary scripts in victim's browser, exploit requires attacker to craft a malicious request. id: CVE-2022-0879...

6.1CVSS6.5AI score0.01195EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday11 views

URL Shortify <= 1.12.1 - Open Redirect

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirectto' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentiall...

4.7CVSS6.1AI score0.00592EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday73 views

myfactory FMS - Cross-Site Scripting

myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter. id: CVE-2021-42565 info: name: myfactory FMS - Cross-Site Scripting author: madrobot,daffainfo severity: medium description: | myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter. impact: |...

6.1CVSS6.4AI score0.05832EPSS
Exploits3References3
Nuclei
Nuclei
added yesterday10 views

Nortek Linear eMerge E3-Series - SQL Injection

Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection vulnerability via the idt parameter. id: CVE-2022-38627 info: name: Nortek Linear eMerge E3-Series - SQL Injection author: daffainfo,omarhashem666...

9.8CVSS7.1AI score0.0427EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday108 views

OpenCATS 0.9.6 - Cross-Site Scripting

OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the email parameter in the Check Email function. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.5AI score0.01333EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday80 views

sar2html <=3.2.2 Plot Parameter - Remote Code Execution

sar2html version 3.2.2 and prior contains an OS command injection vulnerability in the plot parameter of index.php. A remote, unauthenticated attacker can append shell metacharacters to the plot parameter and execute arbitrary operating system commands. id: CVE-2025-34030 info: name: sar2html...

10CVSS7.2AI score0.60635EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday78 views

DomainMOD 4.13.0 - Cross-Site Scripting

DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...

5.4CVSS6.1AI score0.01331EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday11 views

HomeAutomation 3.3.2 - Open Redirect

HomeAutomation 3.3.2 contains a redirect vulnerability caused by improper verification of the 'redirect' GET parameter in 'api.php', letting attackers redirect users to arbitrary websites, exploit requires user interaction with a crafted link. id: CVE-2020-21998 info: name: HomeAutomation 3.3.2 -...

6.1CVSS6.5AI score0.01319EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday79 views

Extreme Management Center 8.4.1.24 - Cross-Site Scripting

Extreme Management Center 8.4.1.24 contains a cross-site scripting vulnerability via a parameter in a GET request. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.5AI score0.04015EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday69 views

SuperWebmailer 7.21.0.01526 - Remote Code Execution

SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection. id: CVE-2020-11546 info: name: SuperWebmailer...

9.8CVSS7.6AI score0.3173EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday29 views

XXL-JOB v2.2.0 — Stored Cross Site Scripting

Multiple cross-site scripting XSS vulnerabilities in xxl-job v2.2.0 allow remote attackers to inject arbitrary web script or HTML via 1 AppName and 2AddressList parameter in JobGroupController.java file. id: CVE-2020-23814 info: name: XXL-JOB v2.2.0 — Stored Cross Site Scripting author:...

6.1CVSS6.5AI score0.01188EPSS
Exploits1References2
Rows per page
Query Builder