
RedhatCVE
added 2026/05/04 8:21 p.m. (22 views)

CVE-2026-4790

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customsvg' parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible fo...

CVSS 5.4 | AI score 6 | EPSS 0.00194
Exploits 0 | References 1
RedhatCVE
added 2026/05/04 8:21 p.m. (7 views)

CVE-2026-6817

The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ratereason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

CVSS 5.8 | AI score 6 | EPSS 0.00228
Exploits 0 | References 1
RedhatCVE
added 2026/05/04 8:21 p.m. (5 views)

CVE-2026-7649

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied paramete...

CVSS 7.5 | AI score 5.9 | EPSS 0.00335
Exploits 0 | References 1
RedhatCVE
added 2026/05/04 8:21 p.m. (4 views)

CVE-2026-6378

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/maxi-blocks/v1.0/style-card REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the scstyles parameter. This makes it possible...

CVSS 6.4 | AI score 6 | EPSS 0.00234
Exploits 0 | References 1
RedhatCVE
added 2026/05/04 8:21 p.m. (6 views)

CVE-2026-7647

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize function on the attacker-controlled 'args' POST parameter within the wppbrequestuserspinsactioncallback AJAX handler, whi...

CVSS 8.1 | AI score 5.9 | EPSS 0.00462
Exploits 0 | References 1
RedhatCVE
added 2026/05/04 8:21 p.m. (14 views)

CVE-2026-4060

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The esc_sql functi...

CVSS 7.5 | AI score 6 | EPSS 0.00304
Exploits 1 | References 1
NVD
added 2026/05/04 8:16 p.m. (9 views)

CVE-2026-41923

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit...

CVSS 9.3 | EPSS 0.02615
Exploits 0 | References 3
Snyk
added 2026/05/04 7:29 p.m. (9 views)

Missing Authentication for Critical Function

Overview: arelle-release is an open source XBRL platform. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the plugins parameter in the /rest/configure endpoint, which is processed without authentication or authorization. An attacker can execu...

CVSS 9.8 | AI score 6.2 | EPSS 0.00732
Exploits 0 | References 2
Cvelist
added 2026/05/04 7:15 p.m. (31 views)

CVE-2026-41925 WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time)

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attacke...

CVSS 9.3 | EPSS 0.03387
Exploits 0 | References 3
ATTACKERKB
added 2026/05/04 7:15 p.m. (4 views)

CVE-2026-41925

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attacke...

CVSS 9.3 | AI score 6.4 | EPSS 0.03387
Exploits 0 | References 4
CVE
added 2026/05/04 7:15 p.m. (21 views)

CVE-2026-41925

CVE-2026-41925 affects WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi reboot_time function is vulnerable to OS command injection: unauthenticated remote attackers can inject shell commands via the reboot_time POST parameter when reboot_enabled=1, enabling remote code executio...

CVSS 9.3 | AI score 6.4 | EPSS 0.03387
Exploits 0 | References 3
Vulnrichment
added 2026/05/04 7:12 p.m. (4 views)

CVE-2026-41924 WDR201A WiFi Extender OS Command Injection via makeRequest.cgi

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the settime or StartSniffer functions. Attackers can...

CVSS 9.3 | AI score 6.1 | EPSS 0.02707
Exploits 0 | References 3
ATTACKERKB
added 2026/05/04 7:10 p.m. (7 views)

CVE-2026-41923

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit...

CVSS 9.3 | AI score 6.1 | EPSS 0.02615
Exploits 0 | References 4
EUVD
added 2026/05/04 7:4 p.m. (5 views)

EUVD-2026-27117

WDR201A WiFi Extender HW V2.1, FW LFMZX28040922V1.02 contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can...

CVSS 9.3 | AI score 6.6 | EPSS 0.04983
Exploits 0 | References 3
EUVD
added 2026/05/04 6:29 p.m. (9 views)

EUVD-2026-27083

Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hidehiddenmailfieldsregexcallback method reads an iteration count directly from user-supplied POST parameters without...

CVSS 8.7 | AI score 5.9 | EPSS 0.00435
Exploits 0 | References 2
ATTACKERKB
added 2026/05/04 6:26 p.m. (6 views)

CVE-2026-42226

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supp...

CVSS 7.1 | AI score 5.9 | EPSS 0.0026
Exploits 0 | References 2 | Affected software 1
NVD
added 2026/05/04 6:16 p.m. (9 views)

CVE-2026-42796

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...

CVSS 9.8 | EPSS 0.00732
Exploits 0 | References 3
CVE
added 2026/05/04 5:37 p.m. (13 views)

CVE-2026-42140

The CVE covers the PlantUML Macro used in XWiki, where the vulnerability lies in the server parameter not being validated. Prior to version 2.4.1, an attacker can supply an arbitrary URL (including internal addresses) to the server parameter, causing the XWiki server to attempt to connect for ren...

CVSS 4.4 | AI score 5.8 | EPSS 0.00151
Exploits 0 | References 3
Cvelist
added 2026/05/04 5:37 p.m. (35 views)

CVE-2026-42140 Server-Side Request Forgery (SSRF) in PlantUML Macro via 'server' parameter

PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does...

CVSS 4.4 | EPSS 0.00151
Exploits 0 | References 3
ATTACKERKB
added 2026/05/04 5:19 p.m. (2 views)

CVE-2026-42796

Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file...

CVSS 9.8 | AI score 6.5 | EPSS 0.00732
Exploits 0 | References 4