CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added 9 hours ago•35 views

Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it...

9.8CVSS7.6AI score0.02163EPSS

Nuclei•added 9 hours ago•7 views

LatePoint <= 5.0.11 - SQL Injection

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

9.8CVSS5.9AI score0.02823EPSS

NVD•added yesterday•6 views

CVE-2026-54103

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...

9.8CVSS

Cvelist•added yesterday•20 views

CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change

9.8CVSS

EUVD•added yesterday•5 views

EUVD-2026-37910

9.8CVSS5.4AI score

CVE•added yesterday•9 views

CVE-2026-54103

CVE-2026-54103 affects GAO EPDS and CBCA EDS, where the /update-profile/N endpoint does not require authentication for password changes. The vulnerability allows a remote attacker to change an arbitrary user’s password without credentials. This result is supported by the CVSS data indicating high...

9.8CVSS5.4AI score

Nuclei•added yesterday•42 views

Lotus Domino R5 and R6 WebMail - Information Disclosure

Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled which is by default allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and t...

5CVSS5.2AI score0.73635EPSS

Exploits11References5

EUVD•added 2 days ago•6 views

EUVD-2026-37721

Missing Authorization in the server management routes routes/admin.php in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email...

8.6CVSS5.3AI score0.00348EPSS

Cvelist•added 2 days ago•25 views

CVE-2026-54415 Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

8.6CVSS0.00348EPSS

CVE•added 2 days ago•7 views

CVE-2026-54415

CVE-2026-54415 is a broken access control issue in Azuriom CMS before 1.2.11. An authenticated user with the admin.access permission can abuse server-management routes to create AzLink server tokens and take over non-admin user accounts by changing passwords and emails. The vulnerability exists i...

8.6CVSS5.3AI score0.00348EPSS

Positive Technologies•added 2 days ago•7 views

PT-2026-50444

Name of the Vulnerable Software and Affected Versions Azuriom CMS versions prior to 1.2.11 Description Missing authorization in the server management routes allows an authenticated attacker with the admin.access permission to create AzLink server tokens. This can lead to the takeover of non-admin...

8.6CVSS5.2AI score0.00348EPSS

Exploits0References5

NVD•added 3 days ago•8 views

CVE-2026-0647

An improper authentication security issue exists within the 1794-AENTR adapter's embedded web server. The vulnerability allows an unauthenticated attacker to change the device's web interface password by sending a crafted HTTP GET request to a specific endpoint, without any prior authentication...

8.8CVSS0.00396EPSS

Cvelist•added 3 days ago•28 views

CVE-2026-0647 Rockwell Automation FLEX I/O Dual-port EtherNet/IP Adapters – Multiple Vulnerabilities

8.8CVSS0.00396EPSS

CVE•added 3 days ago•25 views

CVE-2026-0647

The 1794-AENTR adapter (Rockwell Automation FLEX I/O dual‑port EtherNet/IP) has an improper authentication flaw in its embedded web server. An unauthenticated attacker can change the device web interface password by sending a crafted HTTP GET request to a specific endpoint, without prior authenti...

8.8CVSS5.3AI score0.00396EPSS

NVD•added 2026/06/10 2:16 p.m.•10 views

CVE-2026-49498

Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in...

8.8CVSS0.00259EPSS

Cvelist•added 2026/06/10 12:38 p.m.•32 views

CVE-2026-49498 Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username

8.8CVSS0.00259EPSS

Vulnrichment•added 2026/06/10 12:38 p.m.•5 views

CVE-2026-49498 Ghidra 11.0 < 12.1 - SQL Injection in PostgreSQL Password Change via Unescaped Username

8.8CVSS5.7AI score0.00259EPSS

CVE•added 2026/06/10 12:38 p.m.•14 views

CVE-2026-49498

Ghidra 11.0 before 12.1 is affected by a SQL injection in PostgresFunctionDatabase.changePassword(), which fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can craft username parameters in PasswordChange network messages to inject SQL com...

8.8CVSS5.7AI score0.00259EPSS

Exploits0References2Affected Software1

CNNVD•added 2026/06/10 12:0 a.m.•7 views

NSA Ghidra SQL注入漏洞

NSA Ghidra is an open-source reverse-engineering tool developed by the National Security Agency National Security Agency of the United States. Prior to version 12.1 of NSA Ghidra, there was a SQL injection vulnerability. This vulnerability stemmed from the changePassword method of the...

8.8CVSS5.7AI score0.00259EPSS