Lucene search
K

4762 matches found

Nuclei
Nuclei
added 11 hours ago53 views

Lotus Domino R5 and R6 WebMail - Information Disclosure

Lotus Domino R5 and R6 WebMail with 'Generate HTML for all fields' enabled which is by default allows remote attackers to read the HTML source to obtain sensitive information including the password hash in the HTTPPassword field, the password change date in the HTTPPasswordChangeDate field, and t...

5CVSS6.1AI score0.73635EPSS
Exploits11References5
Nuclei
Nuclei
added 11 hours ago8 views

LatePoint <= 5.0.11 - SQL Injection

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

9.8CVSS6.1AI score0.02823EPSS
Exploits0References3
Nuclei
Nuclei
added 11 hours ago59 views

Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it...

9.8CVSS7.2AI score0.02145EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2 days ago6 views

Progress MOVEit Transfer 2022.0.x < 2022.0.10 / 2022.1.x < 2022.1.11 / 2023.0.x < 2023.0.8 / 2023.1.x < 2023.1.3 Unverified Password Change (January 2026)

The version of Progress MOVEit Transfer, formerly Ipswitch MOVEit DMZ, installed on the remote host is affected by an unverified password change vulnerability. - Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows REST API modules. This issue affects MOVEit Transfer:...

7.5CVSS6.1AI score0.00178EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 3 days ago9 views

PT-2026-57524

Name of the Vulnerable Software and Affected Versions H3C NX15 version V100R017 Description A flaw exists in the Administrator Password Modification Endpoint within the change passwd function of the '/api/login/modify' endpoint. Remote manipulation of the newPass argument can lead to weak passwor...

7.5CVSS7AI score0.00278EPSS
Exploits0References8
NVD
NVD
added 5 days ago6 views

CVE-2026-59190

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS0.00215EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago29 views

CVE-2026-59190 Grav Admin Plugin — IDOR Privilege Escalation via saveUser()

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS0.00215EPSS
Exploits0References2
OSV
OSV
added 5 days ago3 views

CVE-2026-59190 Grav Admin Plugin — IDOR Privilege Escalation via saveUser()

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS6.1AI score0.00215EPSS
Exploits0References4
CVE
CVE
added 5 days ago8 views

CVE-2026-59190

Grav plugin: grav-plugin-admin is affected. In versions ≤1.10.52, an authenticated user with admin.users permission can escalate privileges by altering another user’s password via POST to /admin/user/{username}?task=save with data[password]. The vulnerability stems from saveUser validating the ca...

8.7CVSS6.1AI score0.00215EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42950

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS6.1AI score0.00215EPSS
Exploits0References2
NVD
NVD
added 5 days ago6 views

CVE-2026-56305

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS0.00357EPSS
Exploits0References2
CVE
CVE
added 5 days ago5 views

CVE-2026-56305

Capgo before 12.128.2 exposes an authentication bypass in the password-change endpoint due to missing current-password validation. Attackers with temporary session access can change user passwords, potentially causing permanent user lockout and full account takeover. No official remediation detai...

8.7CVSS6.1AI score0.00357EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago6 views

EUVD-2026-42882

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS6.1AI score0.00357EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-56305 Capgo - Authentication Bypass in Password Change via Missing Current Password Validation

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS0.00357EPSS
Exploits0References2
OSV
OSV
added 5 days ago2 views

CVE-2026-56305 Capgo - Authentication Bypass in Password Change via Missing Current Password Validation

Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change endpoint that allows attackers to change user passwords without requiring current password confirmation. Attackers with temporary session access can exploit this flaw to permanently lock out legitimate...

8.7CVSS6.1AI score0.00357EPSS
Exploits0References4
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42506

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References2
CVE
CVE
added 6 days ago23 views

CVE-2026-5523

The CVE describes a privilege-escalation flaw in the Divi Form Builder plugin for WordPress (versions up to and including 5.1.8). The root cause is missing authorization checks: update_user() accepts a user ID from form submissions without validating the editor’s permission for that target user, ...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 6 days ago10 views

CVE-2026-5523

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References3
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-42500

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality...

6.3CVSS7.5AI score0.00157EPSS
Exploits0References3
OSV
OSV
added 2026/07/08 12:0 a.m.3 views

CVE-2026-39179

A SQL injection vulnerability in SOGo before 5.12.7 allows authenticated users to execute arbitrary SQL statements via the newPassword parameter in the password change functionality...

6.3CVSS7.2AI score0.00157EPSS
Exploits0References4
Rows per page
Query Builder