Lucene search
K

1184 matches found

EUVD
EUVD
added 2026/04/23 9:31 p.m.8 views

EUVD-2026-25300

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user...

8.7CVSS5.7AI score0.00497EPSS
Exploits0References2
NVD
NVD
added 2026/04/23 9:16 p.m.7 views

CVE-2026-6376

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user...

8.7CVSS0.00497EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/23 8:10 p.m.36 views

CVE-2026-6376 Missing authentication for critical function in SpiceJet Online Booking System

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user...

8.7CVSS0.00497EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 6:0 a.m.5 views

CVE-2026-4106

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII such as full name, city, state and country of customers who placed orders in the last 7 days...

5.8AI score0.00742EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/23 6:0 a.m.3 views

CVE-2026-4106 HT Mega < 3.0.7 – Unauthenticated PII Disclosure

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII such as full name, city, state and country of customers who placed orders in the last 7 days...

5.8AI score0.00742EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/21 10:35 p.m.7 views

EUVD-2026-24531

WWBN AVideo is an open source video platform. In versions 29.0 and below, the allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both...

8.1CVSS5.9AI score0.00335EPSS
Exploits1References2
CVE
CVE
added 2026/04/21 4:48 p.m.18 views

CVE-2026-40570

FreeScout prior to 1.8.213 exposes sensitive customer data. The load_customer_info action at POST /conversation/ajax returns full customer profile data to any authenticated user without mailbox-access verification, requiring only a valid email to retrieve PII. Affected version range is before 1.8...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 4:48 p.m.4 views

CVE-2026-40570 FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the loadcustomerinfo action in POST /conversation/ajax returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retriev...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.9 views

PT-2026-34202

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions 29.0 and earlier Description The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This...

8.1CVSS5.9AI score0.00335EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.5 views

CVE-2026-40480

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

7.1CVSS5.7AI score0.00336EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/18 7:22 a.m.6 views

CVE-2026-34164

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data PII, citizen identifier...

4.9CVSS5.7AI score0.00366EPSS
Exploits0References1
NVD
NVD
added 2026/04/18 12:16 a.m.7 views

CVE-2026-40480

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

7.1CVSS0.00336EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/17 11:7 p.m.6 views

EUVD-2026-23589

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

7.1CVSS5.7AI score0.00336EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/17 11:7 p.m.34 views

CVE-2026-40480 ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

7.1CVSS0.00336EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/17 11:7 p.m.4 views

CVE-2026-40480 ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

7.1CVSS5.7AI score0.00336EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/17 9:31 a.m.8 views

EUVD-2025-209513

Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations...

9.3CVSS5.8AI score0.00261EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/17 8:37 a.m.32 views

CVE-2025-15623 Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user

Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations...

9.3CVSS0.00261EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/17 12:0 a.m.6 views

PT-2026-33424

Name of the Vulnerable Software and Affected Versions Sparx Pro Cloud Server affected versions not specified Description An unauthenticated user can retrieve the database password in plaintext. This issue allows for the exposure of private personal information and sensitive system information to ...

9.3CVSS5.8AI score0.00261EPSS
Exploits0References6
NVD
NVD
added 2026/04/16 10:16 p.m.5 views

CVE-2026-34164

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data PII, citizen identifier...

4.9CVSS0.00366EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/16 9:17 p.m.20 views

CVE-2026-34164 Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data PII, citizen identifier...

4.9CVSS0.00366EPSS
Exploits0References5
Rows per page
Query Builder