CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

49 matches found

ATTACKERKB•added 2026/05/22 6:36 p.m.•7 views

CVE-2026-39967

TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's the findResult query does not filter results by typebotId, allowing an authenticated user to load result data user answers, variable values from a different typebot by supplying a foreign resultId to the startChat...

3.1CVSS5.7AI score0.00186EPSS

Exploits0References4Affected Software1

Vulnrichment•added 2026/03/26 7:3 p.m.•4 views

CVE-2026-29055 Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A...

5.3CVSS5.9AI score0.00306EPSS

Exploits1References2

Github Security Blog•added 2026/03/11 7:23 p.m.•20 views

Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...

8.9CVSS5.8AI score0.00237EPSS

Exploits0References3Affected Software2

CVE•added 2026/02/06 10:37 p.m.•12 views

CVE-2026-25757

Spree (Ruby on Rails) is affected prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. The root cause is that the OrdersController#show endpoint allows unauthenticated access to view completed guest orders by Order ID, and authorize_access does not enforce proper authorization for guest orders. Thi...

8.7CVSS5.3AI score0.00441EPSS

Exploits1References8Affected Software1

RedhatCVE•added 2026/01/09 11:28 a.m.•5 views

CVE-2021-33981

An insecure, direct object vulnerability in hunting/fishing license retrieval function of the "Fish | Hunt FL" iOS app versions 3.8.0 and earlier allows a remote authenticated attacker to retrieve other people's personal information and images of their hunting/fishing licenses...

4.3CVSS6.1AI score0.00785EPSS

Exploits0References1

RedhatCVE•added 2026/01/09 8:54 a.m.•9 views

CVE-2021-41120

sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id /pay-with-paypal/id and therefore it was easy to predict. The problem is that the Credit card form has...

7.5CVSS6.4AI score0.01493EPSS

Exploits0References1

NVD•added 2025/12/16 4:15 p.m.•6 views

CVE-2025-10450

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional Core Libraries allows Sniffing Network Traffic.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.2.0 before 7.3.1...

8.3CVSS0.00197EPSS

Exploits0References1

EUVD•added 2025/10/07 12:30 a.m.•4 views

EUVD-2016-2055

Malware in sbrugna...

7.5CVSS7.5AI score0.01143EPSS

Exploits0References2

EUVD•added 2025/10/07 12:30 a.m.•3 views

EUVD-2020-30109

Malware in sbrugna...

6.5CVSS6.5AI score0.00919EPSS

Exploits0References3

EUVD•added 2025/10/07 12:30 a.m.•3 views

EUVD-2021-10011

Malware in sbrugna...

5.3CVSS6.5AI score0.05301EPSS

Exploits1References22

EUVD•added 2025/10/07 12:30 a.m.•6 views

EUVD-2021-2535

Malware in sbrugna...

7.5CVSS5.6AI score0.0159EPSS

Exploits1References6

EUVD•added 2025/10/03 8:7 p.m.•8 views

EUVD-2025-21174