
93019 matches found

Positive Technologies
added 2026/02/28 12:0 a.m., 4 views

PT-2026-22463

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...

6 AI score, 0.00105 EPSS
Exploits 0, References 2

Positive Technologies
added 2026/02/28 12:0 a.m., 7 views

PT-2026-22464

Name of the Vulnerable Software and Affected Versions: WP Mail Logging versions prior to 1.15.1. Description: The WP Mail Logging plugin for WordPress is susceptible to PHP Object Injection in versions up to and including 1.15.0. This occurs due to the deserialization of untrusted input from the ema...

7.5 CVSS, 7.1 AI score, 0.00072 EPSS
Exploits 0, References 10

CNNVD
added 2026/02/28 12:0 a.m., 4 views

WordPress plugin WP Mail Logging code issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A code issue...

7.5 CVSS, 7.2 AI score, 0.00072 EPSS
Exploits 0, References 6

CVE
added 2026/02/27 9:52 p.m., 11 views

CVE-2026-28411

WeGIA Web Manager prior to version 3.6.5 is vulnerable to an authentication bypass via unsafe use of extract($_REQUEST). The issue allows an unauthenticated attacker to overwrite local variables across multiple PHP scripts, enabling unauthorized access to administrative and protected areas. remed...

9.8 CVSS, 6 AI score, 0.00325 EPSS
Exploits 1, References 1, Affected Software 1

CVE
added 2026/02/27 7:54 p.m., 12 views

CVE-2026-27836

phpMyFAQ prior to v4.0.18 is vulnerable due to the WebAuthn prepare endpoint (/api/webauthn/prepare), which creates new active user accounts without authentication, CSRF protection, captcha, or config checks. This allows unauthenticated attackers to create unlimited user accounts even when regist...

7.5 CVSS, 5.9 AI score, 0.00062 EPSS
Exploits 1, References 2, Affected Software 1

Cvelist
added 2026/02/27 5:23 p.m., 24 views

CVE-2019-25492 Homey BNB V4 SQL Injection via getcmsdata.php

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database...

8.8 CVSS, 0.00098 EPSS
Exploits 1, References 3

EUVD
added 2026/02/27 12:31 p.m., 5 views

EUVD-2024-55454

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper...

6.5 CVSS, 6.1 AI score, 0.00071 EPSS
Exploits 0, References 4

Cvelist
added 2026/02/27 9:23 a.m., 19 views

CVE-2024-10938 OVRI Payment 1.7.0 - Malicious .htaccess directive

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper...

6.5 CVSS, 0.00071 EPSS
Exploits 0, References 3

CVE
added 2026/02/27 9:23 a.m., 9 views

CVE-2024-10938

The provided connected document identifies a concrete issue: WordPress OVRI Payment Plugin version 1.7.0 contains a Malicious .htaccess directive vulnerability. The vulnerability was reported/discovered by Marco Wotschka (Wordfence) per Patchstack. The available sources do not specify the exact r...

6.5 CVSS, 6.1 AI score, 0.00071 EPSS
Exploits 0, References 3

Positive Technologies
added 2026/02/27 12:0 a.m., 5 views

PT-2026-22361

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive databas...

8.8 CVSS, 6 AI score, 0.00098 EPSS
Exploits 1, References 4

Tenable Nessus
added 2026/02/27 12:0 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-27590

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a...

9.8 CVSS, 7.5 AI score, 0.00245 EPSS
Exploits 1, References 3

NVD
added 2026/02/26 10:20 p.m., 5 views

CVE-2026-3261

A flaw has been found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /settings/index.php of the component Setting Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been published an...

9.8 CVSS, 0.00045 EPSS
Exploits 1, References 5

EUVD
added 2026/02/26 9:31 p.m., 4 views

EUVD-2026-8884

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote cod...

8.7 CVSS, 7 AI score, 0.00224 EPSS
Exploits 0, References 4

OSV
added 2026/02/26 9:28 p.m., 2 views

DEBIAN-CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive...

8.7 CVSS, 5.4 AI score, 0.0043 EPSS
Exploits 0, References 1

OSV
added 2026/02/26 9:28 p.m., 4 views

DEBIAN-CVE-2026-22206

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote cod...

8.8 CVSS, 7.1 AI score, 0.00224 EPSS
Exploits 0, References 1

UbuntuCve
added 2026/02/26 9:28 p.m., 3 views

CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive...

8.7 CVSS, 5.9 AI score, 0.0043 EPSS
Exploits 0, References 4

OSV
added 2026/02/26 9:28 p.m., 2 views

UBUNTU-CVE-2026-22206

SPIP versions prior to 4.4.10 contain a SQL injection vulnerability that allows authenticated low-privilege users to execute arbitrary SQL queries by manipulating union-based injection techniques. Attackers can exploit this SQL injection flaw combined with PHP tag processing to achieve remote cod...

8.8 CVSS, 6.7 AI score, 0.00224 EPSS
Exploits 0, References 5

Vulnrichment
added 2026/02/26 8:18 p.m., 5 views

CVE-2026-22205 SPIP < 4.4.10 Authentication Bypass via PHP Type Juggling

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive...

8.7 CVSS, 6 AI score, 0.0043 EPSS
Exploits 0, References 3

Debian CVE
added 2026/02/26 8:18 p.m., 4 views

CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive...

8.7 CVSS, 5.3 AI score, 0.0043 EPSS
Exploits 0

ATTACKERKB
added 2026/02/26 8:18 p.m., 3 views

CVE-2026-22205

SPIP versions prior to 4.4.10 contain an authentication bypass vulnerability caused by PHP type juggling that allows unauthenticated attackers to access protected information. Attackers can exploit loose type comparisons in authentication logic to bypass login verification and retrieve sensitive...

8.7 CVSS, 5.8 AI score, 0.0043 EPSS
Exploits 0, References 4