8338 matches found

Source: Cvelist (added yesterday, 4 views)

CVE-2026-6556 @fastify/express vulnerable to middleware bypass via non-string mount paths in prefixed plugins

@fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms doe...

CVSS: 9.1 | Exploits: 0 | References: 2

Source: CVE (added yesterday, 6 views)

CVE-2026-6556

The CVE concerns @fastify/express 4.0.6 and earlier, where non-string mount paths (arrays/regex) are not prefixed inside prefixed plugin scopes. This causes middleware registered with those forms to not match the actual prefixed request path, potentially bypassing path-scoped security middleware ...

CVSS: 9.1 | AI score: 5.8 | Exploits: 0 | References: 2

Source: Nuclei (added yesterday, 50 views)

WordPress Redux Framework <=4.2.11 - Information Disclosure

WordPress Redux Framework plugin through 4.2.11 is susceptible to information disclosure. The plugin registers several unique AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php. These are predictable, given that they are based on an md5 has...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.28961 | Exploits: 6 | References: 5

Source: Nuclei (added yesterday, 25 views)

Bloofox v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the pid parameter at admin/index.php?mode=settings&page=plugins&action=edit. id: CVE-2023-34754 info: name: Bloofox v0.5.2.1 - SQL Injection author: ritikchaddha severity: critical description: | bloofox v0.5.2.1 was...

CVSS: 9.8 | AI score: 7.3 | EPSS: 0.03449 | Exploits: 1 | References: 2

Source: Nuclei (added yesterday, 15 views)

All Thrive Themes and Plugins - Unauthenticated Option Update

The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...

CVSS: 5.3 | AI score: 6.2 | EPSS: 0.02076 | Exploits: 2 | References: 2

Source: Nuclei (added yesterday, 35 views)

WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. id: CVE-2023-0600 info: name: WP Visitor Statistics Real Time Traffic 6.9 - SQL Injection author: r3Y3r53,j4vaovo severity: critical description: | The...

CVSS: 9.8 | AI score: 7.4 | EPSS: 0.04234 | Exploits: 2 | References: 3

Source: Nuclei (added 2 days ago, 41 views)

WordPress WHMCS Bridge <6.4b - Cross-Site Scripting

WordPress WHMCS Bridge plugin before 6.4b contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the error parameter before outputting it back in the admin dashboard. id: CVE-2021-25112 info: name: WordPress WHMCS Bridge 6.4b - Cross-Site Scripting author:...

CVSS: 6.1 | AI score: 6.2 | EPSS: 0.02187 | Exploits: 2 | References: 4

Source: Nuclei (added 2 days ago, 9 views)

WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure

Widgets for Social Photo Feed WordPress plugin <= 1.8 contains a broken access control caused by missing capability checks on specific REST API endpoints, letting unauthenticated attackers access and modify plugin settings remotely. id: CVE-2025-14726 info: name: WordPress Widgets for Social Photo...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.0083 | Exploits: 0 | References: 3

Source: Nuclei (added 2 days ago, 58 views)

OpenDreambox 2.0.0 - Remote Code Execution

OpenDreambox 2.0.0 is susceptible to remote code execution via the webadmin plugin. Remote attackers can execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI in enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py. id: CVE-2017-14135 info: nam...

CVSS: 10 | AI score: 8.1 | EPSS: 0.21842 | Exploits: 1 | References: 5

Source: Nuclei (added 2 days ago, 77 views)

WordPress Visitor Statistics <=5.7 - SQL Injection

WordPress Visitor Statistics plugin through 5.7 contains multiple unauthenticated SQL injection vulnerabilities. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-33965 info:...

CVSS: 9.8 | AI score: 7.4 | EPSS: 0.03413 | Exploits: 0 | References: 5

Source: Tenable Nessus (added 2 days ago, 4 views)

Linux Distros Unpatched Vulnerability : CVE-2026-12891

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A flaw was found in the GStreamer gst-plugins-bad package. When processing a malformed H.266/VVC video stream with a crafted aspect ratio indicator value, the...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.00265 | Exploits: 0 | References: 4

Source: Tenable Nessus (added 2 days ago, 4 views)

Linux Distros Unpatched Vulnerability : CVE-2026-12892

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A flaw was found in GStreamer's gst-plugins-bad package. When processing a specially crafted H.264 video file containing malformed MVC or SVC extension slice NA...

CVSS: 4.4 | AI score: 5.8 | EPSS: 0.00124 | Exploits: 0 | References: 4

Source: Nuclei (added 3 days ago, 52 views)

GutenKit <= 2.1.0 - Arbitrary File Upload

The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the installandactivatepluginfromexternal function install-active-plugin REST API endpoint in all versions up to, a...

CVSS: 9.8 | AI score: 7.7 | EPSS: 0.10429 | Exploits: 3 | References: 2

Source: NVD (added 5 days ago, 9 views)

CVE-2026-49869

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...

CVSS: 10 | EPSS: 0.00691 | Exploits: 1 | References: 1

Source: Cvelist (added 5 days ago, 23 views)

CVE-2026-49869 Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...

CVSS: 10 | EPSS: 0.00691 | Exploits: 1 | References: 1

Source: EUVD (added 5 days ago, 4 views)

EUVD-2026-39778

Mattermost Plugins versions =11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...

CVSS: 6.8 | AI score: 5.8 | EPSS: 0.00325 | Exploits: 0 | References: 2

Source: NVD (added 5 days ago, 9 views)

CVE-2026-9699

Mattermost Plugins versions =11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...

CVSS: 6.8 | EPSS: 0.00325 | Exploits: 0 | References: 1

Source: Rockylinux (added 5 days ago, 4 views)

containernetworking-plugins security update

An update is available for containernetworking-plugins. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The Container Network Interface (CNI) project consists of a...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00728 | Exploits: 0

Source: OSV (added 5 days ago, 4 views)

RHSA-2026:29703 Red Hat Security Advisory: containernetworking-plugins security update

Bulletin has no description...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.00728 | Exploits: 0 | References: 33

Source: Tenable Nessus (added 5 days ago, 6 views)

Oracle Linux 9 : containernetworking-plugins (ELSA-2026-29703)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2026-29703 advisory. - Rebuild for CVE-2026-25679. Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.00728 | Exploits: 0 | References: 5
