Lucene search
+L

1684 matches found

Nuclei
Nuclei
added yesterday14 views

WP Projects Portfolio <= 3.0 - Cross-Site Scripting

WP Projects Portfolio with Client Testimonials WordPress plugin = 3.0 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13114...

6.1CVSS8AI score0.00562EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday40 views

Joomla! Portfolio Nexus - Remote File Inclusion

Joomla! Portfolio Nexus 1.5 contains a remote file inclusion vulnerability in the inertialFATE iF comifnexus component that allows remote attackers to include and execute arbitrary local files via a .. dot dot in the controller parameter to index.php. id: CVE-2009-4679 info: name: Joomla! Portfol...

7.5CVSS5.8AI score0.07866EPSS
Exploits1References4
NVD
NVD
added 5 days ago3 views

CVE-2026-57712

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPZOOM WPZOOM Portfolio wpzoom-portfolio allows Reflected XSS.This issue affects WPZOOM Portfolio: from n/a through = 1.4.29...

7.1CVSS0.0018EPSS
Exploits0References1
CVE
CVE
added 5 days ago9 views

CVE-2026-57712

WPZOOM Portfolio plugin

7.1CVSS6.1AI score0.0018EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 5 days ago3 views

CVE-2026-57712

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPZOOM WPZOOM Portfolio wpzoom-portfolio allows Reflected XSS.This issue affects WPZOOM Portfolio: from n/a through = 1.4.29...

7.1CVSS6.1AI score0.0018EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago28 views

CVE-2026-57712 WordPress WPZOOM Portfolio plugin <= 1.4.29 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPZOOM WPZOOM Portfolio wpzoom-portfolio allows Reflected XSS.This issue affects WPZOOM Portfolio: from n/a through = 1.4.29...

7.1CVSS0.0018EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/07/10 7:34 a.m.5 views

WordPress WPZOOM Portfolio plugin <= 1.4.29 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Thaer Assfour in WordPress Plugin WPZOOM Portfolio versions = 1.4.29...

7.1CVSS6.1AI score0.0018EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/07/07 7:16 p.m.10 views

CVE-2026-59708

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS0.00343EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/07 6:38 p.m.33 views

CVE-2026-59708 Ghostfolio - Unauthorized Portfolio Data Exposure via Public Endpoint

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS0.00343EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/07 6:38 p.m.6 views

EUVD-2026-42074

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS6AI score0.00343EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/07 6:38 p.m.4 views

CVE-2026-59708 Ghostfolio - Unauthorized Portfolio Data Exposure via Public Endpoint

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS6AI score0.00343EPSS
Exploits0References4
CVE
CVE
added 2026/07/07 6:38 p.m.11 views

CVE-2026-59708

Ghostfolio suffers an unauthorized data exposure via GET /api/v1/public/:accessId/portfolio. The endpoint accepts private access IDs without granteeUserId filtering, enabling unauthenticated retrieval of full portfolio data (holdings, quantities, buy prices, performance metrics). Impact is confid...

8.7CVSS6AI score0.00343EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/07 6:38 p.m.6 views

CVE-2026-59708

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS6AI score0.00343EPSS
Exploits0References5
OSV
OSV
added 2026/07/07 6:38 p.m.5 views

CVE-2026-59708 Ghostfolio - Unauthorized Portfolio Data Exposure via Public Endpoint

The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...

8.7CVSS6AI score0.00343EPSS
Exploits0References6
NVD
NVD
added 2026/07/07 3:16 p.m.8 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS0.002EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/07 2:12 p.m.8 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References5
CVE
CVE
added 2026/07/07 2:12 p.m.10 views

CVE-2026-59709

Ghostfolio CVE-2026-59709 affects the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint. The root cause is a missing verification of Access.permissions when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with va...

5.3CVSS6AI score0.002EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/07 2:12 p.m.35 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS0.002EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/07 2:12 p.m.5 views

EUVD-2026-42046

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 2:12 p.m.3 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References6
Rows per page
Query Builder