Lucene search
+L

712 matches found

OSV
OSV
added 2026/04/24 2:42 a.m.3 views

CVE-2026-41430 Press vulnerable to reflected XSS on login redirection

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting...

5.3CVSS6AI score0.00155EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/24 2:40 a.m.3 views

CVE-2026-41317

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

8.7CVSS5.8AI score0.00165EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/24 2:40 a.m.36 views

CVE-2026-41317 Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

8.7CVSS0.00165EPSS
Exploits0References2
CVE
CVE
added 2026/04/24 2:40 a.m.22 views

CVE-2026-41317

The CVE concerns Press, a Frappe-based app, where the API endpoint press.api.account.create_api_secret is vulnerable to CSRF-like exploits. The issue stems from the endpoint accepting unsafe HTTP methods (GET) and writing to the database, enabling unauthorized actions without user interaction. A ...

8.7CVSS5.8AI score0.00165EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/24 2:40 a.m.4 views

CVE-2026-41317 Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

8.7CVSS5.2AI score0.00165EPSS
Exploits0References2
OSV
OSV
added 2026/04/24 2:40 a.m.3 views

CVE-2026-41317 Frappe Press has an unsafe HTTP method / CSRF-adjacent issue on API secret generation

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

8.7CVSS6AI score0.00165EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.14 views

Press 跨站请求伪造漏洞

Press is a custom application developed by Frappe that runs Frappe Cloud. Press has a cross-site request forgeing vulnerability. This vulnerability stems from the press.api.account.createapisecret endpoint, which is vulnerable to CSRF attacks. This endpoint can be accessed via a GET request and...

8.7CVSS5.7AI score0.00165EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.10 views

Press 跨站脚本漏洞

Press is a custom application developed by Frappe, based on the Frappe Cloud platform. Press has a cross-site scripting vulnerability, which stems from the redirection parameters on the login page, making them susceptible to reflection-type cross-site scripting attacks...

6.1CVSS5.6AI score0.00155EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/17 10:14 p.m.14 views

OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage

Summary Browser press/type interaction routes missed complete navigation guard coverage. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Some browser press/type style interactions could trigger navigation without complete post-action SSRF...

7.7CVSS5.7AI score0.00264EPSS
Exploits0References10Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.12 views

PT-2026-31293

Name of the Vulnerable Software and Affected Versions Beaver Builder Page Builder versions up to and including 2.10.1.1 Description The Beaver Builder Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting through the settingsjs parameter due to inadequate input...

6.4CVSS5.8AI score0.00261EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/04 11:16 a.m.2 views

CVE-2026-3309 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...

6.5CVSS6.2AI score0.00407EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/01 12:0 a.m.13 views

VulnCheck KEV: CVE-2023-24000

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in GamiPress gamipress allows SQL Injection.This issue affects GamiPress: from n/a through 2.5.7...

9.8CVSS8.9AI score0.0257EPSS
In wildExploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 5:5 p.m.4 views

CVE-2026-25361

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through = 5.1.4...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.3 views

CVE-2026-2720

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References1
CVE
CVE
added 2026/03/25 4:14 p.m.10 views

CVE-2026-22507

CVE-2026-22507 describes a Deserialization of Untrusted Data vulnerability in the WordPress theme Beelove (AncoraThemes Beelove) up to version 1.2.6, allowing PHP object injection. Red Hat and ENISA ENISA-ENISA pages corroborate the same description. The issue affects Beelove: from n/a through

9.8CVSS5.8AI score0.0051EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/03/23 6:59 p.m.8 views

WordPress Hr Press Lite plugin <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Employee Information Exposure vulnerability discovered by WordFence in WordPress Plugin Hr Press Lite versions = 1.0.2...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/21 3:27 a.m.1 views

CVE-2026-2720 Hr Press Lite <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:27 a.m.7 views

CVE-2026-2720

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References6
CVE
CVE
added 2026/03/21 3:27 a.m.11 views

CVE-2026-2720

The Hr Press Lite WordPress plugin is vulnerable due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to 1.0.2, allowing authenticated users with Subscriber-level access and above to fetch sensitive employee data (names, emails, phone numbers, salary/pay rat...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.11 views

CVE-2026-3460 REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS5.9AI score0.00324EPSS
Exploits0References7
Rows per page
Query Builder