Lucene search
K

1177 matches found

Nuclei
Nuclei
added 5 hours ago31 views

Glossy WordPress - Reflected XSS

Glossy WordPress plugin v2.3.5 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to click a malicious link. id: CVE-2024-13325 info: name: Glossy WordPress -...

6.1CVSS7AI score0.00567EPSS
Exploits1References1
Nuclei
Nuclei
added 5 hours ago59 views

Post Sync Plugin <= 1.1 - Cross-Site Scripting

Post Sync WordPress plugin = 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a maliciou...

6.1CVSS7AI score0.0061EPSS
Exploits1References2
Nuclei
Nuclei
added 5 hours ago81 views

Duplicate Page WordPress - Stored Cross-Site Scripting

Duplicate Page WordPress plugin = 4.4.2 contains a stored cross-site scripting caused by unsanitized Duplicate Post Suffix settings in output, letting high privilege users execute malicious scripts, exploit requires high privilege user role. id: CVE-2021-24681 info: name: Duplicate Page WordPress...

4.8CVSS6.1AI score0.0087EPSS
Exploits2References3
CVE
CVE
added yesterday6 views

CVE-2026-58408

ChurchCRM prior to version 7.4.0 exposes a CSV export endpoint that leaks full PII of every Person/Family. The POST /CSVCreateFile.php export is gated only by a coarse admin permission check and lacks a dedicated isAdmin/owner authorization, allowing any user with non-admin flags to trigger a bul...

6.5CVSS6.1AI score
Exploits0References1
NVD
NVD
added 6 days ago7 views

CVE-2026-55873

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated...

4.3CVSS0.00199EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 6 days ago9 views

CVE-2026-57239

The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM...

8.2CVSS6AI score0.00115EPSS
Exploits0References2Affected Software2
CVE
CVE
added 2026/07/04 12:5 p.m.20 views

CVE-2026-12196

The CVE-2026-12196 entry describes a broken access control vulnerability in the HestiaCP panel cronjob feature. Low-privilege users can modify the panel cronjob to execute management scripts with passwordless sudo, enabling takeover of administrator users in the application and the underlying web...

8.3CVSS6AI score0.00256EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 3:17 p.m.10 views

CVE-2026-9272

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System ADS may send specially crafted requests that could result in unauthorized access to application data and its...

8.7CVSS0.00247EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 2:2 p.m.18 views

CVE-2026-9272

CVE-2026-9272 affects Progress Flowmon ADS prior to 12.5.6 and 13.0.5. An adversary authenticated as a low-privileged ADS user can send specially crafted requests that lead to unauthorized access to and modification of application data. The CVE’s metrics indicate HIGH impact on confidentiality, i...

8.7CVSS5.8AI score0.00247EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/02 2:2 p.m.38 views

CVE-2026-9272 Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System ADS may send specially crafted requests that could result in unauthorized access to application data and its...

8.7CVSS0.00247EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 11:31 p.m.15 views

CVE-2026-50279

Craft CMS (versions 5.0.0-RC1 through 5.9.20) contains an authorization gap in EntriesController::actionSaveEntry where entry-edit checks precede author changes. The code path allows attacker-supplied authors to mutate the authors list when the current user is among the old authors, without re-ru...

7.6CVSS5.7AI score0.00245EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 4:32 p.m.8 views

CVE-2026-56152

Incorrect Authorization CWE-863 in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs CAPEC-1. Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to vie...

5.3CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.8 views

PT-2026-54831

Name of the Vulnerable Software and Affected Versions MCO version 25.3.3.1 Description Insufficient authorization enforcement occurs in the '/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure' endpoint. This allows an authenticated user with low privileges to retrieve...

7.1CVSS5.8AI score0.00183EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2026/06/29 10:57 p.m.2 views

mariadb: Arbitrary code execution via global system variable manipulation by a high-privileged user

A flaw was found in MariaDB server. A high-privileged MariaDB user could exploit this vulnerability by manipulating specific global system variables, namely wsrepsstreceiveaddress or wsrepsstdonor. This manipulation could allow the user to execute arbitrary shell commands as the user ID of the...

9.1CVSS6.2AI score0.00967EPSS
Exploits0References6
CVE
CVE
added 2026/06/26 1:11 a.m.21 views

CVE-2026-50739

Revive Adserver 6.0.7 and earlier expose a bypass of ownership validation in the reverse operation that links campaigns and trackers via tracker-campaigns.php. A low-privilege user could link their trackers to campaigns owned by other managers on the same instance, causing inconsistent ownership ...

4.3CVSS5.8AI score0.00287EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2026/06/21 1:27 p.m.18 views

CVE-2026-56385

Craft CMS suffers an authorization bypass in the assets/preview-file endpoint. Versions affected: 5.0.0-RC1–5.9.13 and 4.0.0-RC1–4.17.7. An authenticated low-privileged user can supply an assetId for an asset they should not view and still receive preview data (previewHtml), including a private p...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 6:17 p.m.13 views

CVE-2026-20265

In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration. The vulnerability exists...

4.3CVSS0.00217EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 3:16 p.m.13 views

CVE-2026-10850

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the descriptionhtml field when creating an intake work item through the API v1 intake endpoint...

6.9CVSS0.00165EPSS
Exploits1References2
OSV
OSV
added 2026/06/16 7:16 p.m.5 views

ALPINE-CVE-2026-4367

A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the xpmNextWord function by processing a specially crafted or very small XPM X PixMap image file. This improper validation of file boundaries can cause an internal pointer to read...

5.5CVSS4.7AI score0.00129EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.25 views

PT-2026-50030

🚨 CVE-2026-46926 Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM component: Siebel Cloud Manager. Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM...

8.8CVSS5.9AI score0.0012EPSS
Exploits0References3
Rows per page
Query Builder