WordPress Bookit < 2.5.1 - Unauthenticated Stripe Settings Update
Bookit WordPress plugin 2.5.1 contains a broken access control vulnerability caused by a publicly accessible REST endpoint allowing unauthenticated update of Stripe payment options, letting remote attackers modify payment settings without authentication. id: CVE-2025-12841 info: name: WordPress...
YMC Filter WordPress - Unauthenticated Post Disclosure
YMC Filter WordPress plugin 3.11.3 contains a broken access control vulnerability caused by improper authorization and lack of validation in a REST API endpoint, letting unauthenticated attackers retrieve private and non-public post content, exploit requires no authentication. id: CVE-2026-10823...
Emby Server - Authentication Bypass
Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system,...
Vite Dev Server - Path Traversal
Vite is a frontend tooling framework for JavaScript. Prior to versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20, files whose names begin with the name of the public directory were served in a way that bypassed the server.fs settings. Only apps that explicitly expose the Vite dev server to the network using --host or...
KeyCloak - Information Exposure
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients like client secret without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this...
Blinko <= 1.8.3 - User Information Leak
Blinko = 1.8.4 contains an information disclosure caused by a publicly accessible endpoint exposing user information including usernames, roles, and account creation dates, letting remote attackers access sensitive user data, exploit requires no special privileges. id: CVE-2026-23486 info: name:...
PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting
PKP Open Journal Systems 2.4.8 to 3.3 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary code via the X-Forwarded-Host Header. id: CVE-2022-24181 info: name: PKP Open Journal Systems 2.4.8-3.3 - Cross-Site Scripting author: lucasljm2001,ekrause severit...
EUVD-2026-41266
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to...
CVE-2026-11578
| creationtimestamp | type | source |
|---|---|---|
| 2026-07-02 08:30:48+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mpnmjyq3om26... |
CVE-2026-11965
| creationtimestamp | type | source |
|---|---|---|
| 2026-07-02 08:15:45+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mpnlp5dwuo2m... |
CVE-2026-11781
The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with the low-privilege Contributor role to disclose non-public content that WordPress would not otherwise expose to them,...
CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX
The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with the low-privilege Contributor role to disclose non-public content that WordPress would not otherwise expose to them,...
EUVD-2026-41245
The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emddeletefile AJAX action. This is due to the emddeletefile handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically...
EUVD-2026-41244
The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...
CVE-2026-13707
| creationtimestamp | type | source |
|---|---|---|
| 2026-07-02 02:18:47+00:00 | seen | https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmxqtgpwn2t |
| 2026-07-02 06:28:45+00:00 | seen | https://bsky.app/profile/kriptabiz.bsky.social/post/3mpnfpsguj62l... |
CVE-2026-58399
| creationtimestamp | type | source |
|---|---|---|
| 2026-07-02 00:34:01+00:00 | seen | https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmrvi6m252q... |
CVE-2026-14049
| creationtimestamp | type | source |
|---|---|---|
| 2026-07-01 21:25:46+00:00 | seen | https://bsky.app/profile/kriptabiz.bsky.social/post/3mpmheuirk42q |
| 2026-07-02 07:50:37+00:00 | seen | https://www.hkcert.org/security-bulletin/google-chrome-multiple-vulnerabilities20260702... |
CVE-2026-14340
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization...
EUVD-2026-41145
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization...