Lucene search
K

130 matches found

NVD
NVD
added 6 days ago6 views

CVE-2026-59805

Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revokeaccess and undorevokeaccess actions without seller ownership...

7.1CVSS0.0022EPSS
Exploits0References5
CVE
CVE
added 6 days ago8 views

CVE-2026-59805

Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController. Authenticated sellers can manipulate purchase access for other sellers' products by issuing PUT requests to revoke_access and undo_revoke_access without validating ownership. This lets attackers...

7.1CVSS6.1AI score0.0022EPSS
Exploits0References5
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-42374

Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revokeaccess and undorevokeaccess actions without seller ownership...

7.1CVSS6.1AI score0.0022EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago35 views

CVE-2026-59805 Gumroad < 2026.07.06.2 - Insecure Direct Object Reference in PurchasesController

Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revokeaccess and undorevokeaccess actions without seller ownership...

7.1CVSS0.0022EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 6 days ago6 views

PT-2026-56567

Name of the Vulnerable Software and Affected Versions Gumroad versions prior to 2026.07.06.2 Description Broken access control in the PurchasesController allows authenticated sellers to manipulate purchase access for products belonging to other sellers. By sending PUT requests to the revoke acces...

7.1CVSS6.2AI score0.0022EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:37 p.m.11 views

CVE-2026-42877

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS5.9AI score0.00165EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/27 6:37 p.m.17 views

CVE-2026-42877 FacturaScripts: Stored XSS via product reference in sales/purchases

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS5.9AI score0.00165EPSS
Exploits0References1
CVE
CVE
added 2026/05/27 6:37 p.m.17 views

CVE-2026-42877

CVE-2026-42877 describes a stored XSS in FacturaScripts where the product variant field referencia is injected into an onclick attribute in SalesModalHTML.php and PurchasesModalHTML.php without proper escaping. The vulnerability allows an authenticated user with warehouse access to create a malic...

5.4CVSS5.9AI score0.00165EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 6:37 p.m.48 views

CVE-2026-42877 FacturaScripts: Stored XSS via product reference in sales/purchases

FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales Core/Lib/AjaxForms/SalesModalHTML.php and purchases documents Core/Lib/AjaxForms/PurchasesModalHTML.php. An...

5.4CVSS0.00165EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/07 7:37 p.m.10 views

FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

Summary A stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other use...

5.4CVSS6.1AI score0.00165EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/07 7:37 p.m.10 views

GHSA-R736-2678-FCRX FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

Summary A stored Cross-Site Scripting XSS vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other use...

5.4CVSS6.1AI score0.00165EPSS
Exploits0References3
Packet Storm
Packet Storm
added 2026/05/04 12:0 a.m.57 views

📄 UltimatePOS 4.8 Cross Site Scripting

The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability. CVE-2025-60503 — Stored Cross-Site Scripting XSS in UltimatePOS UltimateFosters v4.8 Publication date: 2025-10-30 CVE ID: CVE-2025-60503 RESERVED Researcher: Vivien Lebas Vendor:...

8.7CVSS5.3AI score0.00375EPSS
Exploits3
RedhatCVE
RedhatCVE
added 2026/05/01 8:48 p.m.6 views

CVE-2026-2892

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'getcustomerdata' method relying on an unsigned 'ostripedata' cookie to determine Stripe product ownership for unauthenticated users. The...

7.5CVSS5.8AI score0.0032EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/02 12:0 a.m.10 views

OneUptime 安全漏洞

OneUptime is a comprehensive solution developed by OneUptime OpenSource. It is used to monitor and manage your online services. Versions of OneUptime prior to 10.0.42 contained security vulnerabilities. These vulnerabilities stemmed from multiple notification API endpoints not registering...

9.2CVSS5.8AI score0.006EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.12 views

PT-2026-29316

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, a user may be able to purchase a lower tier subscription but grant themselves the benefits that comes along with a higher...

6.3CVSS5.7AI score0.00171EPSS
Exploits0References6
Wired Threat Level
Wired Threat Level
added 2026/03/12 6:0 p.m.10 views

US Lawmakers Move to Kill the FBI’s Warrantless Wiretap Access

A bipartisan bill would force the FBI to get a warrant to read Americans’ messages and ban the federal purchase of commercial data on US residents ahead of a critical April deadline...

5.8AI score
Exploits0
EUVD
EUVD
added 2025/11/09 12:17 a.m.2 views

EUVD-2025-38432

Malicious code in bf-purchases-frontend-web npm...

6.6AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/08 2:0 p.m.5 views

Malicious code in bf-purchases-frontend-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5dd380729ba06ecc83dd6bb54612311d4c2b15fc0b2eed47205416bf280f879 The package bf-purchases-frontend-web was found to contain malicious code. Source: ossf-package-analysis...

7.2AI score
Exploits0
OSV
OSV
added 2025/11/08 2:0 p.m.1 views

MAL-2025-49398 Malicious code in bf-purchases-frontend-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5dd380729ba06ecc83dd6bb54612311d4c2b15fc0b2eed47205416bf280f879 The package bf-purchases-frontend-web was found to contain malicious code. Source: ossf-package-analysis...

7AI score
Exploits0
EUVD
EUVD
added 2025/10/31 9:27 a.m.6 views

EUVD-2025-37322

The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it...

7.5CVSS5.5AI score0.00269EPSS
Exploits0References3
Rows per page
Query Builder