Lucene search
K

871 matches found

Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-13333 Groundhogg <= 4.5.5 - Authenticated (Sales Rep+) SQL Injection via 'query[select]' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'queryselect' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS0.00344EPSS
Exploits0References6
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-9800 Keycloak: keycloak policy enforcer: authorization bypass via incorrect uri comparison

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...

8.1CVSS0.0031EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 6 days ago6 views

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

7.5CVSS6.8AI score0.01945EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/24 12:49 p.m.6 views

CVE-2026-13163

Open redirect vulnerability CWE-601 in the saferedirect function of the click-tracking endpoint /c// in Mailerup 1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the...

5.3CVSS6.1AI score0.00329EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 12:49 p.m.9 views

EUVD-2026-38759

Open redirect vulnerability CWE-601 in the saferedirect function of the click-tracking endpoint /c// in Mailerup 1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the...

5.3CVSS6.1AI score0.00329EPSS
Exploits0References1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.7 views

Astra Linux – Vulnerability in Docker-Registry

A flaw was discovered in the /v2/catalog endpoint located in the distribution/distribution directory. This endpoint accepts a parameter that controls the maximum number of records to be returned query string: n. This vulnerability allows a malicious user to submit an excessively large value for n...

6.5CVSS6.5AI score0.00938EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.5 views

Astra Linux – Vulnerability in Zabbix

There is a vulnerability related to arbitrary file reading in the Zabbix Web Service Report Generation module, which listens on port 10053. The service does not perform proper validation on URL parameters before reading the files...

5.9CVSS6.1AI score0.47772EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux - Vulnerability in Golang-1.23

The net/url package does not limit the number of query parameters in a query. Although the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing man...

7.5CVSS6.8AI score0.01945EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 8:16 a.m.11 views

CVE-2026-12111

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

4.3CVSS0.00285EPSS
Exploits0References10
NVD
NVD
added 2026/06/17 10:16 p.m.12 views

CVE-2026-54386

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...

6.1CVSS0.00239EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/17 9:37 p.m.18 views

CVE-2026-54386 marimo < 0.23.9 XSS via file Query Parameter in assets.py

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...

6.1CVSS0.00239EPSS
Exploits0References4
CVE
CVE
added 2026/06/17 9:37 p.m.16 views

CVE-2026-54386

CVE-2026-54386 affects marimo prior to 0.23.9. A reflected XSS in the notebook page arises from improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string. An unauthenticated attacker can craft a link with a payload (notably starting with new ) that ...

6.1CVSS5.1AI score0.00239EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.10 views

PT-2026-50547

Today I received a public security credit for a vulnerability I responsibly disclosed: CVE-2026-54683 – Improper authorization in NL Portal The vulnerability allowed any authenticated portal user to download documents belonging to other users when they had access to a valid document identifier. A...

6.5CVSS5.2AI score
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.12 views

PT-2026-49302

Name of the Vulnerable Software and Affected Versions Vector versions prior to 0.55.0 Description The ClickHouse sink contains a SQL/identifier injection flaw. The software escaped the table identifier but interpolated the database value raw into the INSERT statement, allowing a crafted database...

9.8CVSS5.4AI score0.00321EPSS
Exploits0References3
CVE
CVE
added 2026/06/15 12:0 a.m.12 views

CVE-2026-39196

Datadog Vector v0.54.0 contains a SQL injection in the set_uri_query parameter of KeyPartitioner::partition. The vulnerability could allow an attacker to access sensitive database information via crafted SQL statements. Affected component: Vector’s data routing/partition logic (KeyPartitioner::pa...

9.8CVSS5.7AI score0.00321EPSS
Exploits0References1
Rockylinux
Rockylinux
added 2026/06/11 12:3 p.m.15 views

osbuild-composer security update

An update is available for osbuild-composer. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list A service for building customized OS artifacts, such as VM images an...

10CVSS6.8AI score0.01945EPSS
Exploits3
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.12 views

PT-2026-48687

Name of the Vulnerable Software and Affected Versions meta-ads-mcp versions prior to 1.0.102 Description An improper authentication issue exists where the AuthInjectionMiddleware.dispatch function in http auth integration.py unconditionally forwards unauthenticated Streamable HTTP requests to...

9.1CVSS5.3AI score0.0013EPSS
Exploits0References10
NVD
NVD
added 2026/06/06 11:16 a.m.11 views

CVE-2026-11408

A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. Th...

6.5CVSS0.01114EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.7 views

CVE-2026-27949

Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...

4.3CVSS5.5AI score0.00168EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:44 p.m.10 views

CVE-2026-39825

ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery...

5.3CVSS5.5AI score0.0039EPSS
Exploits0References1
Rows per page
Query Builder