Lucene search
K

9650 matches found

NVD
NVD
added yesterday7 views

CVE-2026-57821

A SQL Injection vulnerability exists in Apache Fineract's Office Search API GET /api/v1/offices in versions up to and including 1.14.0. The orderBy request parameter is concatenated into a SQL query without sufficient validation, allowing an authenticated user with permission to view offices to...

8.1CVSS0.00286EPSS
Exploits0References3
CVE
CVE
added yesterday13 views

CVE-2026-57821

Apache Fineract Office Search API (GET /api/v1/offices) is affected up to version 1.14.0. The vulnerability arises from a SQL injection in the orderBy parameter, which is concatenated into a SQL query without adequate validation. An authenticated user with permission to view offices can inject ar...

8.1CVSS6.1AI score0.00286EPSS
Exploits0References3Affected Software1
Nuclei
Nuclei
added yesterday11 views

YITH WooCommerce Ajax Search <= 2.4.0 - Cross-Site Scripting

The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'queryString' parameter in the REST API endpoint /ywcas/v1/register in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. id: CVE-2024-4455 info...

7.2CVSS6.1AI score0.0101EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday23 views

WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass

Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in ismainwpauthenticated function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrat...

9.8CVSS6.1AI score0.14608EPSS
Exploits11References2
NVD
NVD
added 2 days ago5 views

CVE-2026-62393

Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin. Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to...

4.3CVSS0.00463EPSS
Exploits0References2
Nuclei
Nuclei
added 2 days ago17 views

Web-Check < 2.0.1 Screenshot API - OS Command Injection

Lissy93/web-check contains a command injection caused by unsanitized user input in the screenshot API, letting attackers execute arbitrary system commands, exploit requires sending crafted url parameters. id: CVE-2025-32778 info: name: Web-Check 2.0.1 Screenshot API - OS Command Injection author:...

9.3CVSS6.3AI score0.19761EPSS
Exploits4References4
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-43599

A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...

6.9CVSS5.9AI score0.00353EPSS
Exploits0References8
Cvelist
Cvelist
added 2 days ago29 views

CVE-2026-15622 poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization

A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...

6.9CVSS0.00353EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-58851

Name of the Vulnerable Software and Affected Versions zhinianboke xianyu-auto-reply versions prior to 19fc3282a1bb78a05c34945c088525d20e081cbd Description An issue in the Backend User Endpoint allows remote attackers to perform manipulations that result in missing authorization. This occurs withi...

7.5CVSS7AI score0.00297EPSS
Exploits0References9
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43500

In the Apache Airflow FAB auth manager, a DAG whose dagid is DAGs collided with the global all-DAGs permission resource name produced by resourcename, so a user granted per-DAG accesscontrol on that one DAG was silently granted the global all-DAGs permission privilege escalation. The escalation...

8.1CVSS6.1AI score0.0036EPSS
Exploits0References2
Nuclei
Nuclei
added 3 days ago24 views

Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandlerhandlePostRequest is able to create JmxRequest...

8.8CVSS7.1AI score0.8581EPSS
Exploits2References3
NVD
NVD
added 3 days ago6 views

CVE-2026-15520

A vulnerability was determined in GNU LibreDWG 0.13.4-154-g0b573035. This impacts the function decompressR2004section of the file src/decode.c of the component R2004 Section Decompression. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The explo...

5.3CVSS0.00136EPSS
Exploits0References10
Cvelist
Cvelist
added 3 days ago36 views

CVE-2026-15516 MacCMS Pro Installation Index.php step5 authorization

A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a...

6.3CVSS0.00274EPSS
Exploits0References6
CVE
CVE
added 4 days ago14 views

CVE-2026-15513

The CVE-2026-15513 vulnerability affects the Wavlink WL-NU516U1 (model 260515) in the CGI handler /cgi-bin/adm.cgi, specifically the wlink_uci_set_value function. An attacker can remotely manipulate the lan_ip argument to trigger an OS command injection. Impact is described as network-accessible ...

6.5CVSS6.5AI score0.01422EPSS
Exploits0References6
NVD
NVD
added 6 days ago6 views

CVE-2026-49844

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: wh...

6.3CVSS0.00659EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 6 days ago8 views

CVE-2026-55689

OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, when OpenFGA is configured to use OIDC authentication authn.method=oidc, authn.oidc.issuer set but authn.oidc.audience is left unset, the JWT audience claim on incoming bearer tokens is not validated. As a result...

8.1CVSS6.1AI score0.00301EPSS
Exploits0References8
NVD
NVD
added 6 days ago4 views

CVE-2026-40452

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to...

7.5CVSS0.00256EPSS
Exploits0References2
EUVD
EUVD
added 6 days ago9 views

EUVD-2026-42833

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Apache IoTDB. An attacker can write arbitrary files anywhere the IoTDB process has write permissions with unsafe API. This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are recommended to...

9.1CVSS6.2AI score0.00349EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 6 days ago7 views

CVE-2026-15330

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function buildimagecontent/downloadtodataurl of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack c...

7.5CVSS6.6AI score0.00352EPSS
Exploits0References9Affected Software1
EUVD
EUVD
added last week8 views

EUVD-2026-42529

Permissive Cross-Origin Resource Sharing CORS in the REST API helix-rest, org.apache.helix.rest.server.filters.CORSFilter in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a web page visited by an authorized user to read responses from and issue cross-origin...

7.5CVSS6AI score0.00269EPSS
Exploits0References1
Rows per page
Query Builder