CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added yesterday•19 views

Flowise < 3.0.1 - Remote Command Execution

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls RBAC. Furthermore, in Flowise versions before 3.0.1 the...

9.8CVSS6.1AI score0.82098EPSS

Exploits3References2

Nuclei•added yesterday•15 views

Uncanny Automator <= 6.3.0.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to addrole and userrole functions missing proper capability checks performed through the...

8.8CVSS7.3AI score0.1036EPSS

Exploits0References4

Nuclei•added yesterday•13 views

HyperComments <= 1.2.2 - Arbitrary Options Update

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hcrequesthandler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to...

8.8CVSS5.9AI score0.13438EPSS

Exploits4References2

EUVD•added yesterday•7 views

EUVD-2026-34055

The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the formsettingsui settings save handler, procedural include scope functio...

4.3CVSS5.7AI score0.00012EPSS

Exploits0References5

Vulnrichment•added 2 days ago•3 views

CVE-2026-9732 EmergencyWP <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update

4.3CVSS5.7AI score0.00012EPSS

Exploits0References4

Cvelist•added 2 days ago•16 views

CVE-2026-9732 EmergencyWP <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update

4.3CVSS0.00012EPSS

Exploits0References4

RedhatCVE•added 2 days ago•5 views

CVE-2026-46414

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK...

8.8CVSS5.8AI score0.00049EPSS

RedhatCVE•added 2 days ago•4 views

CVE-2026-48136

When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain CMA can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access permission...

4.1CVSS5.8AI score0.00056EPSS

Nuclei•added 2 days ago•92 views

Github Enterprise Authenticated Remote Code Execution

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the...

9.8CVSS7.8AI score0.69506EPSS

Exploits1References5

NVD•added 2 days ago•8 views

CVE-2026-8422

The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers...

4.3CVSS0.00015EPSS

EUVD•added 2 days ago•6 views

EUVD-2026-33898

Vulnrichment•added 2 days ago•3 views

CVE-2026-8422 Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update

CVE•added 2 days ago•7 views

CVE-2026-8422

CVE-2026-8422 concerns the WordPress plugin Remove meta boxes per user role (versions up to and including 1.01). The vulnerability stems from missing or incorrect nonce validation on the remove-meta-boxes-per-user-role page, enabling CSRF. This could allow unauthenticated attackers to modify or r...

Cvelist•added 2 days ago•28 views

CVE-2026-8422 Remove meta boxes per user role <= 1.01 - Cross-Site Request Forgery to Settings Update

4.3CVSS0.00015EPSS

ATTACKERKB•added 2 days ago•5 views

CVE-2026-8422

Positive Technologies•added 2 days ago•4 views

Exploits0References8

PT-2026-45709

NVD•added 3 days ago•6 views

Exploits0References8

CVE-2026-24782

Kiteworks is a private data network PDN. Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global...

8.8CVSS0.00026EPSS

RedhatCVE•added 3 days ago•6 views

CVE-2026-10167

A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function signauthcookie of the file application/controllers/Login.php of the component MYController. Executing a manipulation of the argumen...

7.5CVSS5.5AI score0.00061EPSS