Lucene search
+L

7199 matches found

nvd
nvd
added 2026/06/24 7:16 a.m.11 views

CVE-2026-4297

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the ncsetOption function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the us...

8.8CVSS0.00463EPSS
Exploits0References9
cvelist
cvelist
added 2026/06/24 5:33 a.m.34 views

CVE-2026-4297 Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the ncsetOption function, which is exposed via the nc.setOption XML-RPC method. The function authenticates the us...

8.8CVSS0.00463EPSS
Exploits0References9
cve
cve
added 2026/06/24 5:33 a.m.12 views

CVE-2026-4297

The CVE concerns the Welcome Software Publishing WordPress plugin (

8.8CVSS5.8AI score0.00463EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.11 views

PT-2026-52144

Name of the Vulnerable Software and Affected Versions Quest NetVault Backup affected versions not specified Description A flaw in the processing of NVBUDashboard JSON-RPC messages allows remote attackers to execute arbitrary code in the context of NETWORK SERVICE. The issue stems from improper...

8.8CVSS6.3AI score0.00689EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.14 views

PT-2026-52147

Name of the Vulnerable Software and Affected Versions Quest NetVault Backup affected versions not specified Description A flaw in the processing of NVBUDeviceDrive JSON-RPC messages allows remote attackers to execute arbitrary code in the context of NETWORK SERVICE. The issue stems from...

8.8CVSS7.6AI score0.00689EPSS
Exploits0References9
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.16 views

PT-2026-52103

Name of the Vulnerable Software and Affected Versions Appsmith versions prior to 2.1 Description The bundled supervisord exposes an XML-RPC interface on port 9001, which is accessible from outside the container through a Caddy reverse-proxy route at the '/supervisor/' endpoint. An authenticated...

8.9CVSS6AI score0.00271EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.15 views

PT-2026-52152

Name of the Vulnerable Software and Affected Versions Quest NetVault Backup affected versions not specified Description A flaw in the processing of NVBULogDaemon JSON-RPC messages allows remote attackers to execute arbitrary code in the context of SYSTEM. The issue stems from insufficient...

8.8CVSS7.6AI score0.01373EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.12 views

PT-2026-52149

Name of the Vulnerable Software and Affected Versions Quest NetVault Backup affected versions not specified Description A flaw in the processing of NVBULibraryPort JSON-RPC messages allows remote attackers to execute arbitrary code in the context of NETWORK SERVICE. The issue stems from...

8.8CVSS7.7AI score0.00689EPSS
Exploits0References9
nvd
nvd
added 2026/06/23 5:17 p.m.6 views

CVE-2026-44961

The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing...

0.00338EPSS
Exploits1References1
nvd
nvd
added 2026/06/23 5:16 p.m.10 views

CVE-2026-44957

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with...

4.3CVSS0.00235EPSS
Exploits0References1
nvd
nvd
added 2026/06/23 5:16 p.m.5 views

CVE-2026-34917

Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context web/API is now...

4.3CVSS0.0031EPSS
Exploits1References1
cve
cve
added 2026/06/23 4:14 p.m.21 views

CVE-2026-44961

The CVE-2026-44961 entry affects Revive Adserver’s XML‑RPC addUser API. The flaw is a validation bypass introduced in the fix for CVE-2025‑55129, enabling username-based impersonation or stored XSS unless proper validation is present. The available documents confirm that correct validation has no...

5.8AI score0.00338EPSS
Exploits1References1
euvd
euvd
added 2026/06/23 4:14 p.m.5 views

EUVD-2026-38504

The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing...

5.4CVSS5.9AI score0.00338EPSS
Exploits2References1
cve
cve
added 2026/06/23 4:14 p.m.17 views

CVE-2026-44957

The CVE-2026-44957 vulnerability affects Revive Adserver 6.0.6 and earlier, where a missing access control check in the XML-RPC API modify methods allowed entities to be reassigned to different parent entities, causing inconsistent ownership. The issue is exploitable only in combination with CVE-...

4.3CVSS5.9AI score0.00235EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/23 4:14 p.m.35 views

CVE-2026-34917

Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context web/API is now...

4.3CVSS0.0031EPSS
Exploits1References1
euvd
euvd
added 2026/06/23 4:14 p.m.10 views

EUVD-2026-38502

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with...

4.3CVSS5.8AI score0.0031EPSS
Exploits1References1
github
github
added 2026/06/22 9:27 p.m.7 views

Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)

Summary The Glances XML-RPC server glances -s introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE 2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: whenever corsorigins contains more than one entry. An operator who configur...

7.4CVSS5.9AI score0.00409EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added 2026/06/22 9:4 p.m.23 views

CVE-2026-56311 Capgo - Unauthenticated Cross-Tenant Disclosure via get_current_plan_max_org RPC

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

6.9CVSS0.00265EPSS
Exploits0References2
nvd
nvd
added 2026/06/22 6:16 p.m.13 views

CVE-2026-54269

protobufjs compiles protobuf definitions into JavaScript JS functions. Prior to 8.6.0 and 7.6.3, protobufjs accepted certain schema-derived names that could collide with properties used by protobufjs runtime helpers. The known affected names are fields named hasOwnProperty, field or oneof names...

5.3CVSS0.00238EPSS
Exploits0References1
nvd
nvd
added 2026/06/21 2:16 p.m.10 views

CVE-2026-56239

Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.applyusageoverage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks no validation of auth.uid, org membership, or checkminrights. Becaus...

7.6CVSS0.00199EPSS
Exploits0References2
Rows per page
Query Builder