Lucene search
+L

299071 matches found

CVE
CVE
added 23 minutes ago2 views

CVE-2026-10130 QueryWeaver Authentication Bypass via Email Signup Token Issuance for Existing Accounts

QueryWeaver contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain valid session tokens for existing accounts by submitting a signup request with a known victim email address. The signup route unconditionally creates and links a new token to the matching...

8.8CVSS5.5AI score
Exploits0References3
Cvelist
Cvelist
added 23 minutes ago2 views

CVE-2026-10130 QueryWeaver Authentication Bypass via Email Signup Token Issuance for Existing Accounts

QueryWeaver contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain valid session tokens for existing accounts by submitting a signup request with a known victim email address. The signup route unconditionally creates and links a new token to the matching...

8.8CVSS
Exploits0References3
NVD
NVD
added 1 hour ago5 views

CVE-2026-12228

A stored cross-site scripting XSS vulnerability exists in the POST /api/prompts/share endpoint of parisneo/lollms latest version. The endpoint stores attacker-controlled promptcontent into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message DM thread,...

8.7CVSS
Exploits0References1
GithubExploit
GithubExploit
added 1 hour ago8 views

Exploit for CVE-2026-63030

CVE-2026-63030 The WordPress REST API batch routing confusi...

9.8CVSS7AI score
Exploits27
GithubExploit
GithubExploit
added 1 hour ago7 views

Exploit for CVE-2026-60137

wp2shell-detect Blackbox, non-intrusive detector for wp...

9.8CVSS6AI score
Exploits27
Cvelist
Cvelist
added 2 hours ago9 views

CVE-2026-12228 Stored XSS in Direct Messages via Prompt Sharing in parisneo/lollms

A stored cross-site scripting XSS vulnerability exists in the POST /api/prompts/share endpoint of parisneo/lollms latest version. The endpoint stores attacker-controlled promptcontent into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message DM thread,...

8.7CVSS
Exploits0References1
CVE
CVE
added 2 hours ago7 views

CVE-2026-12228

The CVE describes a stored XSS in parisneo/lollms via POST /api/prompts/share where attacker-controlled prompt_content is saved to DBDirectMessage.content and later rendered with v-html in the DM UI. The frontend regex-based sanitizer fails to fully sanitize HTML, enabling malicious payloads to r...

8.7CVSS7.8AI score
Exploits0References1
NVD
NVD
added 2 hours ago5 views

CVE-2026-57848

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component reachable to any process on the device via the android.intent.action.SEND intent and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filte...

6.8CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 3 hours ago5 views

CVE-2026-57848

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component reachable to any process on the device via the android.intent.action.SEND intent and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filte...

6.8CVSS5.4AI score
Exploits0References4
CVE
CVE
added 3 hours ago8 views

CVE-2026-57848

CVE-2026-57848 concerns Stoat for Android where the exported ShareTargetActivity does not validate the incoming android.intent.extra.STREAM URI before using it as the outgoing attachment. An attacker able to invoke intents can supply a file:// URI pointing to the app’s internal storage (e.g., dat...

6.8CVSS5.5AI score
Exploits0References3
Cvelist
Cvelist
added 3 hours ago11 views

CVE-2026-57848 Stoat for Android Internal File Disclosure via Exported ShareTargetActivity URI Validation

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component reachable to any process on the device via the android.intent.action.SEND intent and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filte...

6.8CVSS
Exploits0References3
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-45395

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component reachable to any process on the device via the android.intent.action.SEND intent and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filte...

6.8CVSS5.4AI score
Exploits0References3
GithubExploit
GithubExploit
added 3 hours ago10 views

Exploit for CVE-2026-60137

Unauthenticated pre-auth RCE PoC for the WordPress wp2shell chai...

9.8CVSS5.7AI score
Exploits27
GithubExploit
GithubExploit
added 5 hours ago18 views

FLOCK_CVE_SCANNER

FLOCKCVESCANNER Scan and exploit with permission Ov...

9.8CVSS5.4AI score0.01004EPSS
Exploits3
GithubExploit
GithubExploit
added 6 hours ago17 views

Exploit for CVE-2026-60137

wp2shell Pre-authentication Remote Code Execution against Wor...

9.8CVSS5.8AI score
Exploits27
GithubExploit
GithubExploit
added 11 hours ago27 views

Exploit for Missing Authentication for Critical Function in Splunk

Splunk Enterprise — CVE-2026-20253 Training Lab Splunk En...

9.8CVSS6.9AI score0.88171EPSS
Exploits6
Nuclei
Nuclei
added 14 hours ago17 views

FatPipe WARP/IPVPN/MPVPN - Backdoor Account

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access, exploit requires no authentication. id: CVE-2021-27856 info: name: FatPipe...

9.8CVSS8.4AI score0.05598EPSS
Exploits1References4
Nuclei
Nuclei
added 14 hours ago21 views

WordPress ProfilePress <= 3.1.3 - Privilege Escalation

ProfilePress plugin before 3.1.4 allows privilege escalation. Due to insufficient validation in the profile update functionality, authenticated users can supply arbitrary usermeta fields, including wpcapabilities, during profile updates. This enables a user to escalate their privileges to...

9.8CVSS8.4AI score0.0412EPSS
Exploits2References2
Nuclei
Nuclei
added 14 hours ago24 views

Memos 0.13.2 - Server-Side Request Forgery

SSRF vulnerabilities exist in the memos API service /o/get/httpmeta that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the...

5.8CVSS5.8AI score0.01049EPSS
Exploits1References2
Nuclei
Nuclei
added 14 hours ago96 views

Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to chan...

9.8CVSS8.9AI score0.18241EPSS
Exploits3References4
Rows per page
Query Builder