Lucene search
K

257203 matches found

Nuclei
Nuclei
added 18 hours ago151 views

kkFileView 4.1.0 - Cross-Site Scripting

kkFileView 4.1.0 is susceptible to cross-site scripting via the url parameter at /controller/OnlinePreviewController.java. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

6.1CVSS6.4AI score0.01084EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago62 views

Reprise License Manager 14.2 - Information Disclosure

Reprise License Manager 14.2 is susceptible to information disclosure via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostnames, system architecture and file/directory...

5.3CVSS6.3AI score0.08359EPSS
Exploits3References5
Nuclei
Nuclei
added 18 hours ago266 views

Node.js Embedded JavaScript 3.1.6 - Template Injection

Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settingsview optionsoutputFunctionName, which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation. id:...

9.8CVSS6.8AI score0.32386EPSS
Exploits6References5
Nuclei
Nuclei
added 18 hours ago68 views

Trilium <0.52.4 - Cross-Site Scripting

Trilium prior to 0.52.4, 0.53.1-beta contains a cross-site scripting vulnerability which can allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. id: CVE-2022-2290 info: name: Trilium 0.52.4 - Cross-Site Scripting author:...

6.4CVSS6.8AI score0.03096EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago82 views

Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass

Zyxel NBG2105 V1.00AAGU.2C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access. id: CVE-2021-3297 info: name: Zyxel NBG2105 V1.00AAGU.2C0 - Authentication Bypass author: gy741 severity: high description: Zyxel NBG21...

7.8CVSS7AI score0.20514EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago15 views

KeySight RF - smsRestoreDatabaseZip UNC path to Remote Code Execution

The com.keysight.tentacle.config.ResourceManager.smsRestoreDatabaseZip method is used to restore the HSQLDB database used in SMS. It takes the path of the zipped database file as the single parameter. An unauthenticated, remote attacker can specify an UNC path for the database file i.e., \\sms,...

9.8CVSS7AI score0.53389EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago37 views

WordPress Simple File List - Path Traversal

Simple File List plugin allows path traversal via file upload, enabling files to be written outside the upload directory. id: CVE-2020-12832 info: name: WordPress Simple File List - Path Traversal author: riteshs4hu severity: critical description: | Simple File List plugin allows path traversal v...

9.8CVSS7AI score0.07131EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago10 views

WordPress Front End Users - Reflected XSS

WordPress Front End Users plugin = 3.2.32 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

7.1CVSS7AI score0.00485EPSS
Exploits1References1
Nuclei
Nuclei
added 18 hours ago22 views

ComfyUI-Manager < 3.38 - Configuration Overwrite

ComfyUI-Manager 3.38 contains an insecure file storage vulnerability caused by storing files in an insufficiently protected location accessible via the web interface, letting remote attackers manipulate configuration and critical data, exploit requires web access. id: CVE-2025-67303 info: name:...

7.5CVSS7.2AI score0.01361EPSS
Exploits3References3
Nuclei
Nuclei
added 18 hours ago9 views

Lodash Template - Server-Side Template Injection (RCE)

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...

7.2CVSS6.8AI score0.2241EPSS
Exploits3References4
Nuclei
Nuclei
added 18 hours ago11 views

Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting XSS via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2025-2712 info: name: Yonyou UFIDA ERP-NC V5.0 -...

6.1CVSS6.1AI score0.0079EPSS
Exploits1References1
Nuclei
Nuclei
added 18 hours ago13 views

Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting XSS via the key and redirect parameters in login.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2025-2709 info: name: Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scriptin...

6.1CVSS6.1AI score0.00872EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago42 views

NetMRI < 7.6.1 - Authentication Bypass via Hardcoded Credentials

An issue was discovered in Infoblox NETMRI before 7.6.1. Authentication Bypass via a Hardcoded credential can occur. id: CVE-2025-32815 info: name: NetMRI 7.6.1 - Authentication Bypass via Hardcoded Credentials author: iamnoooob,pdresearch severity: medium description: | An issue was discovered i...

6.5CVSS6.6AI score0.34188EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago34 views

White Star Software ProTop - Directory Traversal

A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences. id: CVE-2025-44177 info: name:...

8.2CVSS7.1AI score0.04173EPSS
Exploits3References4
Nuclei
Nuclei
added 18 hours ago18 views

Apache OFBiz - XML External Entity Injection

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figur...

7.5CVSS7AI score0.1591EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago17 views

Rank Math SEO <= 1.0.40.2 - Redirect Creation via Unprotected REST API Endpoint

The Rank Math plugin through 1.0.40.2 for WordPress allows unauthenticated remote attackers to create new URIs that redirect to an external web site via the unsecured rankmath/v1/updateRedirection REST API endpoint. In other words, this is not an "Open Redirect" issue; instead, it allows the...

6.1CVSS6.5AI score0.02072EPSS
Exploits2References3
Nuclei
Nuclei
added 18 hours ago13 views

Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation

The WaspThemes Visual CSS Style Editor aka yellow-pencil-visual-theme-customizer plugin before 7.2.1 for WordPress allows ypoptionupdate CSRF, as demonstrated by use of ypremoteget to obtain admin access. id: CVE-2019-11886 info: name: Yellow Pencil Visual Theme Customizer 7.2.1 - Privilege...

8.8CVSS7AI score0.0189EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago97 views

Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible printphpinformation.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PH...

5.3CVSS7AI score0.00879EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago33 views

WordPress Download Manager < 3.2.44 - Authenticated Cross-Site Scripting

The WordPress Download Manager plugin before version 3.2.44 does not properly sanitize and escape the userids parameter in the stats history dashboard. This allows authenticated attackers to perform Cross-Site Scripting attacks by injecting malicious JavaScript code. id: CVE-2022-2168 info: name:...

6.1CVSS6.4AI score0.0106EPSS
Exploits2References2
Nuclei
Nuclei
added 18 hours ago151 views

Kubio AI Page Builder <= 2.5.1 - Local File Inclusion

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

9.8CVSS7.5AI score0.76761EPSS
Exploits12References3
Rows per page
Query Builder