Lucene search
K

256747 matches found

Nuclei
Nuclei
added yesterday42 views

STAGIL Navigation for Jira Menu & Themes <2.0.52 - Local File Inclusion

STAGIL Navigation for Jira Menu & Themes plugin before 2.0.52 is susceptible to local file inclusion via modifying the fileName parameter to the snjFooterNavigationConfig endpoint. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site...

7.5CVSS7.2AI score0.11615EPSS
Exploits7References5
Nuclei
Nuclei
added yesterday86 views

Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible printphpinformation.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PH...

5.3CVSS7.1AI score0.00887EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday64 views

Brother Printers – Authentication Bypass via Default Admin Password

By leaking a target device's serial number, a remote attacker can generate the target device's default administrator password. The target device may leak its serial number via unauthenticated HTTP, HTTPS, IPP, SNMP, or PJL requests. id: CVE-2024-51978 info: name: Brother Printers – Authentication...

9.8CVSS7.2AI score0.23635EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday10 views

Yonyou UFIDA ERP-NC V5.0 - Cross-Site Scripting

Yonyou UFIDA ERP-NC V5.0 is vulnerable to reflected cross-site scripting XSS via the langcode parameter in /help/systop.jsp and /help/top.jsp. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2025-2712 info: name: Yonyou UFIDA ERP-NC V5.0 -...

6.1CVSS5.9AI score0.0079EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday58 views

Adobe ColdFusion - Access Control Bypass

There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrato...

7.5CVSS7.3AI score0.99732EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday53 views

phpIPAM 1.5.1 - Cross-site Scripting

Cross-site Scripting XSS - Reflected in GitHub repository phpipam/phpipam prior to 1.5.1. id: CVE-2023-0676 info: name: phpIPAM 1.5.1 - Cross-site Scripting author: ritikchaddha severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository phpipam/phpipam prior to 1.5....

6.1CVSS6.3AI score0.01532EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday7 views

Letta Letta 0.7.12 - Remote Code Execution

Letta 0.7.12 is vulnerable to remote code execution via POST /v1/tools/run in letta.server.restapi.routers.v1.tools.runtoolfromsource, allowing attackers to execute arbitrary Python and OS commands via crafted tool source code. id: CVE-2025-51482 info: name: Letta Letta 0.7.12 - Remote Code...

8.8CVSS6.8AI score0.01862EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday34 views

PHPJabbers Food Delivery Script - SQL Injection

PHPJabbers Food Delivery Script 3.0 has a SQL injection SQLi vulnerability in the "q" parameter of index.php. id: CVE-2023-40748 info: name: PHPJabbers Food Delivery Script - SQL Injection author: ritikchaddha severity: critical description: | PHPJabbers Food Delivery Script 3.0 has a SQL injecti...

9.8CVSS7.2AI score0.02904EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday25 views

WP Go Maps (formerly WP Google Maps) < 9.0.29 - Cross-Site Scripting

The WP Go Maps formerly WP Google Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

6.1CVSS7AI score0.0104EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday37 views

XWiki - Open Redirect

XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as //mydomain.com i.e. omitting the http:. It was also possible to bypass it when using URL...

6.1CVSS6.3AI score0.01756EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday49 views

Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access

The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them. id: CVE-2023-1263 info: name: Coming Soon & Maintenance 4.1.7 - Unauthenticated Post/Page Access author: r3Y3r53 severity: medium...

5.3CVSS6.8AI score0.01414EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday31 views

WordPress OrderConvo < 14 - Path Traversal

WooCommerce OrderConvo WordPress plugin \u003C 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely id: CVE-2025-10162 info: name: WordPress OrderConvo 14 - Path Traversal autho...

7.5CVSS6AI score0.03632EPSS
Exploits4References3
Nuclei
Nuclei
added yesterday18 views

Apache OFBiz - XML External Entity Injection

The /webtools/control/xmlrpc endpoint in OFBiz XML-RPC event handler is exposed to External Entity Injection by passing DOCTYPE declarations with executable payloads that discloses the contents of files in the filesystem. In addition, it can also be used to probe for open network ports, and figur...

7.5CVSS7AI score0.1591EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday79 views

InstaWP Connect < 0.1.0.86 - Local PHP File Inclusion

The InstaWP Connect - 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...

8.1CVSS7.7AI score0.10305EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday30 views

Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting

Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site scripting via the GET "ajax" parameter to snarfajax.php. id: CVE-2011-4336 info: name: Tiki Wiki CMS Groupware 7.0 Cross-Site Scripting author: pikpikcu severity: medium description: Tiki Wiki CMS Groupware 7.0 is vulnerable to cross-site...

6.1CVSS6.3AI score0.07652EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday77 views

Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modi...

9.8CVSS7AI score0.01286EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday32 views

Moodle Jmol Filter 6.1 - Local File Inclusion

Moodle Jmol Filter 6.1 is vulnerable to local file inclusion through the jsmol.php file, allowing attackers to read arbitrary files on the server. id: CVE-2025-34031 info: name: Moodle Jmol Filter 6.1 - Local File Inclusion author: madrobot severity: high description: | Moodle Jmol Filter 6.1 is...

8.7CVSS7.3AI score0.02963EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday19 views

CodiMD <2.5.4 - Insecure Filename Randomization

CodiMD does not require valid authentication to access uploaded images or to upload new image data. An attacker who can determine an uploaded image's URL can gain unauthorised access to uploaded image data. Due to the insecure random filename generation in the underlying Formidable library, an...

5.3CVSS6AI score0.01158EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday49 views

Mingsoft MCMS - SQL Injection

SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere parameter in /cms/category/list. id: CVE-2022-4375 info: name: Mingsoft MCMS - SQL Injection author: ritikchaddha severity: critical description: | SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere...

9.8CVSS7.2AI score0.0289EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday45 views

Reprise License Manager 14.2 - Information Disclosure

Reprise License Manager 14.2 is susceptible to information disclosure via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostnames, system architecture and file/directory...

5.3CVSS6.2AI score0.08359EPSS
Exploits3References5
Rows per page
Query Builder