CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/06/04 11:49 a.m.•7 views

CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

3.1CVSS5.8AI score0.00098EPSS

Exploits0References1

Positive Technologies•added 2026/06/04 12:0 a.m.•14 views

PT-2026-46224

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially...

5.3CVSS5.8AI score0.00176EPSS

NVD•added 2026/06/03 8:16 p.m.•10 views

CVE-2026-40495

FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the hideversionpublic security setting. The FOSSBilling version is embedded in the query string of every a...

6.9CVSS0.00279EPSS

RedHat Linux•added 2026/06/03 5:6 a.m.•12 views

OpenSSH: OpenSSH: Arbitrary command execution via shell metacharacters in username

A flaw was found in OpenSSH. This vulnerability allows a remote attacker to achieve arbitrary command execution by injecting shell metacharacters into a username provided on the command line. Exploitation requires an untrusted username and a non-default configuration of the '%' character in...

8.1CVSS6AI score0.00247EPSS

Positive Technologies•added 2026/06/03 12:0 a.m.•15 views

PT-2026-45903

Name of the Vulnerable Software and Affected Versions Vinyl Cache versions prior to 9.0.1 Varnish Cache versions prior to 9.0.3 Description A deficiency in HTTP/2 request parsing allows for backend request desync attacks, also known as request smuggling. This occurs when the frontend and backend...

2.3CVSS5.2AI score0.00317EPSS

Exploits0References11

Cvelist•added 2026/06/02 11:27 p.m.•40 views

CVE-2026-7421 Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the getshopurl method returning the shopname setting value without sanitization when it begins with "http", combined with insufficient validation in th...

4.4CVSS0.00208EPSS

CVE•added 2026/06/02 11:27 p.m.•22 views

CVE-2026-7421

The Passeum Ticketing plugin for WordPress (all versions up to 1.0) is vulnerable to Stored XSS when the shop_name setting starts with http. The get_shop_url() method returns the raw shop_name without sufficient sanitization, and validate_shop_name() only checks for emptiness and type, allowing a...

4.4CVSS6AI score0.00208EPSS

Vulnrichment•added 2026/06/02 11:27 p.m.•8 views

CVE-2026-7421 Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

4.4CVSS6AI score0.00208EPSS

EUVD•added 2026/06/02 7:48 a.m.•10 views

EUVD-2026-33894

The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admininit function. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

4.3CVSS5.7AI score0.00128EPSS

Exploits0References4

EUVD•added 2026/06/02 7:48 a.m.•10 views

EUVD-2026-33890

The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the...

4.3CVSS5.7AI score0.00128EPSS

Exploits0References4

EUVD•added 2026/06/02 12:31 a.m.•11 views

EUVD-2026-33767

In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

3.3CVSS5.9AI score0.00065EPSS

NVD•added 2026/06/01 7:16 p.m.•10 views

CVE-2026-10283

A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue...

6.5CVSS0.00295EPSS

CVE•added 2026/06/01 6:45 p.m.•16 views

CVE-2026-10283

CVE-2026-10283 affects Bottelet DaybydayCRM up to version 2.2.1. The vulnerability is in an unknown function of the Setting Handler, where manipulation leads to missing authentication. Remote exploitation is possible. A patch is recommended to fix the issue.

6.5CVSS6.2AI score0.00295EPSS

Cvelist•added 2026/06/01 6:45 p.m.•29 views

CVE-2026-10283 Bottelet DaybydayCRM Setting missing authentication

6.5CVSS0.00295EPSS

Vulnrichment•added 2026/06/01 6:45 p.m.•8 views

CVE-2026-10283 Bottelet DaybydayCRM Setting missing authentication

6.5CVSS6.2AI score0.00295EPSS

EUVD•added 2026/06/01 6:45 p.m.•14 views

EUVD-2026-33747

6.5CVSS6.2AI score0.00295EPSS

Snyk•added 2026/06/01 10:26 a.m.•5 views

Exposure of Sensitive Information Through Metadata

Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the BrokerInfo component. An attacker can obtain sensitive metadata, including client...

8.2CVSS5.5AI score0.00328EPSS