CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

323 matches found

Trendnet AC2600 TEW-827DRU - Credentials Disclosure

Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page. id: CVE-2021-20150 info: name: Trendnet AC2600 TEW-827DR...

5.3CVSS6AI score0.4006EPSS

Exploits0References2

Github Security Blog•added 2026/06/11 5:10 p.m.•7 views

Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...

5.8AI score0.00047EPSS

Exploits0References3Affected Software1

OSSF Malicious Packages•added 2026/05/21 11:27 a.m.•8 views

Malicious code in @autoheal/setup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a8b8b7d51e8865d048583893b08ad3d3d95a8371963b82adc6bf4b7938fe4c1 When the user runs this setup wizard, bin/setup.js posts the user's GitHub Personal Access Token scope repo,user:email, GitHub repo name, branch,...

6AI score

Exploits0References1

OSV•added 2026/05/21 11:27 a.m.•10 views

MAL-2026-4366 Malicious code in @autoheal/setup (npm)

6AI score

Exploits0References1

RedhatCVE•added 2026/05/18 7:58 p.m.•9 views

CVE-2026-42288

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

10CVSS6.4AI score0.00576EPSS

Exploits0References1

NVD•added 2026/05/12 11:16 p.m.•20 views

CVE-2026-42288

10CVSS0.00576EPSS

Exploits0References1

Vulnrichment•added 2026/05/12 10:25 p.m.•7 views

CVE-2026-42288 ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD

10CVSS6.4AI score0.00715EPSS

Exploits0References1

Cvelist•added 2026/05/12 10:25 p.m.•39 views

CVE-2026-42288 ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD

10CVSS0.00576EPSS

Exploits0References1

ATTACKERKB•added 2026/05/12 10:25 p.m.•6 views

CVE-2026-42288

10CVSS6.4AI score0.00715EPSS

Exploits0References2Affected Software1

CVE•added 2026/05/12 10:25 p.m.•27 views

CVE-2026-42288

ChurchCRM prior to version 7.1.0 is affected by a pre-auth RCE in the setup wizard due to unsanitized DB_PASSWORD handling, enabling unauthenticated PHP code injection during initial install. The issue stems from an incomplete fix for a previous CVE and is fixed in 7.1.0. Impact is described as f...

10CVSS6.4AI score0.00576EPSS

Exploits0References1

EUVD•added 2026/05/12 10:25 p.m.•8 views

EUVD-2026-29876

10CVSS6.4AI score0.00715EPSS

Exploits0References1

Positive Technologies•added 2026/05/12 12:0 a.m.•13 views

PT-2026-40458

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.3.2 Description A pre-authentication remote code execution issue exists in the setup wizard. The flaw allows for remote code execution via the unsanitized DB PASSWORD variable. Recommendations Update to version...

10CVSS6.4AI score0.00576EPSS

Exploits0References4

NVD•added 2026/04/07 6:16 p.m.•7 views

CVE-2026-39337

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

10CVSS0.00715EPSS

Exploits0References1

ATTACKERKB•added 2026/04/07 6:8 p.m.•5 views

CVE-2026-39337

10CVSS6.6AI score0.04151EPSS

Exploits3References2Affected Software1

Positive Technologies•added 2026/04/07 12:0 a.m.•5 views

PT-2026-30960

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, has a critical pre-authentication remote code execution issue in its setup wizard. Unauthenticated attackers can inject arbitrary PHP code during...

10CVSS6.6AI score0.00715EPSS

Exploits0References10

RedhatCVE•added 2026/03/26 2:59 p.m.•4 views

CVE-2026-2992

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated...

8.2CVSS5.8AI score0.00248EPSS

Exploits0References1

Patchstack•added 2026/03/20 10:21 a.m.•6 views

WordPress KiviCare plugin <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard vulnerability

Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard vulnerability discovered by WordFence in WordPress Plugin KiviCare versions = 4.1.2...

8.2CVSS5.8AI score0.00248EPSS

Exploits0References1Affected Software1

NVD•added 2026/03/18 4:16 p.m.•5 views

CVE-2026-2992

8.2CVSS0.00248EPSS

Exploits0References4

Cvelist•added 2026/03/18 3:28 p.m.•23 views

CVE-2026-2992 KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard

8.2CVSS0.00248EPSS

Exploits0References4

Vulnrichment•added 2026/03/18 3:28 p.m.•5 views

CVE-2026-2992 KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard