Lucene search
+L

2928 matches found

nuclei
nuclei
added 10 hours ago82 views

WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive...

9.8CVSS7AI score0.77956EPSS
Exploits1References5
nuclei
nuclei
added 10 hours ago99 views

WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the currentpagetype parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain...

9.8CVSS7AI score0.3298EPSS
Exploits1References5
nuclei
nuclei
added 10 hours ago31 views

Uptime-Kuma < v1.23.0 - Improper Access Control

Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...

5.3CVSS6.1AI score0.00905EPSS
Exploits1References2
nuclei
nuclei
added 10 hours ago23 views

WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass

Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in ismainwpauthenticated function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrat...

9.8CVSS6.1AI score0.14608EPSS
Exploits11References2
nuclei
nuclei
added 10 hours ago31 views

LearnPress < 4.3.2 - Broken Access Control

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders...

5.3CVSS6.1AI score0.00917EPSS
Exploits0References2
nuclei
nuclei
added 10 hours ago61 views

WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. id: CVE-2023-0600 info: name: WP Visitor Statistics Real Time Traffic 6.9 - SQL Injection author: r3Y3r53,j4vaovo severity: critical description: | The...

9.8CVSS7.1AI score0.04234EPSS
Exploits2References3
nuclei
nuclei
added 10 hours ago67 views

WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection

WordPress Visitor Statistics Real Time Traffic plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks. id: CVE-2021-247...

8.8CVSS7AI score0.38298EPSS
Exploits5References5
euvd
euvd
added 2 days ago5 views

EUVD-2026-43547

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the...

9.3CVSS6.1AI score0.00371EPSS
Exploits0References3
osv
osv
added 3 days ago3 views

CVE-2026-62327 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats

9Router through version 0.4.41 contains an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit th...

9.3CVSS6.1AI score0.00521EPSS
Exploits0References5
nvd
nvd
added 4 days ago8 views

CVE-2026-56238

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST globalstats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/globalstats endpoin...

8.7CVSS0.00368EPSS
Exploits0References2
cvelist
cvelist
added 4 days ago30 views

CVE-2026-56238 Capgo - Unauthenticated Information Disclosure via PostgREST global_stats Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST globalstats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/globalstats endpoin...

8.7CVSS0.00368EPSS
Exploits0References2
nvd
nvd
added last week6 views

CVE-2026-45780

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS0.00364EPSS
Exploits0References9
attackerkb
attackerkb
added last week8 views

CVE-2026-45780

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS5.9AI score0.00364EPSS
Exploits0References10Affected Software1
redhat
redhat
added 2026/07/08 6:13 a.m.3 views

kernel: procfs: fix missing RCU protection when reading real_parent in do_task_stat()

A flaw was found in the Linux kernel's procfs component. When reading /proc/pid/stat, the dotaskstat function accesses task-realparent without proper Read-Copy-Update RCU protection. This missing protection creates a race condition, which can lead to a Use-After-Free UAF vulnerability. A local...

7.8CVSS5.9AI score0.0012EPSS
Exploits0References5
osv
osv
added 2026/07/06 9:22 p.m.11 views

GHSA-VJC7-JRH9-9J86 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: = 0.4.41 severity: critical cverequest: true --- Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoin...

10CVSS6.1AI score0.00521EPSS
Exploits0References2
osv
osv
added 2026/07/06 4:5 p.m.1 views

OPENSUSE-SU-2026:21265-1 Security update for cadvisor

This update for cadvisor fixes the following issues: Changes in cadvisor: - update to 0.60.3: Move OOM watching out of the lib module into the binary lib/model: make ContainerStats sub-stats pointers to convey collection presence - update to 0.60.1: cpuload/netlink: report the real error and skip...

9.6CVSS6.8AI score0.00804EPSS
Exploits2References10
redhatcve
redhatcve
added 2026/07/02 4:38 p.m.6 views

CVE-2026-48706

A flaw was found in Envoy, an open-source edge and service proxy. An attacker can exploit a heap write overflow vulnerability in Envoy's TCP StatsD sink by sending exceptionally long statistic names, such as those found in HTTP or gRPC request paths. This can lead to a denial-of-service, causing...

7.5CVSS5.9AI score0.0061EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/07/01 7:21 p.m.7 views

CVE-2026-53342

A flaw was found in the Linux kernel, specifically within the ARM64 architecture's memory management. This vulnerability occurs because the system fails to properly deallocate page tables that have been hot-removed, leading to memory leaks. This can result in incorrect memory usage statistics and...

5.8AI score0.00154EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/07/01 2:54 p.m.8 views

CVE-2026-58033 "Total number of distinct authors" statistic at action=info does not exclude revisions where the author name was deleted

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/InfoAction.Php. This issue affects MediaWiki: from before 1.46.0, 1.45.4, 1.44.6, 1.43.9...

5.3CVSS5.8AI score0.00413EPSS
Exploits0References1
redhat
redhat
added 2026/07/01 9:48 a.m.8 views

kernel: cachestat: fix page cache statistics permission checking

In the Linux kernel, the following vulnerability has been resolved: cachestat: fix page cache statistics permission checking When the 'cachestat' system call was added in commit cf264e1329fb "cachestat: implement cachestat syscall", it was meant to be a much more convenient and performant version...

5.5CVSS6.2AI score0.00199EPSS
Exploits0References5
Rows per page
Query Builder