Lucene search
K

20432 matches found

Nuclei
Nuclei
added 6 hours ago45 views

WordPress amtyThumb Posts 8.1.3 - Cross-Site Scripting

WordPress amty-thumb-recent-post plugin 8.1.3 contains a cross-site scripting vulnerability via the query string to amtyThumbPostsAdminPg.php. id: CVE-2017-17059 info: name: WordPress amtyThumb Posts 8.1.3 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress...

6.1CVSS6.4AI score0.03419EPSS
Exploits1References4
Nuclei
Nuclei
added 6 hours ago90 views

NocoBase - SQL Injection

NocoBase versions prior to 2.0.39 contain a SQL injection vulnerability in the @nocobase/database package. The queryParentSQL function in eager-loading-tree.ts constructs a recursive CTE query by directly concatenating user-controlled primary key values into the SQL WHERE IN clause without...

8.8CVSS6.2AI score0.01875EPSS
Exploits1References2
EUVD
EUVD
added 13 hours ago4 views

EUVD-2026-43546

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit th...

7.5CVSS7.3AI score
Exploits0References2
CVE
CVE
added yesterday5 views

CVE-2026-15680

CVE-2026-15680 affects Lorex 2K Indoor Wi‑Fi Security Camera. The vulnerability is in the sonia binary’s JSON request parsing, where lack of validation of a user‑supplied string used as a format specifier can allow a network‑adjacent attacker to execute arbitrary code with root privileges. Authen...

7.5CVSS7.3AI score
Exploits0References1
Cvelist
Cvelist
added yesterday16 views

CVE-2026-15680 Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability

Lorex 2K Indoor Wi-Fi Security Camera CDeviceOperator Format String Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Lorex 2K Indoor Wi-Fi Security Cameras. Authentication is not required to exploit th...

7.5CVSS
Exploits0References1
NVD
NVD
added yesterday5 views

CVE-2026-13221

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perlstudychunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored ...

Exploits0References3
Nuclei
Nuclei
added yesterday14 views

WordPress Contact Form by Supsystic - Server-Side Template Injection

Contact Form by Supsystic WordPress plugin = 1.7.36 contains a server-side template injection caused by unsandboxed TwigLoaderString and cfsPreFill functionality, letting unauthenticated attackers execute arbitrary code remotely via GET parameters. id: CVE-2026-4257 info: name: WordPress Contact...

9.8CVSS6.3AI score0.41475EPSS
Exploits9References3
NVD
NVD
added 4 days ago5 views

CVE-2026-59162

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with ...

6.9CVSS0.00524EPSS
Exploits0References4
CVE
CVE
added 4 days ago15 views

CVE-2026-59162

The CVE concerns the Go-based Excelize library (v2.x) where, prior to 2.11.0, shared-string cell values could be indexed with -1, causing a panic in GetCellValue and GetRows. The issue stems from parsing shared-strings with strconv.Atoi and only an upper bound check before indexing the sharedStri...

6.9CVSS6.1AI score0.00524EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago27 views

CVE-2026-59162 Excelize: Negative shared-string index causes panic in GetCellValue and GetRows

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with ...

6.9CVSS0.00524EPSS
Exploits0References4
NVD
NVD
added 4 days ago6 views

CVE-2026-61444

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agentsfile parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen...

9.4CVSS0.00392EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-61444 PraisonAI before 4.6.78 Code Injection via f-string

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agentsfile parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen...

9.4CVSS0.00392EPSS
Exploits0References2
CVE
CVE
added 4 days ago10 views

CVE-2026-61444

PRAISONAi before 4.6.78 has a code‑injection vulnerability in deploy/api.py: the agents_file parameter is interpolated into an f-string without sanitization, allowing arbitrary Python code execution when the generated server code runs via subprocess.Popen(). Affected: PraisonAI

9.4CVSS6.2AI score0.00392EPSS
Exploits0References2
NVD
NVD
added 4 days ago9 views

CVE-2026-15300

The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $SERVER'QUERYSTRING' via parsestr bypassing wpmagicquotes, which does not cover $SERVER, then passed through bare...

9.1CVSS0.00349EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-57196

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.6.78 Description A code injection issue exists in the deploy/api.py file. The agents file parameter is directly interpolated into an f-string without proper sanitization. This interpolated string is used to genera...

9.4CVSS6.3AI score0.00392EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-55590

CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the...

5.1CVSS5.9AI score0.00578EPSS
Exploits0References11Affected Software1
RedHat Linux
RedHat Linux
added 5 days ago3 views

ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses

A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol IMAP client functionality. A hostile server can exploit a quadratic time complexity issue in the Net::IMAP::ResponseReader when processing large responses containing numerous string literals. This can...

7.5CVSS5.8AI score0.0041EPSS
Exploits0References11
Snyk
Snyk
added 6 days ago6 views

Prototype Pollution

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Prototype Pollution through the textformat file. An attacker can modify the prototype of the returned map object by supplyi...

8.3CVSS6.4AI score0.00221EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 6 days ago4 views

crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate

A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the HostnameError.Error function. This flaw, caused by unbounded string concatenation, leads to excessive resource...

7.5CVSS7.1AI score0.00459EPSS
Exploits2References8
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-59876 protobufjs: Text Format string map parsing can mutate returned map object prototype

protobufjs compiles protobuf definitions into JavaScript JS functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key proto to change the prototype of the returned map object instead of...

4.8CVSS0.00221EPSS
Exploits0References4
Rows per page
Query Builder