Lucene search
+L

24 matches found

NVD
NVD
added 2026/07/10 8:16 p.m.5 views

CVE-2026-54714

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute...

6.1CVSS0.00253EPSS
Exploits0References4
CVE
CVE
added 2026/07/10 7:54 p.m.12 views

CVE-2026-54714

Technical details about CVE-2026-54714 are not publicly available in the provided documents. Monitor for updates from Logto advisories and releases.

6.1CVSS6.1AI score0.00253EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/10 7:54 p.m.36 views

CVE-2026-54714 Logto: XSS via unescaped RelayState in SAML auto-submit form

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute...

6.1CVSS0.00253EPSS
Exploits0References4
OSV
OSV
added 2026/07/10 7:54 p.m.3 views

CVE-2026-54714 Logto: XSS via unescaped RelayState in SAML auto-submit form

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute...

6.1CVSS6.1AI score0.00253EPSS
Exploits0References6
CVE
CVE
added 2026/07/10 2:30 a.m.16 views

CVE-2026-14894

The CVE concerns the WordPress plugin Super Forms – Drag & Drop Form Builder. All versions up to 6.3.313 are vulnerable to Arbitrary File Upload via the submit_form function due to missing file type validation and absence of any capability check on the submit_form nopriv AJAX handler; the only ba...

9.8CVSS6.6AI score0.00523EPSS
Exploits2References2
EUVD
EUVD
added 2026/07/10 2:30 a.m.9 views

EUVD-2026-42779

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submitform function. This is due to missing file type validation and the absence of any capability check on the submitform nopriv AJAX...

9.8CVSS6.6AI score0.00523EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2025/12/14 4:6 a.m.8 views

CVE-2025-14581

The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submitformreply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level acces...

5.3CVSS5.5AI score0.00221EPSS
Exploits0References1
NVD
NVD
added 2025/12/13 4:16 p.m.6 views

CVE-2025-14581

The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submitformreply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level acces...

4.3CVSS0.00221EPSS
Exploits0References4
CVE
CVE
added 2025/12/13 3:20 a.m.24 views

CVE-2025-14581

CVE-2025-14581 affects the WordPress plugin “HAPPY – Helpdesk Support Ticket System.” The issue is an authorization bypass caused by a missing capability check on the submit_form_reply AJAX action, allowing authenticated users with Subscriber+ privileges to post replies to arbitrary tickets regar...

4.3CVSS5.1AI score0.00221EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/12/13 3:20 a.m.3 views

CVE-2025-14581 HAPPY – Helpdesk Support Ticket System <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Reply

The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submitformreply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level acces...

4.3CVSS5.1AI score0.00221EPSS
Exploits0References4
NVD
NVD
added 2025/10/01 4:15 a.m.7 views

CVE-2025-10735

The Block For Mailchimp – Easy Mailchimp Form Integration plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.12 via the mcbSubmitFormData. This makes it possible for unauthenticated attackers to make web requests to arbitrary location...

4CVSS0.00285EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/05/22 9:25 p.m.8 views

CVE-2021-38565

An issue was discovered in Foxit PDF Reader before 11.0.1 and PDF Editor before 11.0.1. It allows writing to arbitrary files via submitForm...

7.5CVSS7AI score0.00848EPSS
Exploits0References1
CNNVD
CNNVD
added 2024/11/27 12:0 a.m.3 views

WordPress plugin Hustle – Email Marketing, Lead Generation, Optins, Popups 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPress...

5.3CVSS8.1AI score0.00379EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2024/11/27 12:0 a.m.5 views

PT-2024-16380 · WordPress · Hustle

Name of the Vulnerable Software and Affected Versions: Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to and including 7.8.5 Description: The issue is related to unauthorized form submissions due to a missing capability check on the submit form function...

5.3CVSS7.3AI score0.00379EPSS
Exploits0References5
OSV
OSV
added 2024/09/06 2:15 p.m.7 views

CVE-2024-8428

The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submitformhandler due to missing validation on the 'userid' user controlled key. This makes it possible...

8.8CVSS5.8AI score0.00485EPSS
Exploits0References2
OSV
OSV
added 2024/06/13 8:16 a.m.4 views

CVE-2024-36230

Adobe Experience Manager versions 6.5.20 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. Exploitation of this issue typically requires us...

5.4CVSS6.2AI score0.00402EPSS
Exploits0References1
wpexploit
wpexploit
added 2023/12/22 12:0 a.m.169 views

WP Crowdfunding < 2.1.10 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Affected settings: - Crowdfunding...

4.8CVSS5.7AI score0.00402EPSS
Exploits2
CNNVD
CNNVD
added 2023/03/29 12:0 a.m.4 views

PDF-XChange Editor 缓冲区错误漏洞

Tracker Software PDF-XChange Editor is a suite of software for viewing and editing PDF format files from Tracker Software, a Canadian company. A buffer error vulnerability exists in PDF-XChange Editor, which is caused by a buffer overflow problem in the submitForm method...

7.8CVSS7.7AI score0.0077EPSS
Exploits0References3
CNNVD
CNNVD
added 2022/12/30 12:0 a.m.6 views

Joget 跨站脚本漏洞

Joget is an open source no-code/low-code application platform from Joget Open Source. For faster and simpler digital conversion DX. Joget versions prior to 7.0.34 cross-site scripting vulnerability , the vulnerability stems from the file...

6.1CVSS4.3AI score0.00499EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2022/12/30 12:0 a.m.12 views

PT-2022-28145 · Joget · Joget

Name of the Vulnerable Software and Affected Versions: Joget versions up to 7.0.33 Description: A problematic issue has been found in Joget, affecting the submitForm function of the UserProfileMenu component. The manipulation of the firstName/lastName arguments leads to cross-site scripting. The...

6.1CVSS4.3AI score0.00499EPSS
Exploits0References10
Rows per page
Query Builder