Lucene search
K

2778 matches found

NVD
NVD
added 2026/05/14 3:16 p.m.50 views

CVE-2026-41937

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows superadmin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a...

8.6CVSS0.00403EPSS
Exploits0References3
CVE
CVE
added 2026/05/14 2:30 p.m.21 views

CVE-2026-41937

Summary: CVE-2026-41937 affects Vvveb prior to 1.0.8.3. An unrestricted file upload in the plugin upload endpoint lets super_admin users craft a ZIP (plugin.php with a valid Slug header and public/index.php) that executes arbitrary PHP code as the web server user when accessed at the plugin’s pub...

8.6CVSS6.2AI score0.00403EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/14 2:30 p.m.8 views

CVE-2026-41937

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows superadmin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a...

8.6CVSS6.2AI score0.00403EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.17 views

PT-2026-40944

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a...

8.6CVSS6.2AI score0.00403EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/12 9:43 p.m.41 views

CVE-2026-42844 Grav: Low-privileged API users can create super-admin accounts via blueprint-upload

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full...

8.7CVSS0.00336EPSS
Exploits1References1
CVE
CVE
added 2026/05/12 9:43 p.m.21 views

CVE-2026-42844

Grav 2.0.0-beta.2 contains an authenticated API privilege-escalation in the blueprint-upload flow. A low-privileged API user (api.media.write) can write an arbitrary YAML file into user/accounts/ via /api/v1/blueprint-upload, then log in as the created account with api.super, resulting in full ad...

8.8CVSS5.9AI score0.00336EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 9:43 p.m.12 views

CVE-2026-42844 Grav: Low-privileged API users can create super-admin accounts via blueprint-upload

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full...

8.7CVSS5.9AI score0.00336EPSS
Exploits1References1
NVD
NVD
added 2026/05/11 5:16 p.m.17 views

CVE-2026-42845

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload GHSA-w4rc-p66m-x6qq. Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions md, yaml...

8.7CVSS0.00622EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 3:54 p.m.37 views

CVE-2026-42843 grav-plugin-api: Grav API Privilege Escalation to Super Admin

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

8.8CVSS0.0035EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/11 3:54 p.m.12 views

CVE-2026-42843 grav-plugin-api: Grav API Privilege Escalation to Super Admin

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/11 3:54 p.m.6 views

CVE-2026-42843

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/05/11 3:54 p.m.20 views

CVE-2026-42843

The CVE-2026-42843 entry concerns Grav API Plugin for Grav CMS. It describes an insecure direct object reference and logic flaw in UsersController::update that lets any authenticated API user with api.access modify their own permission configuration, potentially escalating to Super Administrator ...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.13 views

Grav CMS 安全漏洞

Grav CMS is an open-source file-based content management system developed by Grav. Versions of Grav CMS prior to 1.0.0-beta.15 contained security vulnerabilities. These vulnerabilities were caused by insecure direct object references and logical flaws, which could allow authenticated users to...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.11 views

Grav 输入验证错误漏洞

Grav is a scalable content management system CMS developed by the Grav open-source community, suitable for use in personal blogs, small content publishing platforms, and single-page product displays. Prior to Grav 2.0.0-beta.2, there was a vulnerability related to input validation errors. This...

9.4CVSS5.8AI score0.00939EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/09 2:25 a.m.60 views

CVE-2026-7652 LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...

5.3CVSS0.00719EPSS
Exploits0References15
ATTACKERKB
ATTACKERKB
added 2026/05/09 2:25 a.m.8 views

CVE-2026-7652

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...

5.3CVSS5.8AI score0.00719EPSS
Exploits0References16
RedhatCVE
RedhatCVE
added 2026/05/08 2:21 p.m.13 views

CVE-2026-34427

Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject roleid=1 into profile save requests to escalate to Super Administrator privileges,...

8.8CVSS6.1AI score0.00562EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/06 9:19 p.m.31 views

Low-privileged Grav API users can create super-admin accounts via blueprint-upload

Summary In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of...

8.8CVSS6.3AI score0.00336EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/05/06 9:19 p.m.12 views

Arbitrary File Upload

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary File Upload via the blueprint-upload process. An attacker can gain full administrative access by uploading a crafted YAML file to th...

8.8CVSS5.9AI score0.00336EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/06 4:50 p.m.11 views

CVE-2025-71271

A flaw was found in the hfsplus filesystem driver in the Linux kernel. A bug was introduced during the conversion of hfsplus to the new mount API, leading to a memory leak. If the setupbdevsuper function fails after a new superblock is allocated but before hfsplusfillsuper takes ownership of the...

5.5CVSS5.8AI score0.00126EPSS
Exploits0References4
Rows per page
Query Builder