Lucene search
+L

6 matches found

OSV
OSV
added last week2 views

CVE-2026-56238 Capgo - Unauthenticated Information Disclosure via PostgREST global_stats Endpoint

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST globalstats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/globalstats endpoin...

8.7CVSS6.1AI score0.00368EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.6 views

CVE-2026-32271

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step...

7.7CVSS6.5AI score0.00476EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/13 9:13 p.m.9 views

SQL Injection

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to SQL Injection via the TotalRevenue widget, where unsanitized widget settings are interpolated into SQL expressions. An attacker can execute arbitrary commands on the server by injecting a maliciousl...

7.7CVSS6.4AI score0.00476EPSS
Exploits0References2
CVE
CVE
added 2026/04/13 8:19 p.m.15 views

CVE-2026-32271

CVE-2026-32271 affects Craft Commerce (Craft CMS) in versions 4.0.0–4.10.2 and 5.0.0–5.5.4, where an SQL injection in the Commerce TotalRevenue widget allows any authenticated control panel user to achieve remote code execution. The exploit involves unsanitized widget settings interpolated into S...

7.7CVSS6.5AI score0.00476EPSS
Exploits0References2
OSV
OSV
added 2026/04/13 8:19 p.m.2 views

CVE-2026-32271 Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step...

7.7CVSS6.7AI score0.00476EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/12/16 4:31 a.m.39 views

CVE-2025-13956 LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders...

5.3CVSS0.00917EPSS
Exploits0References2
Rows per page
Query Builder