Lucene search
K

47899 matches found

CVE
CVE
added 2 hours ago3 views

CVE-2026-12937

The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'postid' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficie...

7.5CVSS6AI score
Exploits0References5
CVE
CVE
added 3 hours ago5 views

CVE-2026-9702

Summary : CVE-2026-9702 affects the InPost PL WordPress plugin prior to version 1.9.1. The vulnerability occurs because the plugin does not verify that a request originates from the legitimate buyer before updating the WooCommerce order parcel-locker destination. This allows unauthenticated attac...

5.9AI score
Exploits0References1
CVE
CVE
added 3 hours ago7 views

CVE-2026-10824

The Masteriyo LMS WordPress plugin is affected up to version 2.2.0; the course-progress REST API controller fails authorization checks, allowing unauthenticated users to read and permanently delete any user’s course-progress records. This vulnerability stems from missing access controls in the AP...

5.8AI score
Exploits0References1
CVE
CVE
added 4 hours ago11 views

CVE-2026-2238

CVE-2026-2238 affects GitLab CE/EE, impacting all versions from 17.5 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. An unauthorized user could view confidential issue references on public projects due to improper authorization checks. The issue is mitigated in GitLab releases 18.11.6...

5.3CVSS5.9AI score
Exploits0References3
CVE
CVE
added 4 hours ago6 views

CVE-2026-10712

GitLab CVE-2026-10712 affects GitLab CE/EE with versions 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. The issue is described as improper path validation that could, under certain conditions, allow an unauthenticated user to execute arbitrary JavaScript in a user’s browser ses...

8CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 4 hours ago3 views

EUVD-2026-39171

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path...

8CVSS6.1AI score
Exploits0References3
CVE
CVE
added 5 hours ago8 views

CVE-2026-12077

CVE-2026-12077 : The Dokan Pro plugin for WordPress (up to version 5.0.4) is vulnerable to a time-based SQL Injection via the latitude and longitude parameters. The root cause is insufficient escaping of user-supplied input and lack of proper preparation in the existing SQL query, enabling unauth...

7.5CVSS6AI score
Exploits0References2
EUVD
EUVD
added 8 hours ago4 views

EUVD-2026-39114

ATEN Unizon writeFileToHttpServletResponse Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ATEN Unizon. Authentication is not required to exploit this vulnerability. The specific fl...

7.5CVSS7AI score
Exploits0References3
CVE
CVE
added yesterday4 views

CVE-2026-54068

SiYuan before 3.7.0: unauthenticated access to /api/icon/getDynamicIcon where type=8 with a valid block id runs Go templates that execute arbitrary SQL (RenderDynamicIconContentTemplate), enabling an attacker to exfiltrate extensive SQLite data (notes, tags, asset refs, block attributes). The roo...

5.9CVSS6AI score0.00089EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-52816

Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Jupyter Notebook ipynb sanitizer endpoint at POST /-/api/sanitizeipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting XSS. The endpoint uses bluemonday.UGCPolicy with...

6.4CVSS6AI score
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-52799

Gogs is an open source self-hosted Git service. Prior to 0.14.3, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRESIGNINVIEW = false, we...

7.5CVSS5.9AI score
Exploits0References3Affected Software1
CVE
CVE
added yesterday6 views

CVE-2026-52815

Summary (CVE-2026-52815, Gogs) Gogs before 0.14.3 exposes unauthenticated access to org teams via GET /api/v1/orgs/:orgname/teams. The route group lacks reqToken() and ListTeams() does not perform authentication, allowing retrieval of all teams’ IDs, names, descriptions, and permission levels for...

6.9CVSS5.9AI score
Exploits0References1
NVD
NVD
added yesterday6 views

CVE-2026-49980

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from the URL and passed...

9.8CVSS0.00371EPSS
Exploits0References1
EUVD
EUVD
added yesterday5 views

EUVD-2026-38801

Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The userdefinedfunction.body field of an OnDemandFeatureView spec is decoded from...

9.8CVSS6.8AI score
Exploits0References5
Cvelist
Cvelist
added yesterday12 views

CVE-2026-48793 Jellyfin: Potential FFmpeg argument injection via unescaped subtitle file path

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal SubtitleEncoder.cs, line 382 interpolates the subtitle file path into FFmpeg...

8.8CVSS0.00082EPSS
Exploits0References1
CVE
CVE
added yesterday41 views

CVE-2026-49980

Summary of risks and remediation for CVE-2026-49980 : Rclone 1.46.0 through 1.74.3 is vulnerable to unauthenticated command execution via rcd --rc-serve. An unauthenticated GET/HEAD request to paths like /[remote:path]/object can cause the remote value to be parsed and used during backend initial...

9.8CVSS6AI score0.00371EPSS
Exploits0References1
EUVD
EUVD
added yesterday4 views

EUVD-2026-36907

OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration...

3.7CVSS5.8AI score0.00269EPSS
Exploits0References4
CVE
CVE
added yesterday8 views

CVE-2026-56121

Feast

9.8CVSS6.8AI score
Exploits0References4
Cvelist
Cvelist
added yesterday16 views

CVE-2026-56121 Feast < 0.63.0 Unauthenticated RCE via ApplyFeatureView gRPC Deserialization

Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The userdefinedfunction.body field of an OnDemandFeatureView spec is decoded from...

9.8CVSS
Exploits0References4
NVD
NVD
added yesterday7 views

CVE-2026-57288

Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native ADSI authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a...

3.7CVSS
Exploits0References1
Rows per page
Query Builder