Lucene search
K

136 matches found

Nuclei
Nuclei
added 16 hours ago16 views

FatPipe WARP/IPVPN/MPVPN - Backdoor Account

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain an account named "cmuser" with administrative privileges and no password, letting attackers gain unauthorized admin access, exploit requires no authentication. id: CVE-2021-27856 info: name: FatPipe...

9.8CVSS7AI score0.05598EPSS
Exploits1References4
NVD
NVD
added 5 days ago4 views

CVE-2026-55207

Pimcore is an Open Source Data & Experience Management Platform. Prior to 2025.4.6 and 2026.1.6, an unauthenticated attacker who knows a valid admin username can take over any Pimcore admin account by sending a password reset request with an attacker-controlled resetPasswordUrl. The server...

8.8CVSS0.0035EPSS
Exploits0References5
NVD
NVD
added 2026/07/07 6:16 a.m.10 views

CVE-2026-12375

The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator sessio...

9.8CVSS0.00303EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/07 6:0 a.m.35 views

CVE-2026-12375 Uncanny Automator Pro 7.3.0.5 - Backdoor via Compromised Vendor Update Server

The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator sessio...

0.00303EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.10 views

PT-2026-56148

Name of the Vulnerable Software and Affected Versions uncanny-automator-pro WordPress plugin versions prior to 7.3.0.6 Description The software was distributed with malicious code following a compromise of the vendor's update and distribution infrastructure. This supply chain compromise introduce...

9.8CVSS6AI score0.00303EPSS
Exploits0References3
NVD
NVD
added 2026/07/02 8:17 p.m.12 views

CVE-2026-58466

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via adddefaultuser in the database user module when the users table is empt...

9.8CVSS0.00505EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 9:17 p.m.19 views

CVE-2026-54069

SiYuan Note

9.2CVSS5.9AI score0.00607EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:1 p.m.19 views

CVE-2026-33543 FOSSBilling: Authentication bypass allows unauthenticated administrator creation

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already...

9.3CVSS0.00289EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 9:1 p.m.15 views

CVE-2026-33543

FOSSBilling versions 0.7.2 and earlier expose a guest API endpoint /api/guest/staff/create intended for initial admin bootstrap. A flawed admin-existence check (is_countable() used on a Model_Admin object or null) makes the guard always evaluate true, allowing unauthenticated creation of an admin...

9.3CVSS5.8AI score0.00289EPSS
Exploits0References2
CVE
CVE
added 2026/06/15 6:0 a.m.22 views

CVE-2026-8935

The CVE concerns the WP MAPS PRO WordPress plugin prior to version 6.1.1. The vulnerability arises from an unauthenticated AJAX action that, when a valid nonce (publicly emitted on frontend pages enqueuing the map script) is supplied, unconditionally creates an administrator account and returns a...

9.8CVSS5.3AI score0.00268EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/08 4:12 p.m.10 views

CVE-2026-41448

AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path...

9.4CVSS5.6AI score0.00542EPSS
Exploits0References3
GithubExploit
GithubExploit
added 2026/06/04 4:22 p.m.92 views

Exploit for CVE-2026-8732

CVE-2026-8732 – WordPress WP Maps Pro Exploit Unauthenticat...

9.8CVSS6AI score0.09461EPSS
Exploits7
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.18 views

WordPress plugin Frontend Admin by DynamiApps 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

8.8CVSS5.8AI score0.00433EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2026/05/20 7:52 p.m.7 views

CVE-2026-9141 Taiko AG1000-01A Rev 7.3/8 Authentication Bypass via Web Interface

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attacker...

9.8CVSS5.8AI score0.00481EPSS
Exploits0References2
Packet Storm News
Packet Storm News
added 2026/05/14 12:0 a.m.18 views

GestioIP 3.5.7 Remote Command Execution

This Metasploit module exploits a command execution via file upload. If GestioIP is configured to use no authentication for admin account, no password is required to exploit the vulnerability. Otherwise, an authenticated user with admin right on the web site is required to exploit...

9.8CVSS7.3AI score0.45109EPSS
Exploits5
RedhatCVE
RedhatCVE
added 2026/05/11 8:26 p.m.11 views

CVE-2026-1749

There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission...

6.8CVSS5.8AI score0.00282EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.16 views

PT-2026-39734

Name of the Vulnerable Software and Affected Versions SOCFortress CoPilot versions prior to 0.1.57 Description The application contains a hardcoded JSON Web Token JWT signing secret used as a fallback value in the backend/app/auth/utils.py file and the .env.example file. In deployments where the...

10CVSS5.8AI score0.0044EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/09 12:0 a.m.10 views

Hikvision HikCentral Professional 安全漏洞

Hikvision HikCentral Professional is a professional edition of the AI Cloud-based application management platform designed for edge domains by Hikvision, a Chinese company. Hikvision HikCentral Professional has security vulnerabilities, particularly an access control issue that may allow...

6.8CVSS5.8AI score0.00282EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/24 6:29 p.m.5 views

CVE-2026-41492 Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph

Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoint on Alpha. Because the admin token is commonly supplied via the --security "token=..." startup flag, an unauthenticated attacker can...

9.8CVSS5.3AI score0.02187EPSS
Exploits1References2
EUVD
EUVD
added 2026/04/24 4:8 p.m.7 views

EUVD-2026-25576

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...

9.8CVSS5.4AI score0.00254EPSS
Exploits0References3
Rows per page
Query Builder