Lucene search
K

1398 matches found

NVD
NVD
added 2026/04/10 2:16 a.m.4 views

CVE-2026-1924

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the ahscajaxresetoptions function. This makes it possible for unauthenticated attackers to reset all plugin settings t...

4.3CVSS0.00181EPSS
Exploits0References4
NVD
NVD
added 2026/04/08 7:24 p.m.5 views

CVE-2026-0811

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vszcf7savesettingcallback' function. This makes it possible for unauthenticated attackers to...

5.4CVSS0.00136EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.10 views

PT-2026-31291

Name of the Vulnerable Software and Affected Versions The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net versions up to and including 1.1.5 Description The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPre...

4.3CVSS5.5AI score0.00128EPSS
Exploits0References8
CVE
CVE
added 2026/04/07 11:25 p.m.15 views

CVE-2026-4406

The CVE concerns Gravity Forms for WordPress (≤ 2.9.30) with a Reflected XSS in the gform_get_config AJAX action via the form_ids parameter. The root cause is that GFCommon::send_json() returns JSON wrapped in HTML comments using echo/wp_die(), sending a text/html header instead of application/js...

4.7CVSS6.1AI score0.00356EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.5 views

CVE-2026-22675

OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

6.1CVSS6AI score0.00218EPSS
Exploits0References1
PyPA
PyPA
added 2026/04/07 4:16 p.m.10 views

PYSEC-2026-134

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 3:23 p.m.11 views

CVE-2026-35526

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

7.5CVSS5.9AI score0.00274EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/06 3:40 p.m.31 views

CVE-2026-34756 vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

vLLM is an inference and serving engine for large language models LLMs. From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...

6.5CVSS0.00346EPSS
Exploits0References3
UbuntuCve
UbuntuCve
added 2026/04/06 3:17 p.m.5 views

CVE-2026-26263

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6...

9.8CVSS5.9AI score0.08741EPSS
Exploits0References2
CVE
CVE
added 2026/04/02 10:30 a.m.20 views

CVE-2026-32145

CVE-2026-32145 affects gleam-wisp wisp. The multipart_body and multipart_headers code paths can bypass configured max_body_size and max_files_size, allowing an unauthenticated attacker to exhaust server memory or disk by sending arbitrarily large multipart form submissions in a single HTTP reques...

8.7CVSS5.9AI score0.00622EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/01 12:13 a.m.2 views

GHSA-37FQ-47QJ-6J5J YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"

Summary A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. Type: Stored an...

7.1CVSS6AI score0.00213EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/01 12:3 a.m.10 views

TorchGeo Remote Code Execution Vulnerability

Impact TorchGeo 0.4–0.6.0 used an eval statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose torchgeo.models.getweight or torchgeo.trainers as an external API could be affected. Patches The eval statement wa...

8.1CVSS6.2AI score0.01221EPSS
Exploits0References9Affected Software1
NVD
NVD
added 2026/03/31 4:16 p.m.6 views

CVE-2026-34240

JOSE is a Javascript Object Signing and Encryption JOSE library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header jwk. The vulnerability exists because key selection could tre...

7.5CVSS0.0013EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/31 2:2 p.m.6 views

CVE-2026-34202

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic crash. This is triggered by sending a specially crafted V5...

9.2CVSS5.8AI score0.00725EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/03/31 2:15 a.m.43 views

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

9.8CVSS0.40992EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/27 2:23 p.m.9 views

CVE-2021-27931

LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...

9.1CVSS6.8AI score0.18607EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/27 12:38 a.m.27 views

CVE-2026-33890 MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without...

9.3CVSS0.00492EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:9 p.m.5 views

CVE-2026-33281

Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected...

7.5CVSS5.8AI score0.00393EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.5 views

CVE-2026-28253

A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition...

8.7CVSS5.8AI score0.00307EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/25 4:24 p.m.28 views

CVE-2026-26233 Denial of Service via HTTP/2 single packet attack on login endpoint

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...

4.3CVSS0.00305EPSS
Exploits0References1
Rows per page
Query Builder