Lucene search
K

2368 matches found

NVD
NVD
added 2026/05/20 4:16 a.m.18 views

CVE-2025-15369

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getcontenteditor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create...

5.3CVSS0.00248EPSS
Exploits0References2
CVE
CVE
added 2026/05/20 1:25 a.m.44 views

CVE-2026-7284

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress (up to version 1.4.4) is affected by unauthenticated privilege escalation. The issue arises from the easyel_handle_register function not restricting the allowed user roles during registration, enabling an attacker t...

9.8CVSS5.8AI score0.00494EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/19 10:52 a.m.15 views

EUVD-2026-30883

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language SAML endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service DoS where the server becomes...

7.5CVSS5.8AI score0.00743EPSS
Exploits0References2
CVE
CVE
added 2026/05/19 12:0 a.m.19 views

CVE-2026-31070

The CVE-2026-31070 vulnerability affects the LalanaChami Pharmacy Management System (commit 5c3d028). The /api/user/signup endpoint fails to validate the role parameter in the request body, allowing unauthenticated remote attackers to self-assign an administrative role during registration and esc...

9.8CVSS5.8AI score0.00476EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/16 3:26 p.m.41 views

CVE-2021-47956 EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname

EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive databas...

8.8CVSS0.00276EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.11 views

DHTMLX Gantt 路径遍历漏洞

DHTMLX Gantt is a JavaScript Gantt chart component developed by DHTMLX Corporation. It supports project planning, task scheduling, and timeline visualization. Versions of DHTMLX Gantt prior to 0.7.6 contained a path traversal vulnerability. This vulnerability stemmed from a lack of HTML cleaning,...

9.2CVSS5.8AI score0.00497EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 5:38 a.m.24 views

CVE-2025-14869

GitLab CVE-2025-14869 affects GitLab CE/EE versions 18.5–before 18.9.7, 18.10–before 18.10.6, and 18.11–before 18.11.3. It could allow an unauthenticated attacker to cause a denial of service by sending specially crafted payloads to certain API endpoints. CVSSv3.1 base score 7.5 (HIGH), with NETW...

7.5CVSS5.8AI score0.00354EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/13 6:30 p.m.9 views

EUVD-2020-31223

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in t...

7.2CVSS5.9AI score0.00311EPSS
Exploits0References5
NVD
NVD
added 2026/05/12 11:16 p.m.17 views

CVE-2026-44341

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

5.3CVSS0.00239EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 9:16 a.m.24 views

CVE-2026-6808

The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS0.00255EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/12 7:48 a.m.67 views

CVE-2026-7626 Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsbhandleslekpaymentredirect function placing the merchant's slekkey and sleksecret API credentials directly into a client-side HTML form, and additionally embedding the...

5.3CVSS0.00251EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/12 2:27 a.m.10 views

CVE-2026-41456

Bludit CMS prior to commit 6732dde contains a reflected cross-site scripting vulnerability in the search plugin that allows unauthenticated attackers to inject arbitrary JavaScript by crafting a malicious search query. Attackers can execute malicious scripts in the browsers of users who visit...

5.1CVSS5.8AI score0.00379EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 2:19 a.m.39 views

CVE-2026-34258 Content Spoofing vulnerability in SAPUI5 (Search UI)

SAPUI5 Search UI allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low...

4.7CVSS0.00249EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 6:16 p.m.25 views

CVE-2026-44226

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an...

5.3CVSS0.00336EPSS
Exploits1References1
NVD
NVD
added 2026/05/08 11:16 p.m.16 views

CVE-2026-44286

FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery SSRF vulnerability allows attackers or authenticated users with App editing privileges to send arbitrary HTTP requests to internal/private network addresses. The fetchData function i...

2.3CVSS0.00228EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 12:59 a.m.6 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the stampExpression and watermarkExpression parameters in the merge, split, and convert routes. An attacker can access the contents of arbitrary PDF files on the server by supplying a path to a...

6.9CVSS5.9AI score0.00311EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/05/07 12:0 a.m.14 views

PT-2026-38588

Name of the Vulnerable Software and Affected Versions GitHub Enterprise Server versions prior to 3.21 Description An authentication bypass allows an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication is enable...

6.3CVSS5.8AI score0.00266EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/05/06 6:47 a.m.5 views

CVE-2026-7332

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookingformpageurl' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possib...

7.2CVSS6AI score0.0045EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/05/05 11:24 a.m.4 views

CVE-2023-54349

AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when...

6.1CVSS5.9AI score0.00265EPSS
Exploits0References4Affected Software1
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2024-12281

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by...

9.8CVSS7.3AI score0.00402EPSS
In wildExploits0References2
Rows per page
Query Builder