CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

78 matches found

Vulnrichment•added 2026/05/21 5:11 p.m.•4 views

CVE-2026-48243 Open ISES Tickets < 3.44.2 Hardcoded WhitePages API Key in wp1.php

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

6.9CVSS5.8AI score0.00037EPSS

Exploits0References3

OSV•added 2026/05/05 10:20 p.m.•3 views

GHSA-XR49-F4RH-QCJF AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization

Summary An unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints e.g. userslist without logging in. Details objects/plugins.json.php is public and still exposes plugin objectdata containing APISecret. That secret is accepted by...

8.7CVSS5.8AI score0.00066EPSS

Exploits0References4

Snyk•added 2026/04/17 10:20 p.m.•0 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...

8.6CVSS5.8AI score0.00035EPSS

Exploits0References3

Snyk•added 2026/04/17 10:20 p.m.•1 views

Access Control Bypass

8.6CVSS5.8AI score0.00035EPSS

Exploits0References3

ATTACKERKB•added 2026/04/14 12:8 a.m.•0 views

CVE-2026-34261

Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects...

6.5CVSS5.8AI score0.0003EPSS

Exploits0References3Affected Software1

NVD•added 2026/04/01 1:16 a.m.•1 views

CVE-2025-71281

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations...

9.8CVSS0.00061EPSS

Exploits0References2

CNNVD•added 2026/04/01 12:0 a.m.•2 views

Xenforo 代码注入漏洞

Xenforo is a forum software developed by the Xenforo company. Versions of XenForo prior to 2.3.7 had a code injection vulnerability. This vulnerability stemmed from improper restrictions on methods that could be called within templates, allowing unauthorized method calls to occur...

9.8CVSS5.9AI score0.00061EPSS

Exploits0References2

CNNVD•added 2026/03/31 12:0 a.m.•2 views

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.67 and 9.7.0-alpha.11. These vulnerabilities stemmed from a flaw where attackers could...

9.1CVSS5.8AI score0.00041EPSS

Exploits0References5

NVD•added 2026/03/19 10:16 p.m.•1 views

CVE-2026-32001

OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...

5.4CVSS0.00069EPSS

Exploits0References3

EUVD•added 2026/03/19 10:6 p.m.•1 views

EUVD-2026-13253

5.4CVSS5.8AI score0.00069EPSS

Exploits0References3

RedhatCVE•added 2026/02/24 10:25 p.m.•3 views

CVE-2026-23693

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor elementskit-lite WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API...

10CVSS5.5AI score0.00198EPSS

Exploits0References1

OSV•added 2026/01/12 9:15 a.m.•1 views

CVE-2025-14279

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An...

8.1CVSS6.8AI score

Exploits0References2

Wallarm Lab•added 2025/10/21 11:0 a.m.•8 views

Key API Security Takeaways from the Postman 2025 State of API Report

API security has never been more important because modern APIs are operational necessities. Unfortunately, many organizations are failing to adapt their security models to a rapidly changing API threat landscape. Like it or not, we live in an AI-first world, and API security must reflect that...

7AI score

Exploits0

Positive Technologies•added 2025/10/14 12:0 a.m.•2 views

PT-2025-41885

Name of the Vulnerable Software and Affected Versions SiPass integrated versions prior to 3.0 Description A broken access control issue exists in SiPass integrated server applications. The authorization mechanism does not have enough server-side checks, which allows an attacker to execute a...

5.1CVSS6.7AI score0.0004EPSS

Exploits0References3

EUVD•added 2025/10/07 12:30 a.m.•1 views

EUVD-2017-11837

Malware in sbrugna...

4.3CVSS4.2AI score0.0007EPSS

Exploits0References3

EUVD•added 2025/10/07 12:30 a.m.•1 views

EUVD-2001-1234

Malware in sbrugna...

4.6CVSS6.4AI score0.00053EPSS

Exploits0References3