CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

66 matches found

EUVD•added 2026/05/08 9:26 p.m.•7 views

EUVD-2026-28836

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...

8.8CVSS5.7AI score0.00044EPSS

Exploits0References2

CNNVD•added 2026/05/08 12:0 a.m.•4 views

Avo 访问控制错误漏洞

Avo is an open-source Ruby on Rails management panel framework developed by Avo itself. Versions of Avo prior to 3.31.2 contained a security vulnerability related to access control. This vulnerability stemmed from insecure operation search logic in the ActionsController, allowing authenticated...

8.8CVSS5.7AI score0.00044EPSS

Exploits0References2

Github Security Blog•added 2026/04/24 4:11 p.m.•5 views

Avo: Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework v3.x. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of Avo::BaseAction on any resource, even if the action is not registered fo...

8.8CVSS5.7AI score0.00044EPSS

Exploits0References4Affected Software1

Snyk•added 2026/03/06 10:19 p.m.•3 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the Object.assign function. An attacker can manipulate internal entity fields such as id, createdDate, and chatId by...

9.2CVSS5.8AI score0.00455EPSS

Exploits1References2

ATTACKERKB•added 2026/02/27 12:9 a.m.•1 views

CVE-2026-27772

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then...

9.8CVSS5.8AI score0.00197EPSS

Exploits0References4

RedhatCVE•added 2026/01/09 10:12 a.m.•8 views

CVE-2019-2860

Vulnerability in the Oracle Clusterware component of Oracle Support Tools subcomponent: Trace File Analyzer TFA Collector. The supported version that is affected is 12.1.0.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to...

6.8CVSS6AI score0.00536EPSS

Exploits0References1

Vulnrichment•added 2026/01/07 9:21 a.m.•2 views

CVE-2025-13990 Mamurjor Employee Info <= 1.0.0 - Cross-Site Request Forgery to Arbitrary Employee and Related Data Manipulation

The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete...

4.3CVSS5AI score0.00017EPSS

Exploits0References7

EUVD•added 2025/10/14 9:15 a.m.•3 views

EUVD-2025-34158

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications contains a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation...

5.1CVSS6.7AI score0.0004EPSS

Exploits0References2

EUVD•added 2025/10/07 12:30 a.m.•1 views

EUVD-2019-12499

Malware in sbrugna...

6.8CVSS6.1AI score0.00536EPSS

Exploits0References2

EUVD•added 2025/10/07 12:30 a.m.•2 views

EUVD-2018-15060

Malware in sbrugna...

6.1CVSS6.7AI score0.00463EPSS

Exploits0References4

EUVD•added 2025/10/03 8:7 p.m.•3 views

EUVD-2024-0089