Lucene search
K

522 matches found

NVD
NVD
added 5 days ago6 views

CVE-2026-59853

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /api/storage/getCriteria endpoint returns saved search criteria from data/storage/criteria.json without the publish-access filtering used by sibling storage endpoints, allowing a publish-mode Reader to read private...

6.5CVSS0.00235EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 5 days ago6 views

CVE-2026-59853

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, the /api/storage/getCriteria endpoint returns saved search criteria from data/storage/criteria.json without the publish-access filtering used by sibling storage endpoints, allowing a publish-mode Reader to read private...

6.5CVSS6AI score0.00235EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-57010

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description The '/api/storage/getCriteria' endpoint returns saved search criteria from the data/storage/criteria.json file without applying the publish-access filtering used by other storage endpoints. This allow...

6.5CVSS6.1AI score0.00235EPSS
Exploits0References5
NVD
NVD
added 2026/07/02 10:16 a.m.9 views

CVE-2026-12122

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the getsinglesymbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and...

5.3CVSS0.00285EPSS
Exploits0References8
CVE
CVE
added 2026/07/02 8:33 a.m.14 views

CVE-2026-12122

The CVE-2026-12122 entry documents a vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions up to and including 6.0.11). The issue is a Sensitive Information Exposure via get_single_symbol that allows unauthenticated attackers to extract full b...

5.3CVSS5.8AI score0.00285EPSS
Exploits0References8
NVD
NVD
added 2026/07/02 6:16 a.m.9 views

CVE-2026-11781

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

2.7CVSS0.00189EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/02 6:0 a.m.40 views

CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

0.00189EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 6:0 a.m.16 views

CVE-2026-11781

The CVE-2026-11781 entry affects the Adminify WordPress plugin prior to version 4.2.10. The vulnerability arises because the plugin does not perform per-user read-capability checks on results returned by an administration search feature. As a result, users with a low-privilege role (Contributor) ...

2.7CVSS5.7AI score0.00189EPSS
Exploits0References1
NVD
NVD
added 2026/06/27 8:16 a.m.16 views

CVE-2026-11987

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This...

4.3CVSS0.00271EPSS
Exploits0References14
EUVD
EUVD
added 2026/06/27 6:50 a.m.9 views

EUVD-2026-39948

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This...

4.3CVSS5.7AI score0.00271EPSS
Exploits0References14
CVE
CVE
added 2026/06/27 6:50 a.m.19 views

CVE-2026-11987

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution (WordPress) up to version 5.0.4 is vulnerable to Insecure Direct Object Reference via the id parameter due to missing validation on a user‑controlled key. Authenticated attackers with subscriber+ access can read other vendors’ pro...

4.3CVSS5.7AI score0.00271EPSS
Exploits0References14
Positive Technologies
Positive Technologies
added 2026/06/27 12:0 a.m.15 views

PT-2026-53052

Name of the Vulnerable Software and Affected Versions Dokan: AI Powered WooCommerce Multivendor Marketplace Solution versions prior to 5.0.5 Description An Insecure Direct Object Reference exists due to missing validation on a user-controlled key. Authenticated attackers with subscriber-level...

4.3CVSS5.8AI score0.00271EPSS
Exploits0References20
OSV
OSV
added 2026/06/24 6:42 p.m.4 views

DRUPAL-CONTRIB-2026-060

The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to unpublished library items in lists. This vulnerability is mitigated by the fact the paragraphs\library module must be in use, and that an attacker must have...

6.5CVSS5.9AI score0.00132EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.10 views

PT-2026-52173

Name of the Vulnerable Software and Affected Versions Drupal Paragraphs versions 0.0.0 through 1.21.0 Description A missing authorization issue in the Paragraphs Library module allows forceful browsing. The module does not sufficiently restrict access to unpublished library items within lists. Th...

6.1AI score0.00132EPSS
Exploits0References3
OSV
OSV
added 2026/06/19 5:47 p.m.6 views

GHSA-MQQ5-J7W8-2HGH AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content

Unauthenticated nested page API leaks restricted & unpublished content - Location: app/controllers/alchemy/api/pagescontroller.rb:28 Api::PagesControllernested - Affected version: Alchemy CMS 8.3.0.dev Rails 8.1.3 Description The unauthenticated GET /api/pages/nested endpoint returns the full pag...

7.5CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:19 p.m.7 views

Interpretation Conflict

Overview org.webjars.npm:tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of PAX extended header size overrides in intermediary metadata headers. An attacker can cause inconsistent archive parsing results...

6.9CVSS5.3AI score0.00107EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/08 3:14 a.m.14 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the OAuth2Client function. An attacker can redirect users to arbitrary external sites by crafting a malicious link and tricking them into clicking it. Remediation A fix was pushed into the master branch but not yet...

5.3CVSS5.6AI score0.00303EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/06 2:28 a.m.10 views

CVE-2026-8502 LearnPress <= 4.3.6 - Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'returntype' parameter. This makes it possible for unauthenticated attackers to extract sensitive data...

5.3CVSS5.5AI score0.00353EPSS
Exploits0References14
CNNVD
CNNVD
added 2026/06/06 12:0 a.m.12 views

WordPress plugin LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

5.3CVSS5.4AI score0.00353EPSS
Exploits0References15
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.11 views

CVE-2026-4019

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/postid/blockid using returntrue as the permissioncallback, allowing any...

5.3CVSS5.4AI score0.00276EPSS
Exploits0References1
Rows per page
Query Builder