Lucene search
+L

73 matches found

nvd
nvd
added 2026/07/02 6:16 a.m.10 views

CVE-2026-11781

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

2.7CVSS0.00189EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/07/02 6:0 a.m.7 views

CVE-2026-11781

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

5.7AI score0.00189EPSS
Exploits0References1
osv
osv
added 2026/06/19 5:47 p.m.7 views

GHSA-MQQ5-J7W8-2HGH AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content

Unauthenticated nested page API leaks restricted & unpublished content - Location: app/controllers/alchemy/api/pagescontroller.rb:28 Api::PagesControllernested - Affected version: Alchemy CMS 8.3.0.dev Rails 8.1.3 Description The unauthenticated GET /api/pages/nested endpoint returns the full pag...

7.5CVSS5.9AI score
Exploits0References2
redhatcve
redhatcve
added 2026/03/26 9:42 p.m.7 views

CVE-2026-4933

A flaw was found in Drupal's Unpublished Node Permissions module. This incorrect authorization vulnerability allows an attacker to bypass intended access controls, potentially enabling them to view unpublished content through forceful browsing...

5.7AI score0.00232EPSS
Exploits0References2
redhatcve
redhatcve
added 2026/03/26 3:18 p.m.5 views

CVE-2026-29113

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

4.3CVSS5.8AI score0.00174EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/03/26 3:5 p.m.4 views

CVE-2026-31891

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...

7.7CVSS5.9AI score0.00397EPSS
Exploits0References1
cvelist
cvelist
added 2026/03/18 2:58 a.m.28 views

CVE-2026-31891 Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...

7.7CVSS0.00397EPSS
Exploits0References2
cve
cve
added 2026/03/18 2:58 a.m.47 views

CVE-2026-31891

CVE-2026-31891 affects Cockpit CMS 2.13.4 and earlier with API access enabled. A SQL injection in the MongoLite Aggregation Optimizer allows an attacker with a valid read-only API key to inject arbitrary SQL via unsanitized field names in aggregation queries (toJsonExtractRaw()), bypassing the pu...

7.7CVSS5.9AI score0.00397EPSS
Exploits0References2Affected Software1
vulnrichment
vulnrichment
added 2026/03/18 2:58 a.m.4 views

CVE-2026-31891 Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()

Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...

7.7CVSS5.9AI score0.00397EPSS
Exploits0References2
nvd
nvd
added 2026/03/10 8:16 p.m.5 views

CVE-2026-29113

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

4.3CVSS0.00174EPSS
Exploits0References2
vulnrichment
vulnrichment
added 2026/03/10 7:44 p.m.2 views

CVE-2026-29113 Craft has a potential information disclosure vulnerability in preview tokens

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

2.3CVSS5.8AI score0.00174EPSS
Exploits0References2
cve
cve
added 2026/03/10 7:44 p.m.17 views

CVE-2026-29113

Craft CMS prior to versions 4.17.4 and 5.9.7 suffers a CSRF flaw in the preview token endpoint (/actions/preview/create-token). The endpoint accepts an attacker-supplied previewToken without requiring a CSRF token, allowing a logged-in editor to mint a preview token chosen by an attacker. The att...

4.3CVSS5.8AI score0.00174EPSS
Exploits0References2Affected Software1
attackerkb
attackerkb
added 2026/03/10 7:44 p.m.2 views

CVE-2026-29113

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

2.3CVSS5.8AI score0.00174EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/03/10 7:44 p.m.4 views

CVE-2026-29113 Craft has a potential information disclosure vulnerability in preview tokens

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

2.3CVSS5.8AI score0.00174EPSS
Exploits0References4
cvelist
cvelist
added 2026/03/10 7:44 p.m.33 views

CVE-2026-29113 Craft has a potential information disclosure vulnerability in preview tokens

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

2.3CVSS0.00174EPSS
Exploits0References2
osv
osv
added 2026/03/10 6:22 p.m.4 views

GHSA-VG3J-HPM9-8V5V Craft CMS has a potential information disclosure vulnerability in preview tokens

Summary Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview...

2.3CVSS5.8AI score0.00174EPSS
Exploits0References4
github
github
added 2026/03/10 6:22 p.m.10 views

Craft CMS has a potential information disclosure vulnerability in preview tokens

Summary Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview...

4.3CVSS5.8AI score0.00174EPSS
Exploits0References4Affected Software1
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.5 views

PT-2026-24638

Summary Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview...

5.8AI score
Exploits0References4
ptsecurity
ptsecurity
added 2026/03/10 12:0 a.m.8 views

PT-2026-24403

Craft is a content management system CMS. Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an...

2.3CVSS5.8AI score0.00174EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/01/09 11:48 a.m.6 views

CVE-2009-4517

Cross-site request forgery CSRF vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to hijack the authentication of arbitrary users for requests that access unpublished content...

6.8CVSS7.6AI score0.00604EPSS
Exploits0References1
Rows per page
Query Builder