Lucene search
K

11397 matches found

EUVD
EUVD
added yesterday9 views

EUVD-2026-43262

A vulnerability was found in usestrix strix up to 1.0.2. This affects an unknown function of the file systemprompt.jinja of the component PyPI Handler. Performing a manipulation results in inclusion of functionality from untrusted control sphere. The attack is possible to be carried out remotely...

5.1CVSS5.4AI score0.00238EPSS
Exploits0References5
NVD
NVD
added 3 days ago7 views

CVE-2026-6801

The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the contextblogmodalpopup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts...

5.3CVSS0.00239EPSS
Exploits0References2
NVD
NVD
added 3 days ago12 views

CVE-2026-15097

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00201EPSS
Exploits0References6
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-2354 Swiss Toolkit For WP <= 1.4.6 - Authenticated (Author+) Arbitrary File Upload via upload_extension_files()

The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the uploadextensionfiles function in all versions up to, and including, 1.4.6. The uploadextensionfiles function hooks into WordPress's wpcheckfiletypeandext filter...

8.8CVSS0.00553EPSS
Exploits0References5
CVE
CVE
added 3 days ago16 views

CVE-2026-15338

CVE-2026-15338 concerns the LA-Studio Element Kit for Elementor plugin for WordPress. Affected: all versions up to 1.6.1. Issue: Local File Inclusion via the get_type_template function in the progress_type widget setting. Exploitation requires authenticated access at contributor level or higher, ...

7.5CVSS6.5AI score0.00565EPSS
Exploits0References7
CVE
CVE
added 4 days ago11 views

CVE-2026-55377

Technical details about CVE-2026-55377 are not publicly available in the provided documents. Monitor for updates.

8.1CVSS6.1AI score0.00259EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago37 views

CVE-2026-55377 Logto: Account Center MFA management step-up bypass via WebAuthn registration verification

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new...

8.1CVSS0.00259EPSS
Exploits0References4
OSV
OSV
added 4 days ago1 views

CVE-2026-55377 Logto: Account Center MFA management step-up bypass via WebAuthn registration verification

Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, Logto's Account Center step-up check accepted any active verification record that belonged to the current user and had isVerified === true. A WebAuthn registration verification record for binding a new...

8.1CVSS6.1AI score0.00259EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-12918 Mail Mint <= 1.24.1 - Authenticated (Administrator+) SQL Injection via 'recipients' Parameter

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of...

4.9CVSS0.00319EPSS
Exploits0References6
Patchstack
Patchstack
added 4 days ago5 views

WordPress NEX-Forms plugin <= 9.2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin NEX-Forms versions = 9.2.2...

7.1CVSS6.1AI score0.00251EPSS
Exploits0Affected Software1
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-6440 GoodMeet <= 1.1.8 - Cross-Site Request Forgery to Google Meet Credential Reset via 'goodmeet_reset_google_meet_credential'

The GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the resetcredential function, which handles the...

4.3CVSS0.00168EPSS
Exploits0References8
CVE
CVE
added 4 days ago5 views

CVE-2026-6802

The CVE-2026-6802 entry concerns the WordPress plugin Easy Upload Files During Checkout, affected up to version 3.0.1. The vulnerability stems from missing authorization checks in the ufdc_custom_init() function, which processes the eufdc-delete parameter without nonce verification, capability ch...

5.3CVSS6.2AI score0.00243EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 4 days ago8 views

CVE-2026-13347

The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...

7.5CVSS6.1AI score0.00512EPSS
Exploits0References4
Patchstack
Patchstack
added 4 days ago9 views

WordPress LoginPress Pro plugin <= 6.2.3 - Unauthenticated Authentication Bypass vulnerability

Unauthenticated Authentication Bypass vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin LoginPress Pro versions = 6.2.3...

8.1CVSS5.9AI score0.00347EPSS
Exploits0References1Affected Software1
CVE
CVE
added 4 days ago7 views

CVE-2026-15296

The CVE-2026-15296 entry identifies a Stored Cross-Site Scripting vulnerability in the affiliate-toolkit – WP Affiliate Plugin with Amazon for WordPress, exploitable via the atkp_product shortcode in all versions

6.4CVSS6.1AI score0.00266EPSS
Exploits0References3
Patchstack
Patchstack
added 5 days ago4 views

WordPress Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin <= 1.24.1 - Authenticated (Administrator+) SQL Injection vulnerability

Authenticated Administrator+ SQL Injection vulnerability discovered by PRISM in WordPress Plugin Mail Mint versions = 1.24.1...

4.9CVSS6.1AI score0.00319EPSS
Exploits0References1Affected Software1
NVD
NVD
added 5 days ago7 views

CVE-2026-54695

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication, reads an attacker-supplied callSid...

7.5CVSS0.00327EPSS
Exploits1References5
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-54695 Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Prior to 1.4.0, the pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without authentication, reads an attacker-supplied callSid...

7.5CVSS0.00327EPSS
Exploits1References5
Patchstack
Patchstack
added 5 days ago4 views

WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Bonds in WordPress Theme 777 versions = 1.13.0...

9.8CVSS6.1AI score0.00564EPSS
Exploits0Affected Software1
Patchstack
Patchstack
added 5 days ago5 views

WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability

SQL Injection vulnerability discovered by VanTastic in WordPress Plugin AIWU versions = 1.5.4...

9.3CVSS6.1AI score0.004EPSS
Exploits0Affected Software1
Rows per page
Query Builder