Lucene search
K

2584 matches found

CVE
CVE
added yesterday9 views

CVE-2026-61684

CVE-2026-61684 affects FastGPT, specifically versions around 4.15.0-beta4. The vulnerability stems from plugin invoke reverse-call endpoints under /api/invoke/* that authenticated solely by a JWT signed with INVOKE_TOKEN_SECRET, which defaults to the literal string token and was not set in offici...

8.8CVSS6.1AI score
Exploits0References4
Cvelist
Cvelist
added yesterday13 views

CVE-2026-61684 FastGPT: Unauthenticated cross-tenant data access via forgeable plugin-invoke JWT (default INVOKE_TOKEN_SECRET='token')

FastGPT is a knowledge-based AI application platform. In 4.15.0-beta4, FastGPT plugin invoke reverse-call endpoints under /api/invoke/ authenticate only by verifying a JWT signed with INVOKETOKENSECRET, which defaults to the constant string token and was not set in official deployment templates. ...

8.8CVSS
Exploits0References4
Nuclei
Nuclei
added yesterday82 views

AntD Admin - Sensitive Information Disclosure

AntD Admin has a security vulnerability that stems from Antd-admin 5.5.0 being affected by an incorrect access control vulnerability. Attackers can exploit this vulnerability to gain unauthorized access to some front-end interfaces, resulting in the leakage of sensitive information such as user...

7.5CVSS6.9AI score0.04305EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday84 views

FortiWeb - Cross Site Scripting

FortiWeb 6.3.0 through 6.3.7 and versions before 6.2.4 contain an unauthenticated cross-site scripting vulnerability. Improper neutralization of input during web page generation can allow a remote attacker to inject malicious payload in vulnerable API end-points. id: CVE-2021-22122 info: name:...

6.1CVSS6.4AI score0.1052EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday56 views

FREEDOM Administration - Default Login

The Web GUI configuration panel of Hirsch formerly Identiv and Viscount Enterphone MESH through 2024 ships with default credentials username freedom, password viscount. The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires ma...

10CVSS7.1AI score0.02329EPSS
Exploits0References3
Nuclei
Nuclei
added 2 days ago34 views

WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure

An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. id: CVE-2019-9880 info: name: WPEngine WPGraphQL 0.2.3 -...

9.1CVSS7AI score0.34761EPSS
Exploits3References4
OSV
OSV
added 2026/06/30 2:2 a.m.9 views

MAL-2026-6673 Malicious code in anthropic-toolkit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90ec82c6478e3a82eac71597b1c1fffc17d1b138e11e1a2aeadec7c00344c65e [email protected] is a typosquat against the @anthropic-ai/sdk ecosystem. The package ships no library code — its declared main dist/index.js i...

6.1AI score
Exploits0References23
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/25 10:30 p.m.9 views

Malicious code in gx-npm-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e Package published at version 99.99.99 under a generic name gx-npm-lib — the canonical dependency-confusion shape used to overshadow internal packages...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/06/25 5:6 p.m.8 views

MAL-2026-6466 Malicious code in gx-npm-feature-flags (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fcad1b944d9ceb92389673398df9f471911a788fe608774a3298c69900bb1c7 [email protected] is a dependency-confusion squat max-semver 99.99.99 on a gx--prefixed name to outrank a private internal package that...

5.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/23 2:12 p.m.10 views

Malicious code in @outmarket/utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2cd90f0d706cda01a5740f120f6e8d22ae57d907a5000854439c201b3c53a8c0 package.json declares a postinstall lifecycle script that fires automatically on npm install. The inline node -e payload uses hex-encoded property...

5.9AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 5:23 p.m.11 views

Malicious code in flowdefi (npm)

flow/surf-lending DeFi cred-exfil campaign sibling c1655. preinstall node index.js || true exfils env secrets to raw C2 2.25.140.71:8443/surflending/npm-confusion verified identical. No-renotify. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

5.4AI score
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2016-20072

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...

8.8CVSS0.0027EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/15 12:0 p.m.8 views

CVE-2016-20072 BBS e-Franchise 1.1.1 WordPress Plugin SQL Injection via uid

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...

8.8CVSS6.1AI score0.0027EPSS
Exploits0References4
CVE
CVE
added 2026/06/15 12:0 p.m.24 views

CVE-2016-20072

CVE-2016-20072 affects the BBS e-Franchise 1.1.1 WordPress plugin. The vulnerability is an SQL injection in the uid parameter used by the plugin’s shortcode, enabling unauthenticated attackers to craft requests (Union-based SQLi) to extract sensitive data (e.g., user information, taxonomy terms)....

8.8CVSS6.2AI score0.0027EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 11:56 a.m.17 views

Malicious code in unico-android (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192 On npm install, the package.json preinstall hook runs curl against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters...

5.5AI score
Exploits0References1
Cvelist
Cvelist
added 2026/06/15 3:15 a.m.41 views

CVE-2026-12213 hcengineering Huly Platform User Information operations.ts getAccountInfo improper authorization

A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launche...

5.3CVSS0.00203EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/15 3:15 a.m.7 views

CVE-2026-12213 hcengineering Huly Platform User Information operations.ts getAccountInfo improper authorization

A vulnerability was found in hcengineering Huly Platform up to 0.7.0. Affected by this vulnerability is the function getAccountInfo of the file server/account/src/operations.ts of the component User Information Handler. The manipulation results in improper authorization. The attack may be launche...

5.3CVSS4.8AI score0.00203EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/13 9:17 p.m.15 views

Malicious code in patientdocuments (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 56c5ab4dc6470deaebe29f4851edb91bc5d5704e9f9578a91e238490708c007b package.json declares a preinstall lifecycle script that runs wget --quiet...

6.2AI score
Exploits0References2
OSV
OSV
added 2026/06/12 7:3 p.m.15 views

MAL-2026-5707 Malicious code in ttspc-server-sample (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98ea79d9fce12a87d3949dc748617f8077a1ae0822fadab451c27d2c8a2feb9b [email protected] declares postinstall: node index.js in package.json, so on npm install it automatically executes index.js. The script...

5.5AI score
Exploits0References7
OSV
OSV
added 2026/06/12 7:2 p.m.14 views

MAL-2026-5703 Malicious code in eslint-plugin-mistica-local-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123 package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity os.hostname, os.platform,...

5.3AI score
Exploits0References1
Rows per page
Query Builder