Lucene search
K

363 matches found

Nuclei
Nuclei
added yesterday35 views

Blinko <= 1.8.3 - User Information Leak

Blinko = 1.8.4 contains an information disclosure caused by a publicly accessible endpoint exposing user information including usernames, roles, and account creation dates, letting remote attackers access sensitive user data, exploit requires no special privileges. id: CVE-2026-23486 info: name:...

6.9CVSS6.1AI score0.00711EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-59262

A flaw was found in AFFiNE. This vulnerability allows an authenticated workspace member to bypass document read permissions by supplying arbitrary document Globally Unique Identifiers GUIDs to the histories GraphQL field. This can lead to information disclosure, enabling attackers to retrieve ful...

7.1CVSS6.1AI score0.00238EPSS
Exploits0References7
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-59262 AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails...

7.1CVSS0.00238EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/02 6:0 a.m.40 views

CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

0.00189EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 7:41 p.m.28 views

CVE-2026-44731 OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user account...

4.3CVSS0.00186EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/19 5:48 p.m.5 views

CVE-2019-25762

Joomla! Component JoomProject 1.1.3.2 contains an information disclosure vulnerability that allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. Attackers can send requests to index.php with option=comjpprojects&view=projects&tmpl=component&format=js...

8.7CVSS5.9AI score0.00442EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.16 views

PT-2026-50998

Name of the Vulnerable Software and Affected Versions Joomla! Component JoomProject version 1.1.3.2 Description An information disclosure issue allows unauthenticated attackers to access sensitive user data by exploiting the projects endpoint. By sending requests to 'index.php' using the paramete...

8.7CVSS5.9AI score0.00442EPSS
Exploits0References8
OSV
OSV
added 2026/06/16 12:37 p.m.5 views

BIT-DISCOURSE-2026-44782 Discourse: GroupPostSerializer leaks hidden full names through reaction post association

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.4, 2026.3.0 to before 2026.3.1, and 2026.4.0 to before 2026.4.1, GroupPostSerializer declared includeuserlongname? as the predicate for its :name attribute, but AMS looks for includename?. The misnamed...

4.3CVSS5.3AI score0.00189EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 8:23 p.m.12 views

EUVD-2026-36585

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared includeuserlongname? as the predicate for its :name attribute, but AMS looks for includename?...

4.3CVSS5.3AI score0.00189EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.12 views

Niche Office All in One Video Downloader SQL注入漏洞

Niche Office All in One Video Downloader is an online video download tool developed by the Turkish company Niche Office. Version 1.2 of Niche Office All in One Video Downloader has a SQL injection vulnerability. This vulnerability arises from injecting malicious code through the id parameter, whi...

8.8CVSS6.2AI score0.0027EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.20 views

PT-2026-45617

Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information includi...

8.8CVSS5.9AI score0.00344EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/27 6:30 p.m.10 views

CVE-2026-42197 RELATE Vulnerable to Stored XSS via Unprivileged User Profile

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...

8.7CVSS5.9AI score0.0031EPSS
Exploits0References3
CVE
CVE
added 2026/05/27 6:30 p.m.26 views

CVE-2026-42197

CVE-2026-42197 affects RELATE, a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 are vulnerable to a stored XSS via an unprivileged user profile. The vulnerability arises in the get_user() method of ParticipationAdmin, which renders user-controlled ...

8.7CVSS5.9AI score0.0031EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/27 6:30 p.m.20 views

EUVD-2026-32627

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...

8.7CVSS5.9AI score0.0031EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.16 views

PT-2026-44073

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...

8.7CVSS5.9AI score0.0031EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/05/21 12:0 a.m.12 views

F5 Networks BIG-IP : iControl REST vulnerability (K000160903)

The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.2 / 17.5.1.6 / 21.0.0.2. It is, therefore, affected by a vulnerability as referenced in the K000160903 advisory. An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information le...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in OpenSSH

In SSH in OpenSSH before version 9.6, OS command injection could occur if a user name or host name contained shell metacharacters, and this name was referenced by an expansion token in certain situations. For example, a untrusted Git repository might contain a submodule with shell metacharacters ...

6.5CVSS6.4AI score0.19753EPSS
Exploits8References2
RedhatCVE
RedhatCVE
added 2026/05/14 7:58 p.m.15 views

CVE-2026-42058

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/13 6:30 p.m.9 views

EUVD-2026-29993

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References2
NVD
NVD
added 2026/05/13 4:16 p.m.11 views

CVE-2026-42058

An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

5.3CVSS0.00187EPSS
Exploits0References1
Rows per page
Query Builder