2072 matches found
CVE-2026-45778
Open XDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the...
User Profile Picture < 2.5.0 - Sensitive Information Disclosure
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...
WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection
The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of...
CVE-2026-50213
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings...
CVE-2026-42280
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...
CVE-2026-9088
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...
CVE-2026-9088 Keycloak: keycloak: information disclosure due to user profile permission bypass
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...
EUVD-2026-34790
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...
PT-2026-47074
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the profile template scope function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files...
PT-2026-46909
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...
EUVD-2026-34225
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings...
CVE-2026-50213 Bulk User Private Data Harvesting
The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings...
StrongDM Security Vulnerability
StrongDM is an infrastructure access management platform developed by the US company StrongDM. Versions of StrongDM prior to 23.74.0 contained security vulnerabilities. These vulnerabilities stemmed from the storage of authentication status in plaintext, including JSON Web Tokens and key material...
CVE-2026-42280
The CVE reports an issue in auth0-js where versions 8.11.0–9.32.0 may improperly return user profile information when a valid access token is used with a crafted invalid ID token, in scenarios where access control relies on Auth0 Actions. Root cause: improper validation in the Auth0.js SDK. Impac...
CVE-2026-42280 Improper Permission Checking in Auth0.js SDK
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...
PT-2026-42564
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 9.5.0. Description: The user-profile edit controller passes the entire raw POST array to the UserInfo::update function without field whitelisting. This allows registered users to change passwords without providing...
Insufficient Granularity of Access Control
Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via the user handler in the resource account service. An attacker...
CVE-2021-47934
MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php...