Lucene search
+L

461 matches found

CVE
CVE
added last week12 views

CVE-2026-55452

CVE-2026-55452 concerns Snipe-IT (IT asset/license management) where pre-8.5.0 builds store the User-Agent header via Actionlog::logaction() and export it in Activity Report CSV without formula escaping. This allows a low-privileged authenticated user to inject a formula-like payload that can exe...

7.3CVSS6.2AI score0.00234EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/07/08 10:37 p.m.9 views

Cross-site Scripting (XSS)

Overview @appium/base-driver is a Base driver class for Appium drivers Affected versions of this package are vulnerable to Cross-site Scripting XSS via compileLodashTemplate. An attacker can execute arbitrary JavaScript in the context of the server origin by injecting malicious input into the...

9.6CVSS6.2AI score0.0022EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/07/08 8:57 p.m.34 views

CVE-2026-58191 Appium: Reflected XSS / arbitrary JS in @appium/base-driver /test/guinea-pig* routes

Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 10.7.0, Appium's base-driver unconditionally mounts the /test/guinea-pig, /test/guinea-pig-scrollable, and /test/guinea-pig-app-banner routes, and compileLodashTemplate...

6.5CVSS0.0022EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/07/08 1:51 p.m.33 views

CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS0.002EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/07/08 1:51 p.m.6 views

CVE-2026-60092 AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel

AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored meetjoinlog.useragent without...

6.1CVSS5.7AI score0.002EPSS
Exploits0References3
OSV
OSV
added 2026/06/23 7:11 p.m.25 views

GHSA-7CQP-7CFV-6C3Q AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel

Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...

6.4CVSS6.2AI score0.002EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 7:11 p.m.6 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS via the useragent field in the participant logging process. An attacker can execute arbitrary JavaScript in the browser of a privileged us...

9.3CVSS6.1AI score0.002EPSS
Exploits0References2
NVD
NVD
added 2026/06/18 5:16 p.m.12 views

CVE-2026-56022

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641...

6.9CVSS0.00308EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/18 4:11 p.m.11 views

EUVD-2026-37907

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641...

6.9CVSS5.2AI score0.00308EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/18 4:11 p.m.7 views

CVE-2026-56022

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641...

6.9CVSS5.3AI score0.00308EPSS
Exploits0References5
CVE
CVE
added 2026/06/18 4:11 p.m.53 views

CVE-2026-56022

CVE-2026-56022 affects Webmin. The issue allows bypass of MFA by using basic authentication without session cookies when the attacker supplies the header User-Agent: webmin, enabling MFA bypass. The vulnerability is mitigated in Webmin 2.641. "Fixed in 2.641" from the advisory. No exploit details...

6.9CVSS5.2AI score0.00308EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/18 4:11 p.m.22 views

CVE-2026-56022 Webmin MFA bypass

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641...

6.9CVSS0.00308EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.21 views

PT-2026-50713

Name of the Vulnerable Software and Affected Versions Webmin versions prior to 2.641 Description Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header. This behavior allows the bypass of additional multi-factor authentication MFA...

6.9CVSS5.8AI score0.00308EPSS
Exploits0References9
EUVD
EUVD
added 2026/06/16 11:20 a.m.8 views

EUVD-2026-37066

syracom AG Secure Login 2FA for Atlassian Jira, Confluence, and Bitbucket 3.4.0.x contains an authentication bypass vulnerability. An attacker with valid credentials for a user account can bypass the two-factor authentication flow by sending HTTP requests with a crafted User-Agent header containi...

8.7CVSS5.5AI score0.00481EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:22 p.m.12 views

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS5.5AI score0.00481EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:22 p.m.9 views

CVE-2026-7634

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

7.2CVSS5.6AI score0.00436EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.15 views

CVE-2026-46364

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 8:16 a.m.13 views

CVE-2026-7634

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

7.2CVSS0.00436EPSS
Exploits0References14
CVE
CVE
added 2026/05/28 6:45 a.m.26 views

CVE-2026-7634

Technical details are not publicly available in the provided documents. Monitor for updates.

7.2CVSS6AI score0.00436EPSS
Exploits0References14
Vulnrichment
Vulnrichment
added 2026/05/28 6:45 a.m.12 views

CVE-2026-7634 SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...

7.2CVSS6AI score0.00436EPSS
Exploits0References14
Rows per page
Query Builder