Lucene search
+L

96 matches found

cvelist
cvelist
added 5 days ago33 views

CVE-2026-15072 KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in KCQueryBuilder

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

6.5CVSS0.00281EPSS
Exploits0References8
nvd
nvd
added 2026/07/02 10:16 a.m.9 views

CVE-2026-14029

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS0.00441EPSS
Exploits0References10
cvelist
cvelist
added 2026/06/27 1:27 a.m.41 views

CVE-2026-13331 Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS0.0028EPSS
Exploits0References7
euvd
euvd
added 2026/06/26 2:52 p.m.7 views

EUVD-2026-39710

Subscriber PHP Object Injection in RealHomes = 4.5.3 versions...

8.8CVSS5.8AI score0.00391EPSS
Exploits0References1
euvd
euvd
added 2026/06/26 1:27 a.m.12 views

EUVD-2026-39615

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS6AI score0.00281EPSS
Exploits0References8
cve
cve
added 2026/06/24 5:33 a.m.18 views

CVE-2026-9643

WP Meta SEO for WordPress insert(). This allows injection of arbitrary scripts that execute when an administrator visits the 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). Exploitation details are not provided beyond the generic flow; no fixes, mitigations, or exploita...

7.2CVSS6AI score0.00241EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/06/05 7:29 p.m.9 views

CVE-2026-2712

The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the receiveheartbeat function in includes/class-wp-optimize-heartbeat.php in all versions up to, and including, 4.5.0. This is due to the Heartbeat handler directly...

5.4CVSS5.4AI score0.00427EPSS
Exploits0References1
euvd
euvd
added 2026/05/21 7:34 a.m.9 views

EUVD-2026-31234

An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism...

7.2CVSS6AI score0.00532EPSS
Exploits0References1
euvd
euvd
added 2026/05/21 7:34 a.m.9 views

EUVD-2026-31235

A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data...

6.4CVSS6.1AI score0.00253EPSS
Exploits0References1
osv
osv
added 2026/05/15 8:41 a.m.7 views

BIT-JUPYTER-BASE-NOTEBOOK-2026-42557 jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...

9.6CVSS6.3AI score0.00386EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/05/15 12:0 a.m.16 views

PT-2026-41388

Name of the Vulnerable Software and Affected Versions NukeViet CMS versions prior to 4.5.08 Description Stored Cross-Site Scripting XSS occurs due to insufficient server-side input sanitization in the Request class. The application relies on client-side filtering to sanitize HTML tags and...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References6
nvd
nvd
added 2026/05/14 10:16 a.m.16 views

CVE-2025-11024

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS0.00358EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/14 9:25 a.m.9 views

CVE-2026-2347 IDOR in Akıllı Ticaret's E-Commerce Pack

Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS5.8AI score0.00426EPSS
Exploits0References1
euvd
euvd
added 2026/05/14 9:21 a.m.16 views

EUVD-2025-209838

Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001...

9.8CVSS5.8AI score0.00358EPSS
Exploits0References1
cvelist
cvelist
added 2026/05/12 2:0 p.m.46 views

CVE-2026-43937 YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql`

YetAnotherForum.NET YAF.NET is a C ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and...

8.8CVSS0.00488EPSS
Exploits0References1
cve
cve
added 2026/05/07 11:53 a.m.22 views

CVE-2026-42285

GoBGP CVE-2026-42285 causes a panic (nil pointer dereference) in AdjRib.Update when a remote unauthenticated BGP UPDATE message with inconsistent/short attribute lengths is processed as a withdraw, crashing the GoBGP process and causing DoS. The issue is triggered in version 4.4.0 and has a fix i...

7.5CVSS5.8AI score0.00418EPSS
Exploits1References2Affected Software1
attackerkb
attackerkb
added 2026/05/03 10:0 p.m.8 views

CVE-2026-7705

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function setiptvinfo of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has...

6.5CVSS6.3AI score0.01158EPSS
Exploits0References4Affected Software1
debiancve
debiancve
added 2026/04/20 11:19 p.m.6 views

CVE-2026-35587

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery SSRF vulnerability exists in the Glances IP plugin due to improper validation of the publicapi configuration parameter. The value of publicapi is used directly in outbound HTTP...

8.8CVSS5.7AI score0.00396EPSS
Exploits1
ptsecurity
ptsecurity
added 2026/04/10 12:0 a.m.9 views

PT-2026-32596

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.133 Description An SQL identifier injection exists in SQLiteConversationStore where the table prefix configuration value is directly concatenated into SQL queries using f-strings without validation or...

9.8CVSS5.8AI score0.00297EPSS
Exploits1References16
cnnvd
cnnvd
added 2026/04/10 12:0 a.m.10 views

PraisonAI 安全漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.128 contained security vulnerabilities. These vulnerabilities stemmed from the Python sandbox based on AST, which could be exploited through type.getattribute, potentially...

8.6CVSS6.1AI score0.0024EPSS
Exploits1References1
Rows per page
Query Builder