Lucene search
K

455242 matches found

Nuclei
Nuclei
added yesterday38 views

AppCMS - Cross-Site Scripting

AppCMS 2.0.101 has a cross-site scripting vulnerability in \templates\m\inchead.php. id: CVE-2021-45380 info: name: AppCMS - Cross-Site Scripting author: pikpikcu severity: medium description: AppCMS 2.0.101 has a cross-site scripting vulnerability in \templates\m\inchead.php. impact: | Successfu...

6.1CVSS6.3AI score0.02542EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday449 views

Next.js - Server Side Request Forgery (SSRF)

Next.Js, inferior to version 14.1.1, have its image optimization built-in component prone to SSRF. id: CVE-2024-34351 info: name: Next.js - Server Side Request Forgery SSRF author: righettod severity: high description: | Next.Js, inferior to version 14.1.1, have its image optimization built-in...

7.5CVSS7.1AI score0.05453EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday38 views

mooSocial v.3.1.8 - Cross-Site Scripting

Cross-Site Scripting XSS vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function. id: CVE-2023-44813 info: name: mooSocial v.3.1.8 - Cross-Site Scripting author: ritikchaddha severity:...

6.1CVSS6.8AI score0.01769EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday37 views

WP Helper Lite < 4.3 - Cross-Site Scripting

The WP Helper Lite WordPress plugin, in versions 4.3, returns all GET parameters unsanitized in the response, resulting in a reflected cross-site scripting vulnerability. id: CVE-2023-0448 info: name: WP Helper Lite 4.3 - Cross-Site Scripting author: ritikchaddha severity: medium description: | T...

6.1CVSS6.3AI score0.44513EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday26 views

Atom CMS v2.0 - SQL Injection

AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php. id: CVE-2022-24223 info: name: Atom CMS v2.0 - SQL Injection author: theamanrawat severity: critical description: | AtomCMS v2.0 was discovered to contain a SQL injection vulnerability via /admin/login.php...

9.8CVSS7.2AI score0.61965EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday36 views

WordPress WPQA <5.4 - Cross-Site Scripting

WordPress WPQA plugin prior to 5.4 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter on its reset password form. id: CVE-2022-1597 info: name: WordPress WPQA 5.4 - Cross-Site Scripting author: veshraj severity: medium description: | WordPress WPQ...

6.1CVSS6.3AI score0.0291EPSS
Exploits2References5
Nuclei
Nuclei
added yesterday41 views

NeDi 1.9C - Cross-Site Scripting

NeDi 1.9C is vulnerable to cross-site scripting because of an incorrect implementation of sanitize in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a...

6.1CVSS6.2AI score0.03442EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday26 views

DomainMOD 4.13.0 - Cross-Site Scripting

DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...

5.4CVSS6AI score0.01331EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday33 views

Extreme Management Center 8.4.1.24 - Cross-Site Scripting

Extreme Management Center 8.4.1.24 contains a cross-site scripting vulnerability via a parameter in a GET request. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.4AI score0.03465EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday29 views

Tiempo.com <= 0.1.2 - Cross-Site Scripting

Tiempo.com before 0.1.2 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to stea...

6.1CVSS6.9AI score0.0085EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday12 views

OpenMetaData - SpEL Injection in PUT /api/v1/policies

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression is also called from PolicyRepository.prepare. prepare is called from...

9.4CVSS7.4AI score0.12527EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday20 views

Flarum < 1.8.5 - Open Redirect

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum /logout route includes a redirect parameter that allows any third party to redirect users from a trusted domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be...

6.5CVSS6.3AI score0.01067EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday30 views

WordPress Eventin (Themewinter) ≤ 4.0.26 - Arbitrary File Download

Themewinter Eventin contains a path traversal caused by relative path manipulation, letting attackers access arbitrary files on the server, exploit requires no specific privileges or user interaction. id: CVE-2025-47445 info: name: WordPress Eventin Themewinter ≤ 4.0.26 - Arbitrary File Download...

9.8CVSS7.3AI score0.0465EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday9 views

URL Shortify <= 1.12.1 - Open Redirect

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirectto' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentiall...

4.7CVSS5.9AI score0.00592EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday11 views

MindsDB - Remote Code Execution

MindsDB 25.9.1.1 contains a remote code execution caused by path traversal in the /api/files upload file module, letting authenticated attackers write arbitrary files and execute commands, exploit requires authentication. id: CVE-2026-27483 info: name: MindsDB - Remote Code Execution author:...

8.8CVSS6.7AI score0.11113EPSS
Exploits4References4
Nuclei
Nuclei
added yesterday16 views

Mail Mint < 1.19.5 - Unauthenticated Email Disclosure

Mail Mint WordPress plugin 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication. id: CVE-2026-2025 info: name: Mail Mint 1.19.5 -...

7.5CVSS5.9AI score0.01379EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday38 views

Budibase - Authentication Bypass

Budibase = 3.31.4 contains an authentication bypass caused by unanchored regex in authorized middleware matching webhook path patterns in query strings, letting unauthenticated remote attackers access any server-side API endpoint, exploit requires crafted request with webhook pattern in URL. id:...

9.1CVSS6AI score0.15339EPSS
Exploits2References2
Nuclei
Nuclei
added yesterday16 views

Glances - Information Disclosure

Glances 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges. id: CVE-2026-32596 info: name: Glances -...

8.7CVSS7.1AI score0.0155EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday11 views

WordPress TS Poll < 2.4.0 - SQL Injection

WordPress TS Poll plugin 2.4.0 contains a SQL injection caused by lack of sanitization and escaping of a parameter before using it in a SQL statement, letting attackers perform SQL injection attacks, exploit requires admin privileges. id: CVE-2024-8625 info: name: WordPress TS Poll 2.4.0 - SQL...

7.2CVSS6AI score0.02277EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday17 views

Open WebUI 'LDAP Empty Password' - Authentication Bypass

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP authentication endpoint does not validate that the submitted password is non-empty before performing a Simple Bind against the LDAP server. The LdapForm Pydantic model accep...

9.1CVSS7.2AI score0.01461EPSS
Exploits1References2
Rows per page
Query Builder