Lucene search
K
CvelistRecent

365125 matches found

Cvelist
Cvelist
added 38 minutes ago3 views

CVE-2026-62147 Tempo-operator: tempo operator: query rbac bypass

The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces...

6.5CVSS
Exploits0References2
Cvelist
Cvelist
added 52 minutes ago3 views

CVE-2026-15558 CodeAstro Simple Online Leave Management System deletemp.php sql injection

A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed...

6.5CVSS
Exploits0References6
Cvelist
Cvelist
added 52 minutes ago3 views

CVE-2026-12257 Remote code execution in Mura Software’s CMS

Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution RCE vulnerability. The flaw is located in the endpoint “/index.cfm/api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion...

5.1CVSS
Exploits0References1
Cvelist
Cvelist
added 1 hour ago4 views

CVE-2026-6541 Unscoped updates to other playbooks' metric configuration

Mattermost versions 11.7.x = 11.7.1, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a...

4.3CVSS
Exploits0References1
Cvelist
Cvelist
added 1 hour ago5 views

CVE-2026-9820 Mattermost schemes teams endpoint exposes private team invite IDs

Mattermost versions 11.7.x = 11.7.2, 10.11.x = 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API...

3.8CVSS
Exploits0References1
Cvelist
Cvelist
added 1 hour ago4 views

CVE-2026-9824 Remote cluster metadata enumeration via /share-channel autocomplete

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to check the managesharedchannels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash...

4.3CVSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago4 views

CVE-2026-14934 Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise

A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tena...

9.4CVSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago3 views

CVE-2026-4765 Stored Cross-Site Scripting (XSS) in Tallos Chat by RD Station Conversas

Stored Cross-Site Scripting XSS vulnerability in the RD Station Conversas chat. The vulnerability resides in the ‘name’ parameter of the initialization process due to improper sanitization of user input. The vulnerability is not limited to self-exploitation: when a support agent joins the...

5.1CVSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago3 views

CVE-2026-13014 Remote Code Execution vulnerability in "Suspicious" application

A vulnerability in Thales CERT "Suspicious" application = 1.3.4 allows a remote and unauthenticated attacker to execute arbitrary code and arbitrarily overwrite writable application files—including Python modules, configuration files, cron inputs, and runtime artifacts—leading to a persistent...

9.2CVSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago2 views

CVE-2026-14846 Incorrect neutralisation in the PrestaShop firmware

In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the ‘Alias’ parameter in the ‘Update your address’ function. This flaw allows an attacker to inject malicious expressions that are executed when the...

4.5CVSS
Exploits0References1
Cvelist
Cvelist
added 2 hours ago5 views

CVE-2026-15557 waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication

A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This...

7.5CVSS
Exploits0References6
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-22103 Command injection in NPC start web endpoint

The NPC start endpoint on the web server at port 8090 is vulnerable to command injection...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-22098 Sensitive information is written to logs

Various sensitive information such as passwords and charging card UIDs are written to log files...

9.2CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-22097 Missing firmware validation allows remote code execution

The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-22099 Missing authentication for Bluetooth communication

The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL...

8.7CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-22102 Arbitrary file overwrite through certificate update functionality

A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification. This can be used to cause a denial of service by overwriting system files, or...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-22096 Missing authentication for webserver endpoints

The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-22100 Comnand injection in OCPP ReserveLogin message

The OCPP DataTransfer message ReserveLogin is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root...

8.6CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-22095 Command injection in diagnosis web endpoint

The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-22093 Adversary-in-the-Middle (AitM) attack vulnerability in EVbee Service app

The EVbee Service Android app uses TLS encrypted communication HTTPS, but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is...

9.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-41041 Apache Gravitino: URL path injection via unencoded user-supplied identifiers in MCP REST client f-string URL construction, enabling path traversal to unintended API endpoints.

URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue...

Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-49876 Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs

Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 through 1.2.1. Users are recommended to upgrade to...

Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-15548 Shibby Tomato DNS List Rendering httpd sub_407220 stack-based overflow

A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. This vulnerability affects the function sub407220 of the file /usr/sbin/httpd of the component DNS List Rendering. The manipulation leads to stack-based buffer overflow. The attack is possible to be carried out remotely...

9CVSS
Exploits0References5
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-61955 WordPress گرویتی فرم فارسی plugin <= 3.0.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Hannan گرویتی فرم فارسی persian-gravity-forms allows Blind SQL Injection.This issue affects گرویتی فرم فارسی: from n/a through = 3.0.2...

7.6CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-59515 WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through = 1.5.4...

9.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-57810 WordPress APIExperts Square for WooCommerce plugin <= 4.7.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection.This issue affects APIExperts Square for WooCommerce: from n/a through = 4.7.4...

8.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57803 WordPress Struktur Core plugin <= 2.5.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through = 2.5.1...

7.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57782 WordPress Universal Clocks plugin <= 1.2.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in PressTigers Universal Clocks universal-clocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Clocks: from n/a through = 1.2.0...

5.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57774 WordPress VW Food Corner theme <= 1.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in vowelweb VW Food Corner vw-food-corner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Food Corner: from n/a through = 1.1.0...

5.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57773 WordPress Advanced Shipment Tracking for WooCommerce plugin <= 4.0 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Zorem Advanced Shipment Tracking for WooCommerce woo-advanced-shipment-tracking allows Blind SQL Injection.This issue affects Advanced Shipment Tracking for WooCommerce: from n/a through = 4.0...

7.6CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago5 views

CVE-2026-57744 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through = 2.5...

9.8CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-57743 WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion.This issue affects RT-Theme 18 | Extensions: from n/a through = 2.5...

8.1CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-57741 WordPress AcyMailing SMTP Newsletter plugin <= 10.11.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/a through = 10.11.0...

7.1CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-59518 WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through = 8.8.2...

9.8CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-59516 WordPress ICS Calendar plugin <= 12.1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through = 12.1.1...

7.1CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago4 views

CVE-2026-57813 WordPress MailOptin plugin <= 1.2.77.3 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in properfraction MailOptin mailoptin allows Privilege Escalation.This issue affects MailOptin: from n/a through = 1.2.77.3...

9.8CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57811 WordPress Realtyna Organic IDX plugin plugin <= 5.2.0 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Realtyna Realtyna Organic IDX plugin real-estate-listing-realtyna-wpl allows Remote Code Inclusion.This issue affects Realtyna Organic IDX plugin: from n/a through = 5.2.0...

10CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-57804 WordPress TheGem theme Elements (for Elementor) plugin <= 5.11.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CodexThemes TheGem Theme Elements for Elementor thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements for Elementor: from n/a through...

7.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-61956 WordPress ووسلام – همگام سازی ووکامرس و باسلام plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in hamsalam ووسلام همگام سازی ووکامرس و باسلام sync-basalam allows Cross Site Request Forgery.This issue affects ووسلام همگام سازی ووکامرس و باسلام: from n/a through = 1.9.1...

7.1CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-61952 WordPress WooCommerce Bulk Edit Products – WP Sheet Editor plugin <= 1.8.21 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products – WP Sheet Editor: from n/a through = 1.8.21...

4.9CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago4 views

CVE-2026-59521 WordPress Real Testimonials plugin <= 3.1.15 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through = 3.1.15...

7.2CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57816 WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in FunnelKit Funnel Builder by FunnelKit funnel-builder allows Reflected XSS.This issue affects Funnel Builder by FunnelKit: from n/a through = 3.15.0.8...

7.1CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57812 WordPress Simply Schedule Appointments plugin <= 1.6.12.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through = 1.6.12.4...

6.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago4 views

CVE-2026-57802 WordPress Struktur theme <= 2.5.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through = 2.5.1...

7.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago4 views

CVE-2026-57801 WordPress SetSail theme <= 2.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through = 2.1...

7.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57798 WordPress NewsPlus Shortcodes plugin <= 4.2.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in SaurabhSharma NewsPlus Shortcodes newsplus-shortcodes allows PHP Local File Inclusion.This issue affects NewsPlus Shortcodes: from n/a through = 4.2.0...

7.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago4 views

CVE-2026-57795 WordPress Kitchor theme <= 1.4.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in themelexus Kitchor kitchor allows PHP Local File Inclusion.This issue affects Kitchor: from n/a through = 1.4.3...

7.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57781 WordPress MeetingHub plugin <= 1.25.10 - Broken Access Control vulnerability

Missing Authorization vulnerability in Sovlix MeetingHub meetinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MeetingHub: from n/a through = 1.25.10...

5.3CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-57780 WordPress Envision Page Builder plugin <= 0.22 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Plugin Envision Envision Page Builder envision-page-builder allows DOM-Based XSS.This issue affects Envision Page Builder: from n/a through = 0.22...

6.5CVSS
Exploits0References1
Cvelist
Cvelist
added 3 hours ago2 views

CVE-2026-57779 WordPress Fascinate theme <= 1.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in themebeez Fascinate fascinate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fascinate: from n/a through = 1.1.5...

5.3CVSS
Exploits0References1
Total number of security vulnerabilities365125