417564 matches found

EUVD-2026-40958 (EUVD, added 4 days ago)

The payment integration pretix-oppwa provides support for the payment providers VR Payment, Hobex, and potentially others based on Oppwa's technology. The integration of Oppwa, following their official documentation, includes a step where the user is redirected from the payment provider back to o...

CVSS 10 | AI score 5.8 | EPSS 0.00253 | Exploits 0 | References 1

EUVD-2026-40957 (EUVD, added 4 days ago)

A vulnerability in allegroai/clearml versions up to and including 1.16.5 allows for relative path traversal when extracting .zip archives using the ZipFile.extractall method in StorageManager.extract_to_cache. This issue arises due to the lack of path traversal validation, enabling an attacker to...

CVSS 2.4 | AI score 6.5 | EPSS 0.00357 | Exploits 0 | References 2

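
The validation the ClearML entry above says is missing, as an added example that is not ClearML's code: every archive member is resolved against the destination directory before anything is written, and absolute names or names that escape the destination (the classic "../" entries) fail the extraction as a whole. The archives are constructed in memory for the demonstration.

```python
"""Validating zip members before extraction (added example, not ClearML code)."""
import io
import os
import zipfile


class UnsafeArchiveMember(ValueError):
    """Raised when a member would land outside the destination directory."""


def safe_target(dest: str, member_name: str) -> str:
    """Return the absolute path a member would be written to, or raise.

    Rejects absolute member names, drive letters, and any name whose
    resolved form escapes `dest` (e.g. "../../etc/cron.d/evil").
    """
    dest_abs = os.path.realpath(dest)
    # Treat backslashes as separators so "..\\evil" is judged like "../evil".
    normalized = member_name.replace("\\", "/")
    if normalized.startswith("/") or os.path.splitdrive(normalized)[0]:
        raise UnsafeArchiveMember(f"absolute path in archive: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_abs, normalized))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise UnsafeArchiveMember(f"path traversal in archive: {member_name!r}")
    return target


def safe_extractall(zf: zipfile.ZipFile, dest: str) -> list:
    """Extract every member, failing closed before anything is written."""
    # Validate all names first so a bad entry late in the archive cannot
    # leave a half-extracted directory behind.
    targets = [safe_target(dest, info.filename) for info in zf.infolist()]
    for info, target in zip(zf.infolist(), targets):
        if info.is_dir():
            os.makedirs(target, exist_ok=True)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with zf.open(info) as src, open(target, "wb") as dst:
            dst.write(src.read())
    return targets


def build_archive(entries: dict) -> zipfile.ZipFile:
    """Constructed sample archive from {member_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as dest:
        good = build_archive({"model/weights.bin": b"\x00" * 4})
        print("extracted:", safe_extractall(good, dest))
        bad = build_archive({"../../etc/cron.d/evil": b"* * * * * root id\n"})
        try:
            safe_extractall(bad, dest)
        except UnsafeArchiveMember as exc:
            print("rejected:", exc)
```

Checking all names before writing any of them matters: an archive that is valid for its first hundred members and hostile in the last one would otherwise leave partial output behind and still have hit the traversal.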
EUVD-2026-40956 (EUVD, added 4 days ago)

A Race Condition vulnerability affecting BIOVIA Workbook from Release 2021 through Release 2026 could allow a user to access unauthorized data from another user...

CVSS 8.1 | AI score 5.8 | EPSS 0.00179 | Exploits 0 | References 1

EUVD-2026-40955 (EUVD, added 4 days ago)

MCO does not correctly validate types of uploaded files. File upload validation functionality relies only on client-side checks, which can be bypassed. An authorized, low-privileged attacker can upload files with arbitrary types to the server. Because vendor contact attempts were unsuccessful, th...

CVSS 7.1 | AI score 5.9 | EPSS 0.00249 | Exploits 0 | References 2

EUVD-2026-40954 (EUVD, added 4 days ago)

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and...

CVSS 7.1 | AI score 5.8 | EPSS 0.0032 | Exploits 0 | References 2

EUVD-2026-40953 (EUVD, added 4 days ago)

MCO is vulnerable to Stored Cross-Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor...

CVSS 7.1 | AI score 5.8 | EPSS 0.00256 | Exploits 0 | References 2

EUVD-2026-40952 (EUVD, added 4 days ago)

MCO is vulnerable to Path Disclosure and Path Traversal in file handling functionality related to data export and upload. Improper validation of the filename parameter allows writing files to arbitrary locations as well as indirect disclosure of absolute server paths through error messages. Becau...

CVSS 7.1 | AI score 5.9 | EPSS 0.00417 | Exploits 0 | References 2

EUVD-2026-40951 (EUVD, added 4 days ago)

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive...

CVSS 7.1 | AI score 5.8 | EPSS 0.00247 | Exploits 0 | References 2

EUVD-2026-40950 (EUVD, added 4 days ago)

MCO is vulnerable to Account Denial of Service due to improper implementation of password reset functionality. Each password reset request invalidates the previously set password as well as previously issued temporary passwords; furthermore, password resets are not rate-limited in any way. An attacker who...

CVSS 7.1 | AI score 5.8 | EPSS 0.00247 | Exploits 0 | References 2

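
The two MCO password-reset entries above (EUVD-2026-40954, distinguishable responses for valid and invalid usernames, and EUVD-2026-40950, each reset request knocking out the current password with no limit on requests) share a fix. The following is an added example of a reset flow with the properties both advisories call for; it is not MCO's code, and the in-memory store, the fixed clock parameter and the token format are assumptions made for the demonstration.

```python
"""Password-reset flow resistant to enumeration and reset-flood lockout
(added example, not MCO code)."""
import hashlib
import hmac
import secrets
import time

GENERIC_MSG = "If that account exists, a reset link has been sent."
RESET_TTL = 900                 # seconds a reset token stays valid
MAX_REQUESTS_PER_WINDOW = 3     # reset requests allowed per account per window
WINDOW = 3600


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Assumed in-memory backing store for the demonstration."""

    def __init__(self):
        self.users = {}       # username -> {"salt": bytes, "hash": bytes}
        self.tokens = {}      # username -> (sha256(token), expiry epoch)
        self.requests = {}    # username -> [request timestamps]
        self.outbox = []      # (username, token) standing in for sent e-mails

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt)}

    def check_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

    def request_reset(self, username: str, now=None) -> str:
        """Same message for every input; side effects only for real accounts."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            # Spend comparable work so response time does not reveal existence.
            _hash("dummy", b"\x00" * 16)
            return GENERIC_MSG
        recent = [t for t in self.requests.get(username, []) if now - t < WINDOW]
        self.requests[username] = recent
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return GENERIC_MSG              # throttled, still the generic reply
        recent.append(now)
        token = secrets.token_urlsafe(32)
        # A new token supersedes the previous one, but the account's current
        # password is left untouched: an attacker requesting resets cannot
        # lock the legitimate user out.
        self.tokens[username] = (hashlib.sha256(token.encode()).digest(),
                                 now + RESET_TTL)
        self.outbox.append((username, token))
        return GENERIC_MSG

    def complete_reset(self, username: str, token: str, new_password: str,
                       now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.tokens.get(username)
        if entry is None:
            return False
        token_hash, expires = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now > expires or not hmac.compare_digest(token_hash, presented):
            return False
        del self.tokens[username]            # single use
        self.add_user(username, new_password)  # only now is the old password gone
        return True
```

Note that the throttle is per account and silent: the caller still receives GENERIC_MSG, so the rate limit itself cannot be used as an enumeration oracle.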
EUVD-2026-40949 (EUVD, added 4 days ago)

MCO is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the /customer/servlet/mco/webapi/trading-document/fetchPdfStatement endpoint. The application does not properly validate whether an authenticated user is authorized to access a requested document, allowing direct...

CVSS 7.1 | AI score 5.8 | EPSS 0.00247 | Exploits 0 | References 2

EUVD-2026-40948 (EUVD, added 4 days ago)

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrar...

CVSS 7.1 | AI score 5.9 | EPSS 0.00247 | Exploits 0 | References 2

EUVD-2026-40947 (EUVD, added 4 days ago)

@fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone engine when incoming request paths contain malformed percent-encoded sequences. Inputs such as an incomplete percent escape or a truncated multibyte sequence cause the underlying decoder t...

CVSS 7.5 | AI score 5.8 | EPSS 0.00291 | Exploits 0 | References 2

EUVD-2026-40946 (EUVD, added 4 days ago)

@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...

CVSS 9.1 | AI score 5.8 | EPSS 0.00299 | Exploits 0 | References 2

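
The two @fastify/middie entries above (EUVD-2026-40947 and EUVD-2026-40946) are both normalization problems: a decoder that is allowed to throw on malformed escapes, and two layers that disagree on whether %2F is a separator. The following is an added, stand-alone model of a strict path normalizer with neither problem; it is not fastify's or middie's code, and the mount point, the status codes and the dispatch function are assumptions for the demonstration. The generalization it shows is the usual one: decode exactly once, decode strictly, and keep the decoded form from creating segment boundaries the raw form did not have.

```python
"""Strict request-path normalization (added example, not fastify/middie code)."""
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


class BadPath(ValueError):
    """Malformed percent-encoding; answer 400 rather than let the decoder raise."""


def decode_path(raw: str) -> str:
    """Decode percent-escapes strictly. Malformed input raises BadPath."""
    if "%" not in raw:
        return raw
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != "%":
            out += c.encode()
            i += 1
            continue
        m = _PCT.match(raw, i)
        if not m:                     # "%2" at end of input, or "%zz"
            raise BadPath(f"bad escape at offset {i}")
        byte = int(m.group(1), 16)
        if byte == 0x2F:
            # Keep %2F literal (normalized to upper case): decoding it would
            # create a segment boundary the raw-path router never saw.
            out += b"%2F"
        else:
            out.append(byte)
        i += 3
    try:
        return out.decode("utf-8")    # a truncated sequence such as %E2%82 fails here
    except UnicodeDecodeError as exc:
        raise BadPath("truncated or invalid UTF-8 sequence") from exc


def segments(path: str) -> list:
    """Split into segments; a literal %2F inside a segment is data, not a separator."""
    return [s for s in path.split("/") if s]


def middleware_applies(mount: str, raw_path: str) -> bool:
    """Prefix match on canonical segments, the same view the router uses."""
    want = segments(decode_path(mount))
    got = segments(decode_path(raw_path))
    return got[:len(want)] == want


def handle(raw_path: str, mount: str = "/admin") -> tuple:
    """Assumed minimal dispatch: returns (status, canonical path or reason).

    401 stands for "the guarding middleware on `mount` ran and demanded auth".
    """
    try:
        canon = decode_path(raw_path)
    except BadPath as exc:
        return 400, str(exc)
    if middleware_applies(mount, raw_path):
        return 401, canon
    return 200, canon


if __name__ == "__main__":
    for p in ["/admin/users", "/%61dmin/users", "/admin%2Fusers",
              "/admin/%2", "/x%E2%82", "/x%zz"]:
        print(f"{p:18} -> {handle(p)}")
```

"/%61dmin/users" is the case that shows why decoding is still necessary: the guard must see it as "/admin/users". "/admin%2Fusers" is the case from the second advisory: because %2F stays literal it is one segment, "admin%2Fusers", and both the guard and the router treat it as something other than a child of "/admin".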
EUVD-2026-40945 (EUVD, added 4 days ago)

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

CVSS 4.1 | AI score 5.8 | EPSS 0.00169 | Exploits 0 | References 2

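
The Open VSX entry above and the MCO logo entry (EUVD-2026-40953) share a cause: something a user uploaded is later served, or rendered, in a way that lets a browser execute it inside the application's origin. The following is an added example of the two controls involved; it is not Open VSX or MCO code. The header policy forces a download and applies a sandboxing CSP for any type a browser would render as a document (the headers the Open VSX advisory names as missing), and the SVG scan rejects files carrying script or event-handler content when an SVG must be displayed inline, as a logo is. The set of active types and the list of SVG elements checked are this example's assumptions.

```python
"""Serving untrusted uploads safely and screening inline SVG
(added example, not Open VSX or MCO code)."""
import xml.etree.ElementTree as ET

# Assumed list: types a browser will render as an active document.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

# SVG elements that can run script, embed foreign markup, or rewrite
# attributes (set/animate can retarget href) at render time.
ACTIVE_SVG_TAGS = {"script", "foreignobject", "iframe", "embed", "object",
                   "set", "animate"}


def headers_for_user_file(content_type: str, filename: str) -> dict:
    """Response headers for a user-supplied file served from the app origin."""
    hdrs = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        # Even if a document type slips through, no script and no
        # same-origin access: an empty sandbox.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    mime = content_type.split(";")[0].strip().lower()
    if mime in ACTIVE_TYPES:
        safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
        hdrs["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        hdrs["Content-Disposition"] = "inline"
    return hdrs


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG carries script, event handlers, foreign content or
    javascript: links. Unparseable input counts as active (fail closed).

    On untrusted XML in production use defusedxml rather than the stdlib
    parser to also rule out entity-expansion attacks.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()        # drop the namespace
        if tag in ACTIVE_SVG_TAGS:
            return True
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()       # catches xlink:href too
            if name.startswith("on"):
                return True
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


if __name__ == "__main__":
    print(headers_for_user_file("text/html", "README.html"))
    print(headers_for_user_file("image/png", "logo.png"))
    # Constructed sample uploads.
    print(svg_has_active_content(
        b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'))
    print(svg_has_active_content(
        b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'))
```

The two controls are complementary: the header policy is what protects a download endpoint like /vscode/unpkg/, where the file's own content cannot be constrained; the SVG screen is for the case where the file must be rendered inline by the application itself, where Content-Disposition is no help.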
EUVD-2026-40943 (EUVD, added 4 days ago)

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3. This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update function of OsOrdersController, whi...

CVSS 8.8 | AI score 5.9 | EPSS 0.00309 | Exploits 0 | References 7

EUVD-2026-40944 (EUVD, added 4 days ago)

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'name' Array Parameter in all versions up to, and including, 9.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVSS 7.2 | AI score 5.9 | EPSS 0.00304 | Exploits 0 | References 14

EUVD-2026-40942 (EUVD, added 4 days ago)

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 5.9 | EPSS 0.00241 | Exploits 0 | References 11

EUVD-2026-40941 (EUVD, added 4 days ago)

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser ...

CVSS 6.5 | AI score 5.7 | EPSS 0.00248 | Exploits 0 | References 4

EUVD-2026-40940 (EUVD, added 4 days ago)

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33...

CVSS 5.3 | AI score 5.8 | EPSS 0.00242 | Exploits 0 | References 1

EUVD-2026-40939 (EUVD, added 4 days ago)

The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'layoutstyle' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVSS 6.1 | AI score 5.9 | EPSS 0.00293 | Exploits 0 | References 5

EUVD-2026-40938 (EUVD, added 4 days ago)

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVSS 6.5 | AI score 5.8 | EPSS 0.00361 | Exploits 0 | References 6

EUVD-2026-40926 (EUVD, added 4 days ago)

Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out-of-support Control-M/Server and Control-M/Enterprise Manager versions 9.0.20.x and potentially earlier. This issue may allow an authenticated attacker ...

CVSS 8.9 | AI score 5.8 | EPSS 0.00246 | Exploits 0 | References 1

EUVD-2026-40925 (EUVD, added 4 days ago)

A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized commands on the affected server, potentially leading to compromise of the server. This...

CVSS 9.5 | AI score 5.9 | EPSS 0.00235 | Exploits 0 | References 1

EUVD-2026-40924 (EUVD, added 4 days ago)

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the processrequest function. This makes it possible for unauthenticated...

CVSS 8.8 | AI score 5.8 | EPSS 0.00205 | Exploits 0 | References 6

EUVD-2026-40923 (EUVD, added 4 days ago)

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 5.9 | EPSS 0.00206 | Exploits 0 | References 8

EUVD-2026-40936 (EUVD, added 4 days ago)

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

CVSS 4.3 | AI score 5.9 | EPSS 0.00196 | Exploits 0 | References 5

EUVD-2026-40937 (EUVD, added 4 days ago)

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permission_callback performin...

CVSS 4.3 | AI score 5.9 | EPSS 0.00257 | Exploits 0 | References 8

EUVD-2026-40922 (EUVD, added 4 days ago)

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

CVSS 9.8 | AI score 5.9 | EPSS 0.0038 | Exploits 1 | References 8

EUVD-2026-40935 (EUVD, added 4 days ago)

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVSS 4.3 | AI score 5.9 | EPSS 0.00232 | Exploits 0 | References 8

EUVD-2026-40934 (EUVD, added 4 days ago)

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classwrapperform' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...

CVSS 6.4 | AI score 5.9 | EPSS 0.00193 | Exploits 0 | References 4

EUVD-2026-40933 (EUVD, added 4 days ago)

The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an attacker. This vulnerability affects Control-M/Enterprise Manager unsupported versions 9.0.20.x and potentiall...

CVSS 5.6 | AI score 5.8 | EPSS 0.00078 | Exploits 0 | References 1

EUVD-2026-40932 (EUVD, added 4 days ago)

DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability...

CVSS 8.7 | AI score 5.8 | EPSS 0.00263 | Exploits 0 | References 1

EUVD-2026-40931 (EUVD, added 4 days ago)

DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability...

CVSS 7.5 | AI score 5.8 | EPSS 0.00263 | Exploits 0 | References 1

EUVD-2026-40930 (EUVD, added 4 days ago)

DVP80ES3 with Improper Resource Shutdown or Release vulnerability...

CVSS 7.5 | AI score 5.8 | EPSS 0.00263 | Exploits 0 | References 1

EUVD-2026-40929 (EUVD, added 4 days ago)

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in SkyBridge MB-A100/MB-A110. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege...

CVSS 8.6 | AI score 5.9 | EPSS 0.01129 | Exploits 0 | References 2

EUVD-2026-40928 (EUVD, added 4 days ago)

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via updatecapabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the updatecapabilities REST handler accepting arbitrary capability strings from the request body and passing them directly to...

CVSS 8.8 | AI score 5.7 | EPSS 0.00246 | Exploits 0 | References 2

EUVD-2026-40927 (EUVD, added 4 days ago)

CGI::Session::ID::md5 versions before 4.49 for Perl generate predictable session ids from low-entropy sources. The generate_id method builds the session id from an MD5 digest of the process id, the epoch time, and the built-in rand function. All three are predictable, low-entropy sources: the PID i...

CVSS 5.9 | AI score 5.8 | EPSS 0.00322 | Exploits 0 | References 2

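
To make the entry above concrete, here is an added, stand-alone model of why hashing three predictable inputs does not produce a 128-bit secret; it is not the CGI::Session code. The exact byte layout the module hashes and the way Perl's rand() is seeded are assumptions of this model: the id is taken to be md5(pid . time . rand_output), with rand() modelled as a generator seeded from the same pid and time, so that the third input is fully determined by the first two and the attacker's search is over PID range times time window only.

```python
"""Brute-forcing a session id built from low-entropy inputs
(added example; a model, not CGI::Session::ID::md5's code)."""
import hashlib
import math
import random
import secrets


def model_rand(pid: int, epoch: int) -> float:
    """Assumed stand-in for a rand() whose seed derives from pid and time."""
    return random.Random(pid * 1_000_003 + epoch).random()


def generate_id(pid: int, epoch: int) -> str:
    """Session id as md5 over the three inputs (assumed concatenation)."""
    material = f"{pid}{epoch}{model_rand(pid, epoch)}"
    return hashlib.md5(material.encode()).hexdigest()


def recover(session_id: str, pid_range: range, epoch_window: range):
    """Return the (pid, epoch) producing session_id, or None.

    Cost is len(pid_range) * len(epoch_window) md5 calls: for a 16-bit PID
    space and a window of a few minutes that is millions, not 2**128.
    """
    for epoch in epoch_window:
        for pid in pid_range:
            if generate_id(pid, epoch) == session_id:
                return pid, epoch
    return None


def search_space_bits(pid_range: range, epoch_window: range) -> float:
    """log2 of the candidate count, to compare against the 128-bit digest."""
    return math.log2(len(pid_range) * len(epoch_window))


def generate_secure_id() -> str:
    """What the id should be instead: 128 bits straight from the OS CSPRNG."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed victim session: PID 4242 at a known-ish time.
    victim = generate_id(4242, 1_700_000_000)
    pids = range(1, 32768)
    window = range(1_700_000_000 - 300, 1_700_000_000 + 300)
    print(f"candidates: 2**{search_space_bits(pids, window):.1f}")
    print("recovered:", recover(victim, range(4000, 4500), window))
    print("secure id:", generate_secure_id())
```

The hash function is irrelevant to the weakness: replacing MD5 with SHA-256 in this construction changes nothing, because the attacker enumerates the inputs, not the digest. Only an unpredictable input, as in generate_secure_id, fixes it.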
EUVD-2026-40920 (EUVD, added 4 days ago)

The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a user's password to bypass the two-factor authentication requirement by submitting a malformed request...

CVSS 7.2 | AI score 5.8 | EPSS 0.00365 | Exploits 0 | References 1

EUVD-2026-40918 (EUVD, added 4 days ago)

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the use...

CVSS 8.1 | AI score 5.8 | EPSS 0.00236 | Exploits 0 | References 1

EUVD-2026-40919 (EUVD, added 4 days ago)

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users...

CVSS 3.1 | AI score 5.8 | EPSS 0.00139 | Exploits 0 | References 1

EUVD-2026-40921 (EUVD, added 4 days ago)

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System setting and bypass the manual approval of new...

CVSS 4.3 | AI score 5.8 | EPSS 0.00178 | Exploits 0 | References 1

EUVD-2026-40916 (EUVD, added 4 days ago)

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and...

CVSS 7.5 | AI score 5.8 | EPSS 0.00284 | Exploits 0 | References 1

EUVD-2026-40917 (EUVD, added 4 days ago)

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a Stored Cross-Site Scripting that can be triggered by unauthenticated users when a non-default display option is enabled...

CVSS 4.2 | AI score 5.7 | EPSS 0.00137 | Exploits 0 | References 1

EUVD-2026-40914 (EUVD, added 4 days ago)

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify,...

CVSS 8.1 | AI score 5.8 | EPSS 0.00267 | Exploits 0 | References 1

EUVD-2026-40915 (EUVD, added 4 days ago)

The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level access and above to modify the plugin's settings...

CVSS 4.3 | AI score 5.8 | EPSS 0.00162 | Exploits 0 | References 1

EUVD-2025-210394 (EUVD, added 4 days ago)

A security vulnerability has been detected in Open Asset Import Library (Assimp) up to 5.4.3. Affected by this vulnerability is the function Assimp::SceneCombiner::Copy of the file code/Common/SceneCombiner.cpp of the component Model File Handler. Such manipulation of the argument width/height lead...

CVSS 5.3 | AI score 5.7 | EPSS 0.00123 | Exploits 0 | References 5

EUVD-2026-40913 (EUVD, added 4 days ago)

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for...

CVSS 7.5 | AI score 5.8 | EPSS 0.0026 | Exploits 0 | References 2

EUVD-2026-40912 (EUVD, added 4 days ago)

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'storeservicedate' parameter of the bpaassignstaffmembertoslots function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep on user-supplied POST data befor...

CVSS 7.5 | AI score 5.9 | EPSS 0.00285 | Exploits 0 | References 2

EUVD-2026-40911 (EUVD, added 4 days ago)

DVP80ES300T with Improper Validation of Array Index Vulnerability...

CVSS 7.5 | AI score 5.8 | EPSS 0.00263 | Exploits 0 | References 1

EUVD-2026-40910 (EUVD, added 4 days ago)

AS228T with Authentication Bypass Vulnerability...

CVSS 7.4 | AI score 5.8 | EPSS 0.00273 | Exploits 0 | References 1
