Lucene search
K
NucleiMost viewed

4139 matches found

Nuclei
Nuclei
•added yesterday•70 views

SourceBans <2.0 - Cross-Site Scripting

SourceBans before 2.0 contains a cross-site scripting vulnerability which allows remote attackers to inject arbitrary web script or HTML via the advSearch parameter to index.php. id: CVE-2015-8349 info: name: SourceBans 2.0 - Cross-Site Scripting author: pikpikcu severity: medium description:...

6.1CVSS6.5AI score0.03263EPSS
Exploits1References3
Nuclei
Nuclei
•added yesterday•70 views

Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting

Portal do Software Publico Brasileiro i3geo v7.0.5 was discovered to contain a cross-site scripting XSS vulnerability via accesstoken.php. id: CVE-2022-34093 info: name: Software Publico Brasileiro i3geo v7.0.5 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | Portal do...

6.1CVSS6.3AI score0.0225EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•70 views

SugarCRM - Unauthenticated Remote Code Execution via PHP Object Injection

A PHP object injection vulnerability exists in SugarCRM versions prior to 6.5.24, 6.7.13, 7.5.2.5, 7.6.2.2, and 7.7.1.0 due to improper validation of PHP serialized input in the SugarRestSerialize.php script. The vulnerable code fails to sanitize the restdata parameter before passing it to the...

9.3CVSS6.5AI score0.02971EPSS
Exploits0References5
Nuclei
Nuclei
•added yesterday•70 views

Adminer <=4.8.0 - Cross-Site Scripting

Adminer 4.6.1 to 4.8.0 contains a cross-site scripting vulnerability which affects users of MySQL, MariaDB, PgSQL, and SQLite in browsers without CSP when Adminer uses a pdo extension to communicate with the database it is used if the native extensions are not enabled. id: CVE-2021-29625 info:...

7.5CVSS6.7AI score0.09572EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•70 views

PHPJabbers Availability Booking Calendar 5.0 - Cross-Site Scripting

A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument sessionid leads to cross site scripting. The attack can be launched...

6.1CVSS3.9AI score0.01766EPSS
Exploits2References4
Nuclei
Nuclei
•added yesterday•70 views

WordPress Pie Register <3.7.0.1 - Cross-Site Scripting

WordPress Pie Register plugin before 3.7.0.1 is susceptible to cross-site scripting. The plugin does not sanitize the invitaioncode GET parameter when outputting it in the Activation Code page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the...

6.1CVSS6AI score0.01602EPSS
Exploits2References3
Nuclei
Nuclei
•added yesterday•70 views

Linear eMerge E3-Series - Cross-Site Scripting

Linear eMerge E3-Series devices contain a cross-site scripting vulnerability via the type parameter, e.g., to the badging/badgetemplatev0.php component. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site and thus steal cookie-based...

6.1CVSS6.3AI score0.01739EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•70 views

i-Panel Administration System 2.0 - Cross-Site Scripting

i-Panel Administration System 2.0 contains a cross-site scripting vulnerability that enables an attacker to execute arbitrary JavaScript code in the browser-based web console. id: CVE-2021-41878 info: name: i-Panel Administration System 2.0 - Cross-Site Scripting author: madrobot severity: medium...

6.1CVSS6.6AI score0.09912EPSS
Exploits4References5
Nuclei
Nuclei
•added 2 days ago•70 views

Adobe Coldfusion <=8.0.1 - Cross-Site Scripting

Adobe ColdFusion Server 8.0.1 and earlier contain multiple cross-site scripting vulnerabilities which allow remote attackers to inject arbitrary web script or HTML via 1 the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to 2 wizards/common/logintowizard.cfm, 3...

4.3CVSS6AI score0.1614EPSS
Exploits2References5
Nuclei
Nuclei
•added 2 days ago•70 views

F5 BIG-IP Appliance Mode - Command Injection

When running in Appliance mode, an authenticated user assigned the Administrator role may bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. id: CVE-2022-41800 info: name: F5 BIG-IP Appliance Mode - Command Injection author: dwisiswant0 severity: high description...

9.8CVSS7.3AI score0.99956EPSS
Exploits70References5
Nuclei
Nuclei
•added 2 days ago•70 views

LearnPress < 4.2.7.1 - SQL Injection

The LearnPress - WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'conlyfields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of...

10CVSS7.2AI score0.63134EPSS
Exploits6References2
Nuclei
Nuclei
•added 2 days ago•70 views

Oracle Fusion Middleware WebCenter Sites - Cross-Site Scripting

The Oracle WebCenter Sites component of Oracle Fusion Middleware is susceptible to multiple instances of cross-site scripting that could allow unauthenticated attackers with network access via HTTP to compromise Oracle WebCenter Sites. Impacted versions that are affected are 11.1.1.8.0, 12.2.1.2....

8.2CVSS7AI score0.3945EPSS
Exploits4References5
Nuclei
Nuclei
•added 6 days ago•70 views

Eclipse Jetty ConcatServlet - Information Disclosure

Eclipse Jetty through 9.4.40, through 10.0.2, and through 11.0.2 is susceptible to information disclosure. Requests to the ConcatServlet with a doubly encoded path can access protected resources within the WEB-INF directory, thus enabling an attacker to potentially obtain sensitive information,...

5.3CVSS6.8AI score0.7848EPSS
Exploits2References5
Nuclei
Nuclei
•added 2026/06/16 7:13 a.m.•70 views

Adobe ColdFusion - Access Control Bypass

An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install. id: CVE-2023-29298 info: name: Adobe ColdFusion - Access Control Bypass author:...

7.5CVSS8.4AI score0.99754EPSS
Exploits0References5
Nuclei
Nuclei
•added yesterday•69 views

WPS Hide Login <= 1.9.15.2 - Login Page Disclosure

The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may...

5.3CVSS5.9AI score0.01235EPSS
Exploits1References2
Nuclei
Nuclei
•added yesterday•69 views

WordPress WP Security Audit Log 3.1.1 - Information Disclosure

WordPress WP Security Audit Log 3.1.1 plugin is susceptible to information disclosure. Access to wp-content/uploads/wp-security-audit-log/ files is not restricted. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-8719 info: name:...

5.3CVSS6.2AI score0.15782EPSS
Exploits6References5
Nuclei
Nuclei
•added yesterday•69 views

Cacti 1.2.24 - SQL Injection

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graphview.php. Since guest users can access graphview.php without authentication by default, if guest users are being utilized in an enabled state, there...

9.8CVSS7.6AI score0.87575EPSS
Exploits2References5
Nuclei
Nuclei
•added yesterday•69 views

WP Google Maps < 7.10.43 - Cross-Site Scripting

The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATHINFO. id: CVE-2019-9912 info: name: WP Google Maps 7.10.43 - Cross-Site Scripting author: ritikchaddha severity: medium description: | The wp-google-maps plugin before 7.10.43 for WordPress has XSS via t...

6.1CVSS6.4AI score0.03028EPSS
Exploits1References3
Nuclei
Nuclei
•added yesterday•69 views

Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure

Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system. id: CVE-2024-3742 info: name: Electrolink FM/DAB/TV Transmitter controlloLogin.js - Credentials Disclosure author: Farish severity: high description: | Electrolink...

8.7CVSS5.9AI score0.0143EPSS
Exploits2References4
Nuclei
Nuclei
•added yesterday•69 views

XWiki >= 3.4-milestone-1 - Cross-Site Scripting

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as:...

9.6CVSS6.4AI score0.02182EPSS
Exploits0References2
Nuclei
Nuclei
•added yesterday•69 views

Online Security Guards Hiring System - Cross-Site Scripting

A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file search-request.php. id: CVE-2023-0527 info: name: Online Security Guards Hiring System - Cross-Site Scripting author:...

6.1CVSS5.2AI score0.06169EPSS
Exploits4References5
Nuclei
Nuclei
•added yesterday•69 views

JumpServer < 3.10.0 - Open Redirect

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to version 3.10.0, attackers can exploit this vulnerability to construct malicious links, leading users to click on them, thereby facilitating phishing attacks or cross-site scripting attacks...

6.1CVSS5.8AI score0.01057EPSS
Exploits0References2
Nuclei
Nuclei
•added yesterday•69 views

Joomla! Component SmartSite 1.0.0 - Local File Inclusion

A directory traversal vulnerability in the SmartSite comsmartsite component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1657 info: name: Joomla! Component SmartSite 1.0.0 - Local File Inclusion author:...

5CVSS6.1AI score0.19192EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•69 views

Hoteldruid v3.0.5 - SQL Injection

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the idutentelog parameter at /hoteldruid/personalizza.php. id: CVE-2023-43374 info: name: Hoteldruid v3.0.5 - SQL Injection author: ritikchaddha severity: critical description: | Hoteldruid v3.0.5 was discovered to...

9.8CVSS7.2AI score0.03272EPSS
Exploits1References2
Nuclei
Nuclei
•added yesterday•69 views

Hoteldruid v3.0.5 - SQL Injection

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the nutenteagg parameter at /hoteldruid/interconnessioni.php. id: CVE-2023-43373 info: name: Hoteldruid v3.0.5 - SQL Injection author: ritikchaddha severity: critical description: | Hoteldruid v3.0.5 was discovered to...

9.8CVSS7.2AI score0.03753EPSS
Exploits1References2
Nuclei
Nuclei
•added yesterday•69 views

School Dormitory Management System 1.0 - Authenticated Cross-Site Scripting

School Dormitory Management System 1.0 contains an authenticated cross-site scripting vulnerability in admin/inc/navigation.php:126. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-base...

6.1CVSS6.4AI score0.03345EPSS
Exploits2References5
Nuclei
Nuclei
•added yesterday•69 views

WordPress White Label CMS <2.2.9 - Cross-Site Scripting

WordPress White Label CMS plugin before 2.2.9 contains a reflected cross-site scripting vulnerability. It does not sanitize and validate the wlcmslogincustomjs parameter before outputting it back in the response while previewing. id: CVE-2022-0422 info: name: WordPress White Label CMS 2.2.9 -...

6.1CVSS6.3AI score0.0812EPSS
Exploits2References5
Nuclei
Nuclei
•added yesterday•69 views

Rudloff alltube prior to 3.0.1 - Open Redirect

An open redirect vulnerability exists in Rudloff/alltube that could let an attacker construct a URL within the application that causes redirection to an arbitrary external domain via Packagist in versions prior to 3.0.1. id: CVE-2022-0692 info: name: Rudloff alltube prior to 3.0.1 - Open Redirect...

6.1CVSS6.1AI score0.03378EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•69 views

WordPress WHMCS Bridge <6.4b - Cross-Site Scripting

WordPress WHMCS Bridge plugin before 6.4b contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the error parameter before outputting it back in the admin dashboard. id: CVE-2021-25112 info: name: WordPress WHMCS Bridge 6.4b - Cross-Site Scripting author:...

6.1CVSS6.3AI score0.02187EPSS
Exploits2References4
Nuclei
Nuclei
•added yesterday•69 views

TITool PrintMonitor - Blind SQL Injection

The username parameter of the TITool PrintMonitor solution during the login request is vulnerable to and/or time-based blind SQLi. id: CVE-2018-7282 info: name: TITool PrintMonitor - Blind SQL Injection author: theamanrawat severity: critical description: | The username parameter of the TITool...

9.8CVSS7.2AI score0.10095EPSS
Exploits1References4
Nuclei
Nuclei
•added yesterday•69 views

Puppet Server/PuppetDB - Sensitive Information Disclosure

Puppet Server and PuppetDB provide useful performance and debugging information via their metrics API endpoints, which may contain sensitive information when left exposed. id: CVE-2020-7943 info: name: Puppet Server/PuppetDB - Sensitive Information Disclosure author: c-sh0 severity: high...

7.5CVSS7AI score0.07884EPSS
Exploits0References5
Nuclei
Nuclei
•added yesterday•69 views

WordPress BadgeOS <=3.7.0 - SQL Injection

WordPress BadgeOS plugin through 3.7.0 contains a SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operatio...

9.8CVSS7.3AI score0.11725EPSS
Exploits2References5
Nuclei
Nuclei
•added yesterday•69 views

Gradio - Absolute Path Traversal

Gradio 6.7 on Windows with Python 3.13+ contains an absolute path traversal caused by incorrect path validation in path joining logic, letting unauthenticated attackers read arbitrary files from the server. id: CVE-2026-28414 info: name: Gradio - Absolute Path Traversal author: 0xAkoko severity:...

7.5CVSS7.3AI score0.03095EPSS
Exploits1References2
Nuclei
Nuclei
•added yesterday•69 views

Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via Post content. id: CVE-2022-42096 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...

4.8CVSS5.8AI score0.0196EPSS
Exploits1References5
Nuclei
Nuclei
•added yesterday•69 views

WAVLINK WN535 G3 - Information Disclosure

WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to information disclosure in livecheck.shtml. An attacker can obtain sensitive router information via execution of the exec cmd function and thereby possibly obtain additional sensitive information, modify data, and/or execute unauthorized...

7.5CVSS6.9AI score0.08364EPSS
Exploits2References3
Nuclei
Nuclei
•added yesterday•69 views

Nuovo Spreadsheet Reader 0.5.11 - Local File Inclusion

A Local File inclusion vulnerability in test.php in spreadsheet-reader 0.5.11 allows remote attackers to include arbitrary files via the File parameter. id: CVE-2023-29887 info: name: Nuovo Spreadsheet Reader 0.5.11 - Local File Inclusion author: ctflearner severity: high description: | A Local...

7.5CVSS7.2AI score0.04736EPSS
Exploits1References3
Nuclei
Nuclei
•added yesterday•69 views

MyCryptoCheckout < 2.124 - Cross-Site Scripting

The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. id: CVE-2023-1546 info: name: MyCryptoCheckout 2.124 - Cross-Site Scripting author: Harsh severity: medium description: | The...

6.1CVSS6.8AI score0.0085EPSS
Exploits1References2
Nuclei
Nuclei
•added yesterday•69 views

Clansphere CMS 2011.4 - Cross-Site Scripting

Clansphere CMS 2011.4 contains an unauthenticated reflected cross-site scripting vulnerability via the "module" parameter. id: CVE-2021-27309 info: name: Clansphere CMS 2011.4 - Cross-Site Scripting author: edoardottt severity: medium description: | Clansphere CMS 2011.4 contains an unauthenticat...

6.1CVSS6.3AI score0.01977EPSS
Exploits1References4
Nuclei
Nuclei
•added yesterday•69 views

kkFileView 4.0.0 - Cross-Site Scripting

kkFileView 4.0.0 contains multiple cross-site scripting vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java. id: CVE-2022-29349 info: name: kkFileView 4.0.0 - Cross-Site Scripting author: arafatansari severity: medium description: | kkFileView 4.0.0...

6.1CVSS6.3AI score0.01681EPSS
Exploits1References4
Nuclei
Nuclei
•added 2 days ago•69 views

ArgoCD Project API Token Repository Credentials Exposure

Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials usernames, passwords through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability...

9.9CVSS7.3AI score0.04518EPSS
Exploits1References3
Nuclei
Nuclei
•added 2 days ago•69 views

Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 - Broken Access Control

Oracle Fusion Middleware WebCenter Sites 12.2.1.3.0 suffers from broken access control. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. id: CVE-2019-2578 info: name: Oracle Fusion...

8.6CVSS7.2AI score0.71184EPSS
Exploits0References5
Nuclei
Nuclei
•added 2 days ago•69 views

Apache ActiveMQ <=5.15.5 - Cross-Site Scripting

Apache ActiveMQ versions 5.0.0 to 5.15.5 are vulnerable to cross-site scripting via the web based administration console on the queue.jsp page. The root cause of this issue is improper data filtering of the QueueFilter parameter. id: CVE-2018-8006 info: name: Apache ActiveMQ =5.15.5 - Cross-Site...

6.1CVSS6.6AI score0.55895EPSS
Exploits0References10
Nuclei
Nuclei
•added 2 days ago•69 views

Login as User or Customer < 3.3 - Privilege Escalation

The plugin lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session. id: CVE-2022-4305 info: name: Login as User or Customer 3.3 - Privilege Escalation author: r3Y3r53 severity: critical...

9.8CVSS7.2AI score0.38625EPSS
Exploits2References3
Nuclei
Nuclei
•added 2 days ago•69 views

SolarWinds Web Help Desk - Hardcoded Credential

The SolarWinds Web Help Desk WHD software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. id: CVE-2024-28987 info: name: SolarWinds Web Help Desk - Hardcoded Credential author:...

9.1CVSS7.4AI score0.93299EPSS
Exploits5References3
Nuclei
Nuclei
•added 2 days ago•69 views

WordPress Contact Form 7 <1.3.3.3 - Remote Code Execution

WordPress Contact Form 7 before 1.3.3.3 allows unrestricted file upload and remote code execution by setting supportedtype to php% and uploading a .php% file. id: CVE-2020-12800 info: name: WordPress Contact Form 7 1.3.3.3 - Remote Code Execution author: dwisiswant0 severity: critical description...

9.8CVSS7.8AI score0.78751EPSS
Exploits7References4
Nuclei
Nuclei
•added 2 days ago•69 views

Apache APISIX - Insufficiently Protected Credentials

Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. id: CVE-2020-13945 info: name: Apache...

6.5CVSS6.9AI score0.72976EPSS
Exploits5References5
Nuclei
Nuclei
•added 2 days ago•69 views

ChurchCRM 4.5.3 - Cross-Site Scripting

A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...

5.4CVSS6.3AI score0.0142EPSS
Exploits1References5
Nuclei
Nuclei
•added 6 days ago•69 views

Wavlink Multiple AP - Remote Command Injection

Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink...

10CVSS7.4AI score0.68794EPSS
Exploits1References5
Nuclei
Nuclei
•added 6 days ago•69 views

D-Link Routers - Local File Inclusion

D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /...

7.5CVSS7.2AI score0.39268EPSS
Exploits8References5
Nuclei
Nuclei
•added 6 days ago•69 views

Zimbra Collaboration Suite < 8.8.15 Patch 7 - Server-Side Request Forgery

Zimbra Collaboration Suite ZCS before 8.8.15 Patch 7 is susceptible to server-side request forgery when WebEx zimlet is installed and zimlet JSP is enabled. id: CVE-2020-7796 info: name: Zimbra Collaboration Suite 8.8.15 Patch 7 - Server-Side Request Forgery author: gy741 severity: critical...

9.8CVSS7.4AI score0.85416EPSS
Exploits0References5
Total number of security vulnerabilities4139