Lucene search
K
NvdMost viewed

364282 matches found

NVD
NVD
added 2026/05/05 4:16 a.m.48 views

CVE-2026-4803

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS0.00359EPSS
Exploits0References6
NVD
NVD
added 2026/05/04 9:16 p.m.48 views

CVE-2026-42238

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can...

9.8CVSS0.00764EPSS
Exploits1References2
NVD
NVD
added 2026/05/04 7:16 a.m.48 views

CVE-2026-43859

mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP authcram MD5 digest...

3.7CVSS0.00162EPSS
Exploits0References1
NVD
NVD
added 2026/05/02 6:16 a.m.48 views

CVE-2026-5112

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validat...

7.2CVSS0.00232EPSS
Exploits0References2
NVD
NVD
added 2026/04/16 11:16 p.m.48 views

CVE-2026-40253

openCryptoki is a PKCS11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library asn1.c accept a raw pointer but no buffer length parameter, and trust attacker-controlled BER length fields without validating them...

6.8CVSS0.0016EPSS
Exploits1References2
NVD
NVD
added 2026/03/10 6:19 p.m.48 views

CVE-2026-3483

An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges...

7.8CVSS0.00397EPSS
Exploits0References1
NVD
NVD
added 2026/02/06 5:16 p.m.48 views

CVE-2026-25556

MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fzfillpixmapfromdisplaylist when an exception occurs during display list rendering. The function accepts a caller-owned fzpixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the...

7.5CVSS0.00477EPSS
Exploits1References4
NVD
NVD
added 2026/01/05 5:15 p.m.48 views

CVE-2026-21635

An Improper Access Control could allow a malicious actor in Wi-Fi range to the EV Station Lite v1.5.2 and earlier to use WiFi AutoLink feature on a device that was only adopted via Ethernet...

6.5CVSS0.00132EPSS
Exploits0References1
NVD
NVD
added 2025/11/03 8:15 a.m.48 views

CVE-2025-12623

A vulnerability was identified in fushengqian fuint up to 41e26be8a2c609413a0feaa69bdad33a71ae8032. Affected by this issue is some unknown functionality of the file fuint-application/src/main/java/com/fuint/module/clientApi/controller/ClientSignController.java of the component Authentication Toke...

3.1CVSS0.00344EPSS
Exploits0References4
NVD
NVD
added 2025/10/06 10:15 p.m.48 views

CVE-2025-43824

The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...

5.4CVSS0.00217EPSS
Exploits0References1
NVD
NVD
added 2025/08/29 11:15 a.m.48 views

CVE-2024-13342

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'addfilestoorder' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double...

9.8CVSS0.00686EPSS
Exploits0References3
NVD
NVD
added 2025/08/04 5:15 p.m.48 views

CVE-2025-44957

Ruckus SmartZone SZ before 6.1.2p3 Refresh Build allows authentication bypass via a valid API key and crafted HTTP headers...

8.8CVSS0.00891EPSS
Exploits0References4
NVD
NVD
added 2025/08/02 12:15 a.m.48 views

CVE-2025-54781

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. When debugging is enabled for Himmelblau in version 1.0.0, the himmelblaudtasks service leaks an Intune service access token to the system journal. This short-lived token can be used to detect the host's Intune...

2.8CVSS0.00138EPSS
Exploits0References3
NVD
NVD
added 2025/07/30 3:15 p.m.48 views

CVE-2025-43018

Certain HP LaserJet Pro printers may be vulnerable to information disclosure when a non-authenticated user queries a device’s local address book...

6.9CVSS0.00274EPSS
Exploits0References1
NVD
NVD
added 2025/07/09 6:15 a.m.48 views

CVE-2025-6742

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of fileexists in the deleteentryfiles function without restriction on the path provided. This makes it possible for...

7.5CVSS0.00465EPSS
Exploits0References3
NVD
NVD
added 2025/07/07 7:15 a.m.48 views

CVE-2025-41672

A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices...

10CVSS0.00346EPSS
Exploits0References2
NVD
NVD
added 2025/05/12 6:15 a.m.48 views

CVE-2025-3597

The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free versi...

5.9CVSS0.0027EPSS
Exploits1References1
NVD
NVD
added 2025/04/20 7:15 a.m.48 views

CVE-2025-3822

A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file changepassword.php. The manipulation of the argument txtconfirmpassword/txtnewpassword/txtoldpassword leads to cro...

5.4CVSS0.0037EPSS
Exploits1References4
NVD
NVD
added 2025/04/15 6:15 p.m.48 views

CVE-2024-42189

HCL BigFix Web Reports might be subject to a Denial of Service DoS attack, due to a potentially weak validation of an API parameter...

6.5CVSS0.00262EPSS
Exploits0References1
NVD
NVD
added 2025/04/12 3:15 a.m.48 views

CVE-2025-2881

The Developer Toolbar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in th...

5.3CVSS0.00348EPSS
Exploits0References3
NVD
NVD
added 2025/04/12 3:15 a.m.48 views

CVE-2025-2841

The Cart66 Cloud plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.7 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the...

5.3CVSS0.00359EPSS
Exploits0References5
NVD
NVD
added 2025/04/11 4:15 p.m.48 views

CVE-2025-31354

Subnet Solutions PowerSYSTEM Center's SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters...

5.3CVSS0.00122EPSS
Exploits0References1
NVD
NVD
added 2025/04/09 4:15 p.m.48 views

CVE-2025-32375

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized...

9.8CVSS0.45773EPSS
Exploits5References1
NVD
NVD
added 2025/03/19 6:15 p.m.48 views

CVE-2025-29925

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/wikiName/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent...

8.7CVSS0.00906EPSS
Exploits1References5
NVD
NVD
added 2025/03/08 10:15 a.m.48 views

CVE-2025-1322

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated...

4.3CVSS0.00417EPSS
Exploits0References2
NVD
NVD
added 2025/02/25 8:15 p.m.48 views

CVE-2025-27142

LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the POST /api/localsend/v2/prepare-upload and th...

8.8CVSS0.00514EPSS
Exploits0References2
NVD
NVD
added 2025/02/12 5:15 p.m.48 views

CVE-2024-11629

In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 2025.1.205, using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF...

7.1CVSS0.00355EPSS
Exploits0References1
NVD
NVD
added 2025/01/16 11:15 p.m.48 views

CVE-2025-23199

librenms is a community-based GPL-licensed network monitoring system. Affected versions are subject to a stored XSS on the parameter: /ajaxform.php - param: descr. Librenms version up to 24.10.1 allow remote attackers to inject malicious scripts. When a user views or interacts with the page...

5.4CVSS0.01221EPSS
Exploits1References1
NVD
NVD
added 2025/01/16 6:15 p.m.48 views

CVE-2024-41746

IBM CICS TX Advanced 10.1, 11.1, and Standard 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

7.2CVSS0.00228EPSS
Exploits0References1
NVD
NVD
added 2025/01/11 4:15 a.m.48 views

CVE-2025-23109

Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134...

6.5CVSS0.00175EPSS
Exploits0References2
NVD
NVD
added 2025/01/06 6:15 p.m.48 views

CVE-2024-55628

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log...

7.5CVSS0.00668EPSS
Exploits0References5
NVD
NVD
added 2025/01/03 5:15 p.m.48 views

CVE-2024-56409

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Currency.php file. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php...

8.3CVSS0.00325EPSS
Exploits1References2
NVD
NVD
added 2024/12/30 10:15 a.m.48 views

CVE-2024-47918

Tiki Wiki CMS – CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS...

6.1CVSS0.003EPSS
Exploits0References1
NVD
NVD
added 2024/12/27 5:15 p.m.48 views

CVE-2024-12988

A vulnerability has been found in Netgear R6900P and R7000P 1.3.3.154 and classified as critical. Affected by this vulnerability is the function sub16C4C of the component HTTP Header Handler. The manipulation of the argument Host leads to buffer overflow. The attack can be launched remotely. The...

7.5CVSS0.00822EPSS
Exploits1References6
NVD
NVD
added 2024/12/26 6:15 a.m.48 views

CVE-2024-11223

The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

4.7CVSS0.00492EPSS
Exploits1References1
NVD
NVD
added 2024/12/18 1:15 p.m.48 views

CVE-2024-48889

An Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability CWE-78 in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12 and below, version 6.4.14 and below and FortiManager Cloud version 7.4.4 and below,...

7.2CVSS0.01652EPSS
Exploits0References1
NVD
NVD
added 2024/12/13 4:15 p.m.48 views

CVE-2024-55887

Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts...

8.6CVSS0.0055EPSS
Exploits0References1
NVD
NVD
added 2024/12/06 7:15 p.m.48 views

CVE-2024-47791

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices...

8.7CVSS0.00387EPSS
Exploits0References1
NVD
NVD
added 2024/12/03 6:15 p.m.48 views

CVE-2024-25020

IBM Cognos Controller 11.0.0 and 11.0.1 is vulnerable to malicious file upload by allowing unrestricted filetype attachments in the Journal entry page. Attackers can make use of this weakness and upload malicious executable files into the system and can be sent to victims for performing further...

9.8CVSS0.00275EPSS
Exploits0References1
NVD
NVD
added 2024/11/26 2:15 p.m.48 views

CVE-2024-53976

Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. This vulnerability affects Firefox for iOS 133...

5.4CVSS0.00294EPSS
Exploits0References2
NVD
NVD
added 2024/11/26 2:15 p.m.48 views

CVE-2024-11699

Memory safety bugs present in Firefox 132, Firefox ESR 128.4, and Thunderbird 128.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox 133, Firefox ESR...

8.8CVSS0.00681EPSS
Exploits0References6
NVD
NVD
added 2024/11/23 8:15 a.m.48 views

CVE-2024-9511

The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it...

9.8CVSS0.01123EPSS
Exploits0References4
NVD
NVD
added 2024/11/20 4:15 p.m.48 views

CVE-2024-11487

A vulnerability has been found in Code4Berry Decoration Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /decoration/admin/btndatesreport.php of the component Between Dates Reports. The manipulation of the argument fromdate/todate leads to sql...

8.8CVSS0.004EPSS
Exploits0References3
NVD
NVD
added 2024/11/15 10:15 p.m.48 views

CVE-2024-38370

GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16...

7.5CVSS0.00351EPSS
Exploits0References1
NVD
NVD
added 2024/11/14 12:15 p.m.48 views

CVE-2022-31669

Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies...

7.7CVSS0.00396EPSS
Exploits0References1
NVD
NVD
added 2024/11/11 7:15 a.m.48 views

CVE-2024-52354

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Cool Plugins Web Stories Widgets For Elementor shortcodes-for-amp-web-stories-and-elementor-widget allows Stored XSS.This issue affects Web Stories Widgets For Elementor: from n/a through = 1.1...

6.5CVSS0.00258EPSS
Exploits0References1
NVD
NVD
added 2024/11/10 11:15 p.m.48 views

CVE-2024-11058

A vulnerability was found in CodeAstro Real Estate Management System up to 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /aboutedit.php of the component About Us Page. The manipulation of the argument id leads to sql injection. The attack can be...

7.2CVSS0.00507EPSS
Exploits1References5
NVD
NVD
added 2024/10/31 7:15 p.m.48 views

CVE-2023-52044

Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution RCE as there is no restriction for uploading files with the .php8 extension...

9.8CVSS0.00768EPSS
Exploits1References1
NVD
NVD
added 2024/10/15 4:15 p.m.48 views

CVE-2024-48913

Hono, a web framework, prior to version 4.6.5 is vulnerable to bypass of cross-site request forgery CSRF middleware by a request without Content-Type header. Although the CSRF middleware verifies the Content-Type Header, Hono always considers a request without a Content-Type header to be safe. Th...

5.9CVSS0.00304EPSS
Exploits1References3
NVD
NVD
added 2024/10/08 6:15 p.m.48 views

CVE-2024-43609

Microsoft Office Spoofing Vulnerability...

6.5CVSS0.02035EPSS
Exploits0References1
Total number of security vulnerabilities5000