Lucene search
K

364584 matches found

NVD
NVD
added 2026/06/15 4:16 p.m.12 views

CVE-2026-5038

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe call does not propagate the stream destroy signal to the...

7.5CVSS0.00278EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 4:16 p.m.12 views

CVE-2026-10634

Zephyr's native TCP stack iterates the global connection list in nettcpforeach subsys/net/ip/tcp.c using the SYSSLISTFOREACHCONTAINERSAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcplock while invoking the per-connection callback and re-acquired...

5.3CVSS0.00274EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 4:16 p.m.13 views

CVE-2025-15659

Contributor Cross Site Scripting XSS in Elizaibots = 1.0.2 versions...

6.5CVSS0.0013EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 4:16 p.m.15 views

CVE-2025-15658

Administrator Cross Site Scripting XSS in WP Emmet = 0.3.4 versions...

5.9CVSS0.0014EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.17 views

CVE-2026-5233

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

7.1CVSS0.00205EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.12 views

CVE-2026-5079

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of...

7.5CVSS0.00278EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2026-5230

Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

7.1CVSS0.00174EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.19 views

CVE-2026-5242

Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250...

8.8CVSS0.00304EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.11 views

CVE-2026-6517

Mattermost Desktop App versions =6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that...

7.7CVSS0.00187EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.15 views

CVE-2026-52704

Improper Control of Generation of Code 'Code Injection' vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8...

10CVSS0.00314EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.15 views

CVE-2026-49064

Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49...

7.5CVSS0.00238EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.18 views

CVE-2026-49062

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7...

8.8CVSS0.0029EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.13 views

CVE-2026-48969

Subscriber Broken Access Control in Really Simple SSL = 9.5.9 versions...

6.5CVSS0.00223EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2026-49111

Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0...

8.8CVSS0.00238EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.17 views

CVE-2019-25746

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicatequoteinvoice and...

7.1CVSS0.00226EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 2:16 p.m.19 views

CVE-2016-20084

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScrip...

7.2CVSS0.00245EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2025-64215

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...

6.5CVSS0.00196EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 2:16 p.m.11 views

CVE-2018-25436

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the uplo...

9.8CVSS0.00661EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2018-25437

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

8.7CVSS0.00287EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.18 views

CVE-2016-20079

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gatewa...

6.9CVSS0.00778EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.12 views

CVE-2016-20082

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtestadmin.php with malicious action values to include files from the admin directory an...

6.9CVSS0.00326EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.11 views

CVE-2016-20083

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...

6.9CVSS0.00138EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.15 views

CVE-2016-20077

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...

6.9CVSS0.00374EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2016-20081

WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the filepath parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal sequences to acces...

8.7CVSS0.00641EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.11 views

CVE-2016-20078

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like...

6.9CVSS0.00688EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.13 views

CVE-2016-20080

WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wpabspath parameter. Attackers can supply path traversal sequences or remote URLs through the...

6.9CVSS0.0039EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 2:16 p.m.16 views

CVE-2016-20075

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the...

8.8CVSS0.00327EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2016-20070

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with...

6.4CVSS0.00231EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.13 views

CVE-2016-20072

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...

8.8CVSS0.0027EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 2:16 p.m.13 views

CVE-2016-20073

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php endpoint to extract...

8.8CVSS0.0027EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2016-20071

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloa...

8.8CVSS0.00302EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.13 views

CVE-2016-20074

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Attackers can trick authenticated administrators into submitting POST requests to the plugin settings page via...

5.3CVSS0.00106EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 2:16 p.m.12 views

CVE-2016-20076

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the deletebackupfile and downloadbackupfile parameters in tools.php. Attackers can exploit insufficient input validation usi...

8.7CVSS0.00601EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 2:16 p.m.9 views

CVE-2016-20069

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to...

8.8CVSS0.0024EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.12 views

CVE-2016-20068

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint wit...

8.8CVSS0.00302EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 2:16 p.m.14 views

CVE-2016-20067

WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in...

5.3CVSS0.00116EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 2:16 p.m.11 views

CVE-2016-20066

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary...

7.2CVSS0.00192EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 12:16 p.m.19 views

CVE-2026-5482

Responsive FileManager's allows an unauthenticated attacker to upload files of any type and extension without restriction using dialog.php endpoint, leading to Remote Code Execution. This project is unmaintained at the time of CVE assignment. The vulnerability was found in the latest release 9.14...

9.3CVSS0.00445EPSS
Exploits0References2
NVD
NVD
added 2026/06/15 12:16 p.m.14 views

CVE-2026-34026

Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation,...

7.1CVSS0.00394EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.9 views

CVE-2026-49757

Authentication Bypass by Spoofing vulnerability in team-alembic AshAuthentication allows account takeover of local users via OAuth2/OIDC sign-in. AshAuthentication's OAuth2 and OIDC family strategies matched the local user by email address an upsert on the email field, or a user-defined sign-in...

9.2CVSS0.00563EPSS
Exploits1References5
NVD
NVD
added 2026/06/15 12:16 p.m.27 views

CVE-2026-34030

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch is created. The branch code is later used in multiple application functions, including filesystem path generation for uploaded files, profile pictures, and...

6.9CVSS0.00327EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.16 views

CVE-2026-34028

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyIdID/Audio/ and...

6.9CVSS0.00397EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.12 views

CVE-2026-34027

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains insufficient server-side file type validation in the /safe/contract/uploadcustomdocuments endpoint. The application validates uploaded files based on the user-controlled HTTP Content-Type value and accepts the upload ...

5.3CVSS0.00305EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.13 views

CVE-2026-34029

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a hard-coded cryptographic key in the SafeSystem.Infrastructure.Security.dll component. An attacker with access to the application files can reverse engineer the DLL and recover the hard-coded cryptographic key. This...

6.8CVSS0.0012EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.14 views

CVE-2026-34024

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allow...

8.6CVSS0.00304EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.10 views

CVE-2026-34023

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket...

7.1CVSS0.00335EPSS
Exploits1References3
NVD
NVD
added 2026/06/15 12:16 p.m.14 views

CVE-2026-34021

The Wertheim SafeController 5400, Controller 5400 - AssemblyVersion 6.11.8130.22320, uses RS-485 communication between the server and the microcontroller without cryptographic protection. An attacker with access to the communication path between the server and the microcontroller can sniff RS-485...

8.6CVSS0.00196EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 12:16 p.m.14 views

CVE-2026-34022

The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment...

7.1CVSS0.00116EPSS
Exploits0References3
NVD
NVD
added 2026/06/15 12:16 p.m.13 views

CVE-2026-34025

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an IP restriction bypass vulnerability in the login process. The application restricts user logins based on the IP address associated with a branch location, but the client IP address is derived from the HTTP...

5.3CVSS0.00283EPSS
Exploits1References2
NVD
NVD
added 2026/06/15 12:16 p.m.13 views

CVE-2026-12057

When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution...

8.6CVSS0.00129EPSS
Exploits0References1
Total number of security vulnerabilities364584