Lucene search
K

370189 matches found

CVE
CVE
added 2026/07/01 11:58 a.m.22 views

CVE-2026-53902

The CVE-2026-53902 issue affects MCO’s web API, specifically the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. The root cause is improper authorization checks, enabling an authenticated user to modify their group membership and perform privilege escalation by adding the...

7.1CVSS5.9AI score0.00208EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/01 11:42 a.m.19 views

CVE-2026-14181

CVE-2026-14181 affects @fastify/middie versions 9.1.0 through 9.3.2, where the URL normalization step in the standalone engine fails to sanitize malformed percent‑encoded sequences. Inputs such as incomplete escapes or truncated multibyte sequences cause the underlying decoder to throw synchronou...

7.5CVSS5.8AI score0.00291EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/01 11:29 a.m.26 views

CVE-2026-14198

The CVE-2026-14198 entry concerns @fastify/middie versions 9.1.0–9.3.2, where encoded slashes (%2F) in path parameter values are decoded by middie but not by Fastify’s router during route lookup. This mismatch lets a crafted URL bypass middleware-based security (authentication/authorization/rate ...

9.1CVSS5.8AI score0.00299EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/01 11:28 a.m.26 views

CVE-2026-13323

Vulnerability CVE-2026-13323 affects Open VSX Registry before 1.0.2. The /vscode/unpkg/ endpoint serves user-supplied HTML without CSP or Content-Disposition headers, enabling a publisher to upload a crafted VSIX and lure authenticated users to visit the URL. This inline rendering in the open-vsx...

8.7CVSS5.8AI score0.0019EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/07/01 9:32 a.m.20 views

CVE-2026-13228

The vulnerability CVE-2026-13228 affects the LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress). An Insecure Direct Object Reference (IDOR) in OsOrdersController.create_or_update enables an authenticated Agent (low privileges) to specify an arbitrary order[customer_id] an...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References7
CVE
CVE
added 2026/07/01 9:32 a.m.21 views

CVE-2026-12142

CVE-2026-12142 affects the NEX-Forms – Ultimate Forms Plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) via the internal parameter named '_name[]' , present in all versions up to and including 9.2.2 . Root cause: insufficient input sanitization and output escaping, co...

7.2CVSS5.9AI score0.00304EPSS
Exploits0References14
CVE
CVE
added 2026/07/01 9:32 a.m.12 views

CVE-2026-10095

CVE-2026-10095 affects the WP Photo Album Plus plugin for WordPress. The flaw is a Stored Cross-Site Scripting (XSS) via the subtext parameter in all versions up to and including 9.1.13.005, caused by insufficient input sanitization and output escaping. An authenticated attacker with contributor-...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References11
CVE
CVE
added 2026/07/01 9:24 a.m.19 views

CVE-2026-14258

CVE-2026-14258 affects dhcpcd’s IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement with a zero-length ND option bypasses validation during packet storage and is reparsed with inadequate validation, causing the parser to enter a non-advancing loo...

6.5CVSS5.7AI score0.00248EPSS
Exploits0References4
CVE
CVE
added 2026/07/01 8:50 a.m.20 views

CVE-2026-27435

WordPress Woffice theme versions before 5.4.33 are affected by a Missing Authorization vulnerability due to incorrectly configured access control. CVSSv3.1: 5.3 (Network, Low privileges, No user interaction). Impact: Integrity impact (LOW); others None. Affected: Woffice theme (WordPress)

5.3CVSS5.8AI score0.00242EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 8:30 a.m.15 views

CVE-2026-12754

The CVE concerns the VikBooking Hotel Booking Engine & PMS plugin for WordPress, vulnerable to Reflected Cross-Site Scripting via the layoutstyle parameter in all versions up to and including 1.8.12. The root cause is insufficient input sanitization and output escaping, allowing unauthenticated a...

6.1CVSS5.9AI score0.00293EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 8:30 a.m.15 views

CVE-2026-13454

CVE-2026-13454 affects MotoPress Appointment Booking for WordPress (

6.5CVSS5.8AI score0.00361EPSS
Exploits0References6
CVE
CVE
added 2026/07/01 7:56 a.m.17 views

CVE-2026-10538

This CVE affects Control-M components (Control-M/Server and Control-M/Enterprise Manager) with a deserialization vulnerability in the messaging consumer. The issue arises from deserializing user-controlled data without strict control of allowed object types in versions 9.0.20.x and potentially ea...

8.9CVSS5.8AI score0.00246EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 7:55 a.m.25 views

CVE-2026-10539

The vulnerability CVE-2026-10539 affects Control-M/Server versions 9.0.20.x through 9.0.21.200 (and potentially earlier unsupported versions). It is caused by insufficient filtering/sanitization of user-supplied input in a Control-M/Server communication command, which could allow an unauthenticat...

9.5CVSS5.9AI score0.00235EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 7:53 a.m.29 views

CVE-2026-12158

The CVE pertains to the WordPress plugin RegistrationMagic – User Registration Forms Plugin, vulnerable to Cross-Site Request Forgery up to version 6.0.9.1 due to missing/incorrect nonce validation in process_request. This allows unauthenticated attackers to escalate a form submitter’s privileges...

8.8CVSS5.8AI score0.00205EPSS
Exploits0References6
CVE
CVE
added 2026/07/01 7:53 a.m.18 views

CVE-2026-13733

The CVE-2026-13733 entry affects the WordPress Download Manager plugin (versions up to 3.3.60). A Stored Cross-Site Scripting flaw exists in the no_data_msg shortcode attribute due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level a...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 7:53 a.m.14 views

CVE-2026-10096

The Qi Blocks WordPress plugin is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.4.9 via the page_id parameter. Authenticated users with author-level access can modify stored Qi Blocks styles on arbitrary posts, templates, or widgets, including site-wide surf...

4.3CVSS5.9AI score0.00196EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 7:53 a.m.15 views

CVE-2026-12408

The CVE-2026-12408 entry concerns the WordPress plugin Slim SEO (versions up to and including 4.9.8). The vulnerability arises from the REST endpoint /wp-json/slim-seo/meta-tags/ai: the permission_callback only checks a top-level edit_posts capability and does not verify that the requester can re...

4.3CVSS5.9AI score0.00257EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 7:53 a.m.20 views

CVE-2026-11387

The CVE concerns the WordPress plugin SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery (versions up to 3.9.5). The vulnerability allows unauthenticated privilege escalation via account takeover by exploiting flawed identity validation before updating user detai...

9.8CVSS5.9AI score0.0038EPSS
Exploits1References8
CVE
CVE
added 2026/07/01 7:53 a.m.15 views

CVE-2026-12435

The Motors – Car Dealership & Classified Listings Plugin for WordPress is affected up to version 1.4.111 by an authorization bypass. An authenticated user with subscriber-level access can mark or unmark another user’s car listing as Sold by replaying a valid nonce from their own listing against a...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 7:53 a.m.17 views

CVE-2026-12732

CVE-2026-12732 concerns the LearnPress WordPress plugin (versions <= 4.4.0). The vulnerability is a Stored Cross-Site Scripting (XSS) via the short code attribute class_wrapper_form . Root cause: insufficient input sanitization and output escaping in FilterCourseTemplate::sections(), where att...

6.4CVSS5.9AI score0.00193EPSS
Exploits0References4
Rows per page
Query Builder