4 matches found

Vulnrichment
added 2026/05/12 10:23 p.m. | 4 views

CVE-2026-42289 ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00019
Exploits: 0 | References: 1
EUVD
added 2026/05/12 10:23 p.m. | 7 views

EUVD-2026-29877

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00019
Exploits: 0 | References: 1
ATTACKERKB
added 2022/02/04 4:15 p.m. | 3 views

CVE-2021-46398

A Cross-Site Request Forgery vulnerability exists in Filebrowser 2.18.0 that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim. An admin can run commands using the FileBrowser and hence it leads...

CVSS: 8.8 | AI score: 7.6 | EPSS: 0.1035
Exploits: 6 | References: 7
seebug.org
added 2014/05/12 12:00 a.m. | 208 views

Dahan Jvideo: A Small Collection of Two Vulnerabilities (May Lead to Admin Backend Privilege Hijacking)

Brief description: two issues. Detailed description: one is an arbitrary file download, the other is SQL injection. Looking at the arbitrary file download first: it can be used to download the setup-related installation information, which in turn allows logging in to the admin backend under the setup directory. http://222.66.10.88:8081/jvideo/down.jsp?pathfile=WEB-INF/web.xml Something more interesting: http://222.66.10.88:8081/jvideo/down.jsp?pathfile=WEB-INF/ini/merpserver.ini reveals the Admin password under setup (redacted); login succeeded. Another site...

AI score: 7.1
Exploits: 0