356 matches found
CVE-2026-4259
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2026-41935
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init repeatedly invokes permission on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin...
CVE-2026-5231
The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utmsource' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utmsource value into the...
CVE-2025-71318
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages such as administration.html, administration-commands.html, and configuration.html to disclose sensitive information including...
EUVD-2025-210079
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages such as administration.html, administration-commands.html, and configuration.html to disclose sensitive information including...
CVE-2025-71318 NetMan 204 Missing Authentication for Administrative Functions
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages such as administration.html, administration-commands.html, and configuration.html to disclose sensitive information including...
CVE-2025-71318
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages such as administration.html, administration-commands.html, and configuration.html to disclose sensitive information including...
CVE-2025-71318
CVE-2025-71318 concerns NetMan 204, where authentication is not enforced on administrative pages and command endpoints. A remote, unauthenticated attacker can directly access pages (e.g., administration.html, administration-commands.html, configuration.html) to disclose sensitive details such as ...
WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
Unauthenticated Stored DOM XSS via pagetitle Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...
CVE-2026-9141
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attacker...
CVE-2026-46362
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...
Duplicate Advisory: phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hpgw-ww76-c68r. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in...
GHSA-W9MJ-GFRM-HJ5X Duplicate Advisory: phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hpgw-ww76-c68r. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in...
CVE-2026-46362
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...
CVE-2026-46362 phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...
CVE-2026-46362
CVE-2026-46362 affects phpMyFAQ prior to 4.1.2, where a flaw in AbstractAdministrationController::userHasPermission() allows an authenticated user to bypass authorization and access any permission-protected admin page. The root cause is failure to terminate execution after sending a forbidden res...
CVE-2026-46362 phpMyFAQ - Authorization Bypass in Admin Pages via Non-Terminating Permission Check
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...
phpMyFAQ 安全漏洞
phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contained security vulnerabilities. These vulnerabilities stemmed from the AbstractAdministrationController::userHasPermission function, which did not terminate execution...
CVE-2026-41935
Vvveb
EUVD-2026-30293
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init repeatedly invokes permission on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin...