Lucene search
K

4958 matches found

NVD
NVD
added 3 hours ago5 views

CVE-2026-61501

Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs ar...

6.1CVSS
Exploits0References2
Nuclei
Nuclei
added 17 hours ago55 views

Sidekiq < 7.0.8 - Cross-Site Scripting

An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...

9.6CVSS7AI score0.02742EPSS
Exploits1References3
Nuclei
Nuclei
added 17 hours ago56 views

Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access

Tieline IP Audio Gateway 2.6.4.8 and below is affected by a vulnerability in the web administrative interface that could allow an unauthenticated user to access a sensitive part of the system with a high privileged account. id: CVE-2021-35336 info: name: Tieline IP Audio Gateway =2.6.4.8 -...

9.8CVSS7AI score0.11587EPSS
Exploits1References4
Nuclei
Nuclei
added 17 hours ago35 views

Etherpad Lite <1.6.4 - Admin Authentication Bypass

Etherpad Lite before 1.6.4 is exploitable for admin access. id: CVE-2018-9845 info: name: Etherpad Lite 1.6.4 - Admin Authentication Bypass author: philippedelteil severity: critical description: Etherpad Lite before 1.6.4 is exploitable for admin access. impact: | An attacker can bypass the admi...

9.8CVSS7AI score0.13132EPSS
Exploits0References5
Nuclei
Nuclei
added 17 hours ago18 views

KevinLAB BEMS (Building Energy Management System) - Backdoor Account

KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highes...

9CVSS6.9AI score0.06719EPSS
Exploits2References2
Nuclei
Nuclei
added 2 days ago35 views

Triofox - Improper Access Control

The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely...

9.1CVSS7.1AI score0.90532EPSS
Exploits1References3
NVD
NVD
added 3 days ago6 views

CVE-2026-53448

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The issecurestring filter that protects the STUN protocol path is not...

7.2CVSS0.00677EPSS
Exploits0References4
CVE
CVE
added 3 days ago13 views

CVE-2026-53448

Coturn’s CVE-2026-53448 concerns the HTTPS admin panel, where prior to 4.12.0 HTTP query parameters were interpolated into SQL queries without sanitization. The is_secure_string filter guarding the STUN path is not applied to admin panel operations delete-user, delete-secret, and delete-IP, allow...

7.2CVSS6.2AI score0.00677EPSS
Exploits0References4
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-42969

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The issecurestring filter that protects the STUN protocol path is not...

7.2CVSS6.2AI score0.00677EPSS
Exploits0References4
Snyk
Snyk
added 6 days ago4 views

Improper Restriction of Rendered UI Layers or Frames

Overview ajenti is a Linux & BSD web admin panel. Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames through the lack of anti-framing protections in the HTTP response process. An attacker can trick users into interacting with a maliciously...

5.4CVSS6AI score0.00159EPSS
Exploits0References2
NVD
NVD
added 2026/07/05 6:16 a.m.9 views

CVE-2026-14713

A security flaw has been discovered in SourceCodester Pizzafy E-Commerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=confirmorder. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been...

7.5CVSS0.00263EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/03 12:31 a.m.8 views

EUVD-2026-41466

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks...

5.4CVSS5.6AI score0.00238EPSS
Exploits0References4
NVD
NVD
added 2026/07/03 12:16 a.m.8 views

CVE-2026-54477

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks...

5.4CVSS0.00238EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 11:52 p.m.21 views

CVE-2026-54477

CVE-2026-54477 affects the Gardyn IoT Hub admin panel, where the absence of standard security headers allows clickjacking and cross-site scripting. The available data show an impact with low confidentiality and integrity impact (CVSS scores: 5.1/4.0 base metrics, MEDIUM), but no explicit details ...

5.4CVSS5.6AI score0.00238EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/02 11:52 p.m.52 views

CVE-2026-54477 Gardyn IoT Hub Improper Neutralization of HTTP Headers for Scripting Syntax

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks...

5.4CVSS0.00238EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:52 p.m.7 views

CVE-2026-54477

The admin panel lacks standard security headers, enabling clickjacking and cross-site scripting attacks...

5.4CVSS5.8AI score0.00238EPSS
Exploits0References4
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.195 views

strapi CMS <3.0.0-beta.17.5 - Admin Password Reset

strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. id: CVE-2019-18818 info: name: strapi CMS 3.0.0-beta.17.5 - Admin Password Reset...

9.8CVSS8.2AI score0.97639EPSS
Exploits13References5
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.47 views

Ivanti vTM - Authentication Bypass

Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. id: CVE-2024-7593 info: name: Ivanti vTM - Authentication Bypass author: gy741 severity: critical...

9.8CVSS8.8AI score0.99987EPSS
Exploits4References3
NVD
NVD
added 2026/06/15 10:16 a.m.13 views

CVE-2026-11860

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

7.5CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2026/06/15 9:57 a.m.32 views

CVE-2026-11860

CVE-2026-11860 affects Quick.CMS. The issue is insecure deserialization of user-controlled data over plaintext HTTP, allowing an attacker to tamper serialized payloads and trigger gadget chains that enable arbitrary code execution when an administrator accesses the admin panel. The root cause is ...

7.5CVSS6.3AI score0.00235EPSS
Exploits0References2
Rows per page
Query Builder