31 matches found
EUVD-2026-38679
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the pravelchangepassword AJAX handler — registered via wpajaxnoprivpravelchangepassword and...
F5 BIG-IP 安全漏洞
F5 BIG-IP is an application delivery platform developed by F5 Technologies in the United States. It integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IP has a security vulnerability. This vulnerability arises from attackers with...
CI4MS: Blogs Posts (Categories) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Blogs Posts Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Categories Description The application fails to properly sanitize user-controlled input wh...
Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation
Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. Proof of Concept Requirments -...
CVE-2025-67147
CVE-2025-67147 affects Gym-Management-System-PHP 1.0. Multiple SQL injection flaws exist in submit_contact.php (name, email, comment), secure_login.php (username, pass_key), and change_s_pwd.php (login_id, pwfield, login_key). Attackers can bypass authentication, run arbitrary SQL commands, modif...
CVE-2025-59467
A Cross-Site Scripting XSS vulnerability in the UCRM Argentina AFIP invoices Plugin v1.2.0 and earlier could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. This plugin is disabled by default. Affected Products: UCRM Argentina AFIP invoices Plugin...
EUVD-2025-202701
A Cross-Site Request Forgery CSRF in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page...
CVE-2025-65472
A Cross-Site Request Forgery CSRF in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page...
CVE-2025-65472
A Cross-Site Request Forgery CSRF in the /admin/admin.inc.php component of EasyImages 2.0 v2.8.6 and below allows attackers to escalate privileges to Administrator via user interaction with a malicious web page...
PT-2025-50634
Name of the Vulnerable Software and Affected Versions EasyImages versions 2.8.6 and below Description A Cross-Site Request Forgery CSRF exists in the /admin/admin.inc.php component. This allows attackers to escalate privileges to Administrator by tricking a user into interacting with a malicious...
EUVD-2024-3563
Malicious code in bioql PyPI...
EUVD-2023-28093
Malicious code in bioql PyPI...
EUVD-2025-20446
Malicious code in bioql PyPI...
CVE-2025-23365
A vulnerability has been identified in TIA Administrator All versions V3.0.6. The affected application allows low-privileged users to trigger installations by overwriting cache files and modifying the downloads path. This would allow an attacker to escalate privilege and exceute arbitrary code...
Security update for slurm_22_05
This update for slurm2205 fixes the following issues: CVE-2025-43904: an issue with permission handling for Coordinators within the accounting system allowed Coordinators to promote a user to Administrator bsc1243666. Patch Instructions: To install this SUSE update use the SUSE recommended...
BIT-GHOST-2022-47195
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this...
The vulnerability of the MySQL software component used for managing power supply sources in Voltronic Power View. This allows a hacker to elevate their privileges to the level of an administrator.
The vulnerability of the MySQL component in the software for managing power sources in Voltronic Power ViewPower Pro lies in the use of rigidly encoded credentials. Exploiting this vulnerability could allow an attacker to elevate their privileges to the level of an administrator...
The vulnerability of the kubelet utility in the Kubernetes cluster management software allows a hacker to elevate their privileges to the level of an administrator.
The vulnerability of the kubelet utility in the Kubernetes cluster management software is related to insufficient validation of input data. Exploiting this vulnerability allows a remote attacker to elevate their privileges to the level of an administrator...
Design/Logic Flaw
An administrator is able to execute commands as root via the alerts management dialog...
Contact Form Builder by vcita < 4.10.2 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape the email parameter in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts targeting higher privileged users, such as administrators, into the plugin settings. PoC...