11 matches found
CVE-2026-0548 Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the deleteexistinguserphoto function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, wi...
CVE-2025-66292 DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. When a user logs into the administrative...
CVE-2023-45902
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete...
CVE-2023-45902
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete...
CVE-2023-45902
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete...
Cross site request forgery (csrf)
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete...
Dreamer CMS Cross-Site Request Forgery Vulnerability
Dreamer CMS is a dreamer content management system by Junnan Wang, an individual developer in China. A security vulnerability exists in Dreamer CMS version v4.1.3. An attacker can exploit this vulnerability to conduct cross-site request forgery (CSRF) attacks via the component...
CVE-2023-45902
Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete...
PT-2023-29756 · Unknown · Dreamer Cms
Name of the Vulnerable Software and Affected Versions: Dreamer CMS version 4.1.3 Description: A Cross-Site Request Forgery (CSRF) issue was discovered in the component "/admin/attachment/delete". This issue allows for unauthorized requests to be made on behalf of a user. Recommendations: For Dreame...
users without "delete attachment permission" can delete attachment
go to space tools permissions and remove the permission of user X to delete attachments go to a page of that space which contains an attachment go to attachments no "delete" link available / expand an attachment to see older versions including current version for each version there is the...
mantis -- multiple vulnerabilities
Mantis reports: Roland Becker and Damien Regad MantisBT developers found that any user able to report issues via the SOAP interface could also modify any bugnotes comments created by other users. In a default/typical MantisBT installation, SOAP API is enabled and any user can sign up to report ne...