235 matches found

OSV | added 2026/02/20 11:51 p.m. | 4 views

CVE-2026-27169 OpenSift: Persistent XSS Chat Tool Rendering

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below render untrusted user/model content in chat tool UI surfaces using unsafe HTML interpolation patterns, leading to XSS. Stored content can execute JavaScript when...

CVSS 8.9 | AI score 5.8 | EPSS 0.00347 | Exploits: 0 | References: 4
CVE | added 2026/02/18 9:55 p.m. | 12 views

CVE-2019-25356

CVE-2019-25356 affects the Bematech MP-4200 TH printer (formerly Logic Controls, now Elgin). The admin configuration page is vulnerable to cross-site scripting via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript in an authenticated user...

CVSS 6.1 | AI score 5.5 | EPSS 0.00282 | Exploits: 0 | References: 4
Vulnrichment | added 2026/02/18 9:55 p.m. | 5 views

CVE-2019-25356 Bematech Printer MP-4200 TH Cross-Site Scripting

The Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript...

CVSS 6.1 | AI score 5.5 | EPSS 0.00282 | Exploits: 0 | References: 4
Positive Technologies | added 2026/02/18 12:00 a.m. | 6 views

PT-2026-20531

The Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript...

CVSS 6.1 | AI score 5.5 | EPSS 0.00282 | Exploits: 0 | References: 5
Snyk | added 2026/02/06 6:06 p.m. | 4 views

SQL Injection

Overview: devcode-it/openstamanager is management software for technical assistance and electronic invoicing. Affected versions of this package are vulnerable to SQL Injection via the idanagrafica parameter in the init.php file. An attacker can extract sensitive database information, including...

CVSS 8.8 | AI score 6.1 | EPSS 0.00354 | Exploits: 3 | References: 2
EUVD | added 2026/02/05 11:51 a.m. | 4 views

EUVD-2026-5555

Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior to version 15.74.5 allows an authenticated user to bypass additional access controls with the “Allow after confirmation” configuration in a remote session. An exploit could result in unauthorized access prior to...

CVSS 7.2 | AI score 5.4 | EPSS 0.00272 | Exploits: 0 | References: 1
EUVD | added 2026/01/28 11:59 a.m. | 4 views

EUVD-2025-206499

Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user...

CVSS 5.1 | AI score 5.9 | EPSS 0.00173 | Exploits: 0 | References: 1
Cvelist | added 2026/01/19 12:00 p.m. | 21 views

CVE-2026-1181 Altium 365 Over-Permissive CORS Configuration Allows Credentialed Cross-Origin Workspace Access

Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could...

CVSS 9 | EPSS 0.00308 | Exploits: 0 | References: 1
Snyk | added 2026/01/08 7:42 p.m. | 2 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the serviceLfsLocksDelete function in the gitlfs.go file. An attacker can delete locks owned by other users by sending a request with the force flag set to true, bypassing ownership validation. Note: This is...

CVSS 5.4 | AI score 6.7 | EPSS 0.00273 | Exploits: 1 | References: 2
Cvelist | added 2025/12/17 1:38 p.m. | 27 views

CVE-2025-14266 CSRF in Ercom Cryptobox administration console

A CSRF in the Ercom Cryptobox administration console allows an attacker to trigger some actions on behalf of a Cryptobox administrator. The attack requires the administrator to browse a malicious web site or to click a link while having an open session on the administration console...

CVSS 2.3 | EPSS 0.00165 | Exploits: 0 | References: 1
Github Security Blog | added 2025/12/10 6:30 p.m. | 5 views

1Panel contains a cross-site request forgery (CSRF) vulnerability in the Change Username functionality

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel /settings/panel. The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can...

CVSS 7.1 | AI score 6.8 | EPSS 0.00128 | Exploits: 0 | References: 5 | Affected Software: 1
CVE | added 2025/12/10 6:23 p.m. | 13 views

CVE-2025-34430

CVE-2025-34430 concerns a CSRF in 1Panel (versions 1.10.33 through 2.0.15) affecting the panel name management functionality. The affected endpoint reportedly lacks CSRF defenses such as anti-CSRF tokens and Origin/Referer validation. An attacker can lure an authenticated user to a malicious page...

CVSS 5.1 | AI score 6.6 | EPSS 0.00172 | Exploits: 0 | References: 3 | Affected Software: 1
OSV | added 2025/12/10 4:16 p.m. | 4 views

CVE-2025-34410

1Panel versions 1.10.33 - 2.0.15 contain a cross-site request forgery (CSRF) vulnerability in the Change Username functionality available from the settings panel /settings/panel. The endpoint does not implement CSRF protections such as anti-CSRF tokens or Origin/Referer validation. An attacker can...

CVSS 7.1 | AI score 6.7 | EPSS 0.00128 | Exploits: 0 | References: 3
Positive Technologies | added 2025/12/10 12:00 a.m. | 3 views

PT-2025-50369

Name of the Vulnerable Software and Affected Versions: 1Panel versions 1.10.33 through 2.0.15. Description: 1Panel is affected by a cross-site request forgery (CSRF) issue in the panel name management functionality. The affected functionality lacks CSRF protections, such as anti-CSRF tokens or...

CVSS 5.1 | AI score 6.6 | EPSS 0.00172 | Exploits: 0 | References: 6
NVD | added 2025/11/19 4:15 p.m. | 3 views

CVE-2025-65023

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands...

CVSS 7.2 | EPSS 0.00353 | Exploits: 1 | References: 2
Cvelist | added 2025/11/19 4:02 p.m. | 8 views

CVE-2025-65022 i-Educar Authenticated Time-based SQL Injection in `agenda.php`

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/agenda.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands against the...

CVSS 7.2 | EPSS 0.00274 | Exploits: 0 | References: 2
Cvelist | added 2025/11/19 4:02 p.m. | 13 views

CVE-2025-65023 i-Educar Authenticated Time-based SQL Injection in `funcionario_vinculo_cad.php`

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands...

CVSS 7.2 | EPSS 0.00353 | Exploits: 1 | References: 2
OSV | added 2025/11/19 4:02 p.m. | 5 views

CVE-2025-65023 i-Educar Authenticated Time-based SQL Injection in `funcionario_vinculo_cad.php`

i-Educar is free, fully online school management software. In versions 2.10.0 and prior, an authenticated time-based SQL injection vulnerability exists in the ieducar/intranet/funcionario_vinculo_cad.php script. An attacker with access to an authenticated session can execute arbitrary SQL commands...

CVSS 7.2 | AI score 8.3 | EPSS 0.00353 | Exploits: 1 | References: 4
Positive Technologies | added 2025/11/19 12:00 a.m. | 2 views

PT-2025-47473

Name of the Vulnerable Software and Affected Versions: i-Educar versions prior to 2.10.0. Description: i-Educar is school management software with a flaw that allows an authenticated attacker to execute arbitrary SQL commands against the application's database. This is due to improper handling of th...

CVSS 7.2 | AI score 7.6 | EPSS 0.00274 | Exploits: 0 | References: 8
Positive Technologies | added 2025/11/19 12:00 a.m. | 2 views

PT-2025-47474

Name of the Vulnerable Software and Affected Versions: i-Educar versions prior to 2.10.0. Description: i-Educar is school management software. A time-based SQL injection exists in the ieducar/intranet/funcionario_vinculo_cad.php script for authenticated users. An attacker with an authenticated sessi...

CVSS 7.2 | AI score 7.8 | EPSS 0.00353 | Exploits: 1 | References: 8