Lucene search
K

21 matches found

NVD
NVD
added 4 days ago6 views

CVE-2025-30008

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS0.00181EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-8472

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to...

4.3CVSS0.00243EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.18 views

PT-2026-48788

Name of the Vulnerable Software and Affected Versions Idira Privileged Session Manager for SSH PSMP versions prior to 15.0.2 Idira Privileged Session Manager for SSH PSMP versions prior to 14.6.3 Idira Privileged Session Manager for SSH PSMP versions prior to 14.2.5 Idira Privileged Session Manag...

8.8CVSS5.7AI score0.0055EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/06/08 6:26 p.m.10 views

CVE-2026-10787

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server 2026.1.20.0 and earlier...

5.5AI score0.00155EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/18 4:34 p.m.5 views

GHSA-F946-9QP6-VGCH shopper/framework: Authorization bypass in multiple Livewire admin components

Impact Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission: - Order detail Filament actions cancel, mark paid, mark complete, capture payment, archive, start processing were callable with readorders only and di...

8.1CVSS5.8AI score0.00258EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/13 2:12 p.m.8 views

CVE-2026-20916

An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

8.1CVSS6AI score0.00366EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/05/06 5:16 p.m.9 views

CVE-2026-20167

A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this...

7.7CVSS0.00272EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/06 4:15 p.m.48 views

CVE-2026-20167 Cisco IoT Field Network Director Remote Device Denial of Service Vulnerability

A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this...

7.7CVSS0.00272EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/01 12:0 a.m.5 views

Dell iDRAC10 < 1.30.10.50 Insufficiently Protected Credentials (DSA-2026-187)

The version of Dell iDRAC10 installed on the remote host is affected by an insufficiently protected credentials vulnerability as referenced in the DSA-2026-187 advisory. - Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race...

7.1CVSS5.8AI score0.0022EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/24 8:52 p.m.4 views

CVE-2026-41478 Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId)

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync routes allows any authenticated low-privilege user with read access to at least one table to inject arbitrary SQL through...

9.9CVSS5.8AI score0.00264EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.5 views

PT-2026-30971

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier...

5.3CVSS5.9AI score0.00165EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/13 4:45 p.m.25 views

CVE-2025-1790

Local privilege escalation in Genetec Sipelia Plugin. An authenticated low-privileged Windows user could exploit this vulnerability to gain elevated privileges on the affected system...

8.8CVSS0.00099EPSS
Exploits0References1
OSV
OSV
added 2025/12/09 12:0 a.m.5 views

CVE-2025-65594

OpenSIS 9.2 and below is vulnerable to Incorrect Access Control in Student.php, which allows an authenticated low-privilege user to perform unauthorized database write operations relating to the data of other users...

8.1CVSS6.8AI score0.00252EPSS
Exploits1References3
Cvelist
Cvelist
added 2025/12/09 12:0 a.m.24 views

CVE-2025-61075

Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls...

0.00472EPSS
Exploits1References2
NVD
NVD
added 2025/11/06 8:15 p.m.3 views

CVE-2025-34240

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information...

8.6CVSS0.00284EPSS
Exploits0References3
Packet Storm
Packet Storm
added 2025/08/28 12:0 a.m.341 views

📄 Coolify 4.0.0-beta.420.6 Command Injection

Coolify versions prior to and including v4.0.0-beta.420.6 are vulnerable to a critical remote code execution flaw in the project deployment workflow. The platform allows authenticated users, with low-level privileges, to inject arbitrary shell commands via the Git Repository URL field during...

9.4CVSS8.9AI score0.03691EPSS
Exploits3
NVD
NVD
added 2025/08/27 5:15 p.m.5 views

CVE-2025-34161

Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creatio...

9.4CVSS0.03691EPSS
Exploits3References3
NVD
NVD
added 2025/08/27 5:15 p.m.4 views

CVE-2025-20348

A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller NDFC could allow an authenticated, low-privileged, remote attacker to view sensitive information or upload and modify files on an affected device. This vulnerability exists because of...

5CVSS0.00273EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/08/16 5:25 p.m.16 views

CVE-2025-20301

A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to access troubleshoot files for a different domain. This vulnerability is due to missing authorization checks. An attacker could exploit this...

6.5CVSS6.8AI score0.00334EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/08/14 9:6 a.m.3 views

CVE-2025-48860

A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated low privileged attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may have been able to acce...

8CVSS7.2AI score0.00305EPSS
Exploits0References1
Rows per page
Query Builder