Lucene search
K

240 matches found

Vulnrichment
Vulnrichment
added 2026/04/13 12:0 a.m.5 views

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

5.7AI score0.00138EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.6 views

PT-2026-32520

Name of the Vulnerable Software and Affected Versions Vtiger CRM version 8.4.0 Description A reflected cross-site scripting XSS issue exists in the MailManager module, where XSS is a type of attack that injects malicious scripts into a trusted website. Improper handling of user-controlled input i...

5.4CVSS5.5AI score0.00138EPSS
Exploits0References5
CVE
CVE
added 2026/04/13 12:0 a.m.15 views

CVE-2025-70936

Vtiger CRM 8.4.0 is affected by a reflected XSS in the MailManager module, caused by improper handling of user-controlled input in the _folder parameter. The payload is reflected and executed in an authenticated user session, using a double URL-encoded input. The available connected sources confi...

5.4CVSS5.7AI score0.00138EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/13 12:0 a.m.21 views

CVE-2025-70936

Vtiger CRM 8.4.0 contains a reflected cross-site scripting XSS vulnerability in the MailManager module. Improper handling of user-controlled input in the folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user s...

0.00138EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:40 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the function parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of a backend user's session by...

4.1CVSS5.8AI score
Exploits0References2
NVD
NVD
added 2026/04/07 6:16 p.m.16 views

CVE-2026-39332

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting XSS vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu...

8.7CVSS0.00203EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/03 4:59 p.m.3 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References1
NVD
NVD
added 2026/04/02 2:16 p.m.6 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS0.00196EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/02 1:28 p.m.4 views

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/02 1:28 p.m.20 views

CVE-2026-2737 Possibility of unintended actions when an administrator clicks a malicious link in the Progress Flowmon web application

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS0.00196EPSS
Exploits0References1
CVE
CVE
added 2026/04/02 1:28 p.m.11 views

CVE-2026-2737

CVE-2026-2737 affects Progress Flowmon before versions 12.5.8 and 13.0.6. An administrator who clicks a malicious link within an authenticated Flowmon web session may trigger unintended actions. The available sources describe the affected product versions and the login-session impact but do not s...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.6 views

PT-2026-29737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.5CVSS5.9AI score0.00196EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/01 9:41 p.m.2 views

Directory Traversal

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Directory Traversal via the avatarurl parameter in the chat export and delete endpoints. An attacker can read or delete arbitrary files within the user data root by supplying directory...

8.8CVSS6.5AI score0.0057EPSS
Exploits1References2
NVD
NVD
added 2026/04/01 4:23 p.m.8 views

CVE-2026-4924

Improper authentication in the two-factor authentication 2FA feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session...

8.2CVSS0.00326EPSS
Exploits0References1
CVE
CVE
added 2026/03/25 11:40 p.m.14 views

CVE-2026-33933

OpenEMR CVE-2026-33933 affects versions 7.0.2.1 through 8.0.0.2 (up to but not including 8.0.0.3). A reflected XSS in the custom template editor arises from an unescaped contextName parameter, allowing an attacker to execute arbitrary JavaScript in an authenticated staff member’s browser session ...

6.1CVSS5.9AI score0.00271EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/23 7:56 p.m.4 views

GHSA-5353-F8FQ-65VC New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

Summary A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. Affected versions = v0.10.0 Description The POST /api/verify endpoint supports multiple secure verification...

4.9CVSS5.7AI score0.00289EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/23 7:56 p.m.19 views

New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

Summary A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. Affected versions = v0.10.0 Description The POST /api/verify endpoint supports multiple secure verification...

4.9CVSS5.7AI score0.00289EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/03/19 5:12 p.m.4 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the save.json.php file when user-supplied thumbnail URLs are fetched without proper validation. An attacker can access internal...

6CVSS5.8AI score0.00271EPSS
Exploits1References2
OSV
OSV
added 2026/03/12 2:22 p.m.5 views

GHSA-RCP6-88MM-9VGF Copyparty has unexpected JavaScript execution via crafted URL to folder with `.prologue.html`

If an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would...

3.7CVSS5.9AI score0.00162EPSS
Exploits0References4
NVD
NVD
added 2026/03/12 1:16 p.m.4 views

CVE-2026-2513

A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

8.6CVSS0.00286EPSS
Exploits0References1
Rows per page
Query Builder