2410 matches found

Cvelist
added 2026/01/19 8:09 p.m., 16 views

CVE-2026-23837 MyTube has an Authorization Bypass vulnerability

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication...

CVSS 9.8, EPSS 0.00573
Exploits 0, References 2
CVE
added 2026/01/19 7:57 p.m., 14 views

CVE-2026-23851

SiYuan Note (v3.5.3–pre-3.5.4) contains a logic flaw in /api/file/globalCopyFiles that lets authenticated users copy files from arbitrary locations on the server filesystem into the app workspace due to missing validation of source paths against the workspace boundary. The vulnerability exists in...

CVSS 8.3, AI score 5.7, EPSS 0.00436
Exploits 1, References 4, Affected Software 1
ATTACKERKB
added 2026/01/17 2:22 a.m., 3 views

CVE-2025-14450

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'changewalletfundrequeststatuscallback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with...

CVSS 6.5, AI score 5.4, EPSS 0.00214
Exploits 0, References 5
Positive Technologies
added 2026/01/17 12:00 a.m., 5 views

PT-2026-3357

The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp shortcode taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4, AI score 5, EPSS 0.00185
Exploits 0, References 4
Positive Technologies
added 2026/01/16 12:00 a.m., 7 views

PT-2026-7855

Name of the Vulnerable Software and Affected Versions: Crawl4AI versions prior to 0.8.0. Description: Crawl4AI is affected by a remote code execution issue in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec. The inclusion of...

CVSS 10, AI score 6.6, EPSS 0.01589
Exploits 0, References 12
CNNVD
added 2026/01/16 12:00 a.m., 5 views

Phpwcms security vulnerabilities

Phpwcms is an open-source content management system developed by Phpwcms. Version 1.9.30 of Phpwcms contains a security vulnerability. This vulnerability stems from allowing authenticated attackers to upload malicious SVG files, which could lead to cross-site scripting attacks...

CVSS 5.4, AI score 5.6, EPSS 0.00282
Exploits 1, References 3
OSV
added 2026/01/15 5:58 p.m., 2 views

GHSA-VH2X-FW87-4FXQ DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface

Summary: DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. Details: When a user logs into the administrative backend, this interface can be used to delete files. The...

CVSS 8.1, AI score 7.2, EPSS 0.00598
Exploits 1, References 5
Github Security Blog
added 2026/01/15 5:58 p.m., 7 views

DPanel has an arbitrary file deletion vulnerability in /api/common/attach/delete interface

Summary: DPanel has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. Authenticated users can delete arbitrary files on the server via path traversal. Details: When a user logs into the administrative backend, this interface can be used to delete files. The...

CVSS 8.1, AI score 7.3, EPSS 0.00598
Exploits 1, References 5, Affected Software 1
CVE
added 2026/01/15 4:19 p.m., 13 views

CVE-2025-66292

DPanel (Go) has an arbitrary file deletion vulnerability in the /api/common/attach/delete interface. The Delete function passes the user-supplied path to storage.Local{}.GetSaveRealPath and then os.Remove without sanitizing path traversal (../), with filepath.Join in local.go resolving traversal ...

CVSS 8.1, AI score 6.5, EPSS 0.00598
Exploits 1, References 3, Affected Software 1
GithubExploit
added 2026/01/15 12:58 p.m., 202 views

Exploit for Unrestricted Upload of File with Dangerous Type in Greenshiftwp Greenshift_-_Animation_And_Page_Builder_Blocks

Metasploit Module: Greenshift WordPress Plugin Arbitrary File...

CVSS 8.8, AI score 7.6, EPSS 0.02027
Exploits 1
Positive Technologies
added 2026/01/15 12:00 a.m., 8 views

PT-2026-2982

Name of the Vulnerable Software and Affected Versions: WP-Members Membership Plugin versions up to and including 3.5.4.3. Description: The WP-Members Membership Plugin for WordPress is susceptible to Stored Cross-Site Scripting through the Multiple Checkbox and Multiple Select user profile fields...

CVSS 5.4, AI score 5.6, EPSS 0.00187
Exploits 0, References 6
OSV
added 2026/01/14 5:16 p.m., 4 views

CVE-2025-67835

Paessler PRTG Network Monitor before 25.4.114 allows Denial-of-Service (DoS) by an authenticated attacker via the Notification Contacts functionality...

CVSS 6.5, AI score 5.8, EPSS 0.00346
Exploits 0, References 2
NVD
added 2026/01/13 9:15 p.m., 4 views

CVE-2026-0543

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector...

CVSS 6.5, EPSS 0.0037
Exploits 0, References 1
Cvelist
added 2026/01/13 1:14 a.m., 27 views

CVE-2026-0501 SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger)

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise Financials General Ledger, an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of...

CVSS 9.9, EPSS 0.00414
Exploits 0, References 2
Vulnrichment
added 2026/01/13 12:00 a.m., 2 views

CVE-2025-69992

phpgurukul News Portal Project V4.1 has File Upload Vulnerability via upload.php, which enables the upload of files of any format to the server without identity authentication...

AI score 6.7, EPSS 0.00508
Exploits 1, References 1
Positive Technologies
added 2026/01/13 12:00 a.m., 4 views

PT-2026-2410

Name of the Vulnerable Software and Affected Versions: Wing FTP Server versions 4.3.8 and below. Description: The software contains a remote code execution issue that allows attackers to execute arbitrary PowerShell commands. An attacker can leverage a crafted Lua script payload, base64-encoded with...

CVSS 8.8, AI score 8.2, EPSS 0.00204
Exploits 0, References 5
Positive Technologies
added 2026/01/13 12:00 a.m., 5 views

PT-2026-2341

Name of the Vulnerable Software and Affected Versions: SAP Application Server for ABAP and SAP NetWeaver RFCSDK (affected versions not specified). Description: An authenticated attacker with administrative access and adjacent network access could potentially execute arbitrary operating system commands...

CVSS 8.4, AI score 7.4, EPSS 0.00878
Exploits 0, References 6
EUVD
added 2026/01/12 10:05 p.m., 10 views

EUVD-2026-1995

Emlog is an open source website building system. emlog v2.6.1 and earlier exposes a REST API endpoint /index.php?rest-api=upload for media file uploads. The endpoint fails to implement proper validation of file types, extensions, and content, allowing authenticated attackers with a valid API key ...

CVSS 9.3, AI score 7.5, EPSS 0.00627
Exploits 1, References 2
EUVD
added 2026/01/10 1:47 p.m., 4 views

EUVD-2026-1845

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and 'titletag' parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it...

CVSS 6.4, AI score 4.6, EPSS 0.00191
Exploits 0, References 4
OSV
added 2026/01/09 7:21 p.m., 3 views

GHSA-78H3-63C4-5FQC WeKnora has Command Injection in MCP stdio test

Vulnerability Description. Vulnerability Overview: This issue is a command injection vulnerability (CWE-78) that allows authenticated users to inject stdioconfig.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. The root causes are as...

CVSS 9.9, AI score 7.6, EPSS 0.01747
Exploits 1, References 5