148 matches found
CVE-2026-34428
Vvveb prior to 1.0.8.1 contains a server-side request forgery vulnerability in the oEmbedProxy action of the editor/editor module where the url parameter is passed directly to getUrl via curl without scheme or destination validation. Authenticated backend users can supply file:// URLs to read...
GHSA-FC4P-P49V-R948 CI4MS: Stored Cross‑Site Scripting (Stored XSS) in Backend User Management Allows Session Hijacking and Full Administrative Account Compromise
Summary A critical Stored Cross-Site Scripting Stored XSS vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript cod...
CVE-2026-27591
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591 Winter: Privilege escalation by authenticated backend users
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2026-27591
CVE-2026-27591 pertains to Winter CMS (Laravel-based). The issue allows authenticated backend users to escalate their own access by mutating roles/permissions via specially crafted backend requests while logged in. Root cause is an authorization weakness in the backend account management flow. Im...
PT-2026-24850
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
Umbraco Forms path traversal vulnerability
Umbraco Forms is a form-building tool developed by the Umbraco company. Versions 16 and 17 of Umbraco Forms contain a path traversal vulnerability. This vulnerability allows authenticated backend users to enumerate and traverse system file paths, potentially leading to the reading of file content...
CVE-2025-59022
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...
CVE-2025-59022 TYPO3 CMS Allows Broken Access Control in Recycler Module
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...
PT-2026-2476
Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...
Contao is vulnerable to remote code execution in template closures
Impact Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required parameters. Patches Update to Contao 4.13.57, 5.3.42 or 5.6.5 Workarounds Manually patch the Contao\Template::once method. Resources...
CVE-2025-41343
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'email' in '/backend/api/users/searchUserByEmail.php'...
EUVD-2021-1488
Malware in sbrugna...
EUVD-2023-51556
Malicious code in bioql PyPI...
EUVD-2025-27226
Malicious code in bioql PyPI...
EUVD-2025-27229
Malicious code in bioql PyPI...
EUVD-2025-27228
Malicious code in bioql PyPI...
EUVD-2025-27227
Malicious code in bioql PyPI...