Cross-site Scripting (XSS)
Overview: ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the filename field in the backup management module. An attacker can gain unauthorized access to user accounts and escalate privileges by...
CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS
An attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload...
GHSA-85M8-G393-JCXF CI4MS: Backup Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM Blind XSS
Summary. Vulnerability: Stored DOM Blind XSS via Backup Management Filename (Persistent Payload Injection) - Stored Cross-Site Scripting (Blind XSS) via Unsanitized Backup Filename in Backup Management. Description: The application fails to properly sanitize user-controlled input when handling backup...
CVE-2026-34563
CVE-2026-34563 (CI4MS) is a vulnerability in the CodeIgniter 4–based CMS skeleton where, before version 0.31.0.0, user input is not properly sanitized during backup uploads and backup metadata processing. An attacker can inject a malicious JavaScript payload into the backup filename via an xss.sq...
EUVD-2019-6000
Malware in sbrugna...
EUVD-2020-7832
Malware in sbrugna...
EUVD-2025-19754
Malicious code in bioql PyPI...
EUVD-2024-20846
Malicious code in bioql PyPI...
EUVD-2023-12232
Malicious code in bioql PyPI...
CVE-2025-34076
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By...
Local File Inclusion (LFI)
microweber/microweber is vulnerable to Local File Inclusion LFI. The vulnerability is due to insufficient path validation and inadequate restrictions in the backup management API, allowing authenticated users to read arbitrary files via crafted requests to the upload and download endpoints...
GHSA-J64V-XH5W-8HQJ Microweber CMS API has authenticated local file inclusion vulnerability
An authenticated local file inclusion vulnerability exists in Microweber CMS versions 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifyi...
CVE-2025-34076 Microweber CMS Authenticated Local File Inclusion via Backup API
An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By...
PT-2025-27668 · Unknown · Microweber Cms
Name of the Vulnerable Software and Affected Versions: Microweber CMS versions <= 1.2.11. Description: An authenticated local file inclusion issue exists due to the misuse of the backup management API. Authenticated users can exploit the /api/BackupV2/upload and /api/BackupV2/download endpoints to...
CVE-2023-0142
Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager DSM before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors...
CVE-2024-23335
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There...
CVE-2024-23335 Backups directory .htaccess deletion in MyBB
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There...