Lucene search
K

1335 matches found

NVD
NVD
added 2026/03/20 12:16 a.m.7 views

CVE-2026-32756

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an...

8.8CVSS0.00982EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/19 11:8 p.m.4 views

CVE-2026-32756

Admidio is an open-source user management solution. Versions 5.0.6 and below contain a critical unrestricted file upload vulnerability in the Documents & Files module. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an...

8.8CVSS6AI score0.00982EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/03/18 4:17 a.m.7 views

CVE-2026-32265

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The BucketsController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token ...

6.9CVSS0.00344EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/18 3:46 a.m.2 views

CVE-2026-32266 Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability

The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the DefaultController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin...

6.9CVSS5.8AI score0.00344EPSS
Exploits0References2
CVE
CVE
added 2026/03/18 3:46 a.m.8 views

CVE-2026-32266

The CVE concerns the Google Cloud Storage for Craft CMS plugin (Craft CMS). On the 2.x branch, versions prior to 2.2.1 expose information via DefaultController->actionLoadBucketData() such that unauthenticated users with a valid CSRF token can view the list of buckets the plugin can access. Th...

6.9CVSS5.8AI score0.00344EPSS
Exploits0References2
OSV
OSV
added 2026/03/18 3:46 a.m.5 views

CVE-2026-32266 Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability

The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the DefaultController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin...

6.9CVSS5.9AI score0.00344EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/16 9:18 p.m.9 views

Admidio is Missing Authorization on Forum Topic and Post Deletion

Summary The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topicdelete and postdelete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete. Any authenticated user with...

6.5CVSS5.9AI score0.00226EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:16 p.m.9 views

File Upload(RCE) Vulnerability in admidio

Summary A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file...

8.8CVSS6.2AI score0.00982EPSS
Exploits1References4Affected Software1
Snyk
Snyk
added 2026/03/16 6:44 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the actionLoadContainerData endpoint. An attacker can access sensitive bucket information by sending unauthenticated requests with a valid CSRF token. Because error messages may also reveal sensitive data,...

8.7CVSS5.8AI score0.00348EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/16 6:13 p.m.8 views

Amazon S3 for Craft CMS has an Information Disclosure vulnerability

Unauthenticated users can view a list of buckets the plugin has access to. The BucketsController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to...

6.9CVSS5.8AI score0.00344EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.5 views

PT-2026-25818

The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The DefaultController-actionLoadContainerData endpoint allows...

8.7CVSS5.8AI score0.00348EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.11 views

PT-2026-25854

Summary A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file...

8.8CVSS6.2AI score0.00982EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.3 views

PT-2026-26173

Summary The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic delete and post delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete. Any authenticated user wit...

6.5CVSS6AI score0.00226EPSS
Exploits1References6
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/16 12:0 a.m.9 views

File Upload(RCE) Vulnerability in admidio

A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension...

8.8CVSS6AI score0.00982EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/02/25 6:59 p.m.5 views

GHSA-3534-XP88-25RC Parse Dashboard is Missing CSRF Protection for its Agent Endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session. Patches The fix adds CSRF middleware to the agent endpoi...

8.3CVSS5.5AI score0.00143EPSS
Exploits0References4
NVD
NVD
added 2026/02/25 3:16 a.m.11 views

CVE-2026-27609

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submit...

8.3CVSS0.00143EPSS
Exploits0References2
OSV
OSV
added 2026/02/25 2:18 a.m.5 views

CVE-2026-27609 Parse Dashboard Missing CSRF Protection on Agent Endpoint

Parse Dashboard is a standalone dashboard for managing Parse Server apps. In versions 7.3.0-alpha.42 through 9.0.0-alpha.7, the AI Agent API endpoint POST /apps/:appId/agent lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submit...

8.3CVSS5.6AI score0.00143EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/25 12:0 a.m.8 views

PT-2026-21826

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that allows low-privileged users, such as receptionists, to export the entire message list containing...

6.5CVSS5.5AI score0.00264EPSS
Exploits1References3
NVD
NVD
added 2026/02/24 5:29 p.m.6 views

CVE-2024-48928

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secretkey configuration parameter is set to MD5RAND in MySQL. However, RAND only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is...

7.5CVSS0.0026EPSS
Exploits0References2
OSV
OSV
added 2026/02/24 4:39 p.m.7 views

CVE-2024-48928 Piwigo's secret key can be brute forced

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secretkey configuration parameter is set to MD5RAND in MySQL. However, RAND only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token is...

6.9CVSS5.6AI score0.0026EPSS
Exploits0References4
Rows per page
Query Builder