22 matches found

Cvelist · added 2026/05/04 5:40 p.m. · 29 views

CVE-2026-41471 Easy PayPal Events & Tickets < 1.4 Information Disclosure via QR Code Endpoint

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress po...

CVSS 8.2 · EPSS 0.00188 · Exploits 0 · References 3

Vulnrichment · added 2026/05/04 5:40 p.m. · 1 view

CVE-2026-41471 Easy PayPal Events & Tickets < 1.4 Information Disclosure via QR Code Endpoint

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress po...

CVSS 8.2 · AI score 5.8 · EPSS 0.00188 · Exploits 0 · References 3

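The two records above describe the classic enumeration pattern: a lookup keyed on a sequential post ID with neither authentication nor an ownership check. The following is an added Python model of that pattern, not the plugin's PHP: the attacker's ID-walking loop run against a handler that reproduces the flaw and against one that requires a logged-in caller, a per-ticket secret and ownership (or an assumed organizer role). The in-memory store, record fields and the token design are assumptions for illustration.

```python
"""Added example (not plugin code): sequential-ID enumeration against an
unprotected order lookup, beside an authorization-checked lookup.
Store, field names, token design and the 'organizer' role are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int          # sequential post ID: trivially guessable
    owner: str             # account that placed the order
    buyer_email: str
    # per-ticket secret a legitimate QR code would carry (assumed design)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))


# Constructed sample data: three orders with consecutive IDs.
ORDERS = {
    101: Order(101, "alice", "alice@example.test"),
    102: Order(102, "bob", "bob@example.test"),
    103: Order(103, "carol", "carol@example.test"),
}
ORGANIZERS = {"eventadmin"}     # assumed privileged role


def vulnerable_lookup(order_id: int, caller=None, token=None):
    """Mirrors the flaw: no authentication, no ownership check, any ID."""
    o = ORDERS.get(order_id)
    if o is None:
        return None
    return {"order_id": o.order_id, "owner": o.owner, "email": o.buyer_email}


def hardened_lookup(order_id: int, caller=None, token=None):
    """Require a logged-in caller, a matching ticket token, and ownership
    (or the organizer role). Every failure returns None so a wrong token
    and a missing order look the same from outside."""
    if caller is None:
        return None
    o = ORDERS.get(order_id)
    if o is None:
        return None
    if not hmac.compare_digest(o.token, token or ""):   # constant-time compare
        return None
    if caller != o.owner and caller not in ORGANIZERS:
        return None
    return {"order_id": o.order_id, "owner": o.owner, "email": o.buyer_email}


def enumerate_orders(lookup, start: int, stop: int):
    """The attacker's loop from the advisory: walk sequential IDs,
    unauthenticated and without a token, and keep whatever comes back."""
    found = []
    for i in range(start, stop + 1):
        rec = lookup(i)
        if rec is not None:
            found.append(rec)
    return found
```

Against `vulnerable_lookup` the loop recovers every order in the ID range; against `hardened_lookup` it recovers nothing, and even a guessed ID with a valid token only works for the order's owner or an organizer.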
NVD · added 2026/04/17 1:16 p.m. · 2 views

CVE-2026-6487

A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. Manipulation of the argument path leads to path traversal. The attack can be carried out remotely. The exploit has been...

CVSS 5.3 · EPSS 0.0005 · Exploits 0 · References 4

Cvelist · added 2026/04/17 12:30 p.m. · 29 views

CVE-2026-6487 Qihui jtbc5 CMS Code Endpoint manage.php path traversal

A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. Manipulation of the argument path leads to path traversal. The attack can be carried out remotely. The exploit has been...

CVSS 5.3 · EPSS 0.0005 · Exploits 0 · References 4

CVE · added 2026/04/17 12:30 p.m. · 5 views

CVE-2026-6487

CVE-2026-6487 affects Qihui jtbc5 CMS 5.0.3.6. A flaw in an unknown function within /dev/code/common/diplomat/manage.php allows path traversal via the Code Endpoint component. The vulnerability is remotely exploitable; exploitation appears to be published. Vendor response to disclosure is not pro...

CVSS 5.3 · AI score 5.3 · EPSS 0.0005 · Exploits 0 · References 4

Positive Technologies · added 2026/04/17 12:00 a.m. · 2 views

PT-2026-33447

A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. Manipulation of the argument path leads to path traversal. The attack can be carried out remotely. The exploit has been...

CVSS 5.3 · AI score 5.3 · EPSS 0.0005 · Exploits 0 · References 5

CNNVD · added 2026/04/17 12:00 a.m. · 4 views

QiHui JBTC CMS security vulnerability

QiHui JBTC CMS is an open-source content management system developed by QiHui. Version 5.0.3.6 of QiHui JBTC CMS contains a security vulnerability. This vulnerability stems from an unknown function in the component Code Endpoint, which improperly handles the path parameter in the...

CVSS 5.3 · AI score 5.7 · EPSS 0.0005 · Exploits 0 · References 1

CNNVD · added 2026/03/10 12:00 a.m. · 2 views

OneUptime security vulnerability

OneUptime is a comprehensive open-source solution developed by OneUptime. It is used to monitor and manage your online services. OneUptime has a security vulnerability, which stems from insufficient ownership verification for the resend-verification-code endpoint. This vulnerability may lead to t...

CVSS 5.3 · AI score 5.8 · EPSS 0.0002 · Exploits 1 · References 2

ATTACKERKB · added 2026/03/04 12:00 a.m. · 3 views

CVE-2025-70222

Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formLogin, goform/getAuthCode...

AI score 6.1 · EPSS 0.00134 · Exploits 1 · References 4

RedhatCVE · added 2025/11/01 12:04 p.m. · 5 views

CVE-2025-12175

The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tecqrcodemodal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to vi...

CVSS 4.3 · AI score 5.1 · EPSS 0.00036 · Exploits 0 · References 1

Snyk · added 2025/08/25 4:43 p.m. · 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the api/v1/validate/code endpoint. A low-privileged user can gain administrative privileges by executing the /app/.venv/bin/langflow superuser command. Remediation: Upgrade langflow-base to version 0.5.1 or...

CVSS 8.8 · AI score 6.7 · EPSS 0.00017 · Exploits 0 · References 2

Cvelist · added 2025/08/13 8:02 p.m. · 9 views

CVE-2025-8927 mtons mblog Verification Code send_code excessive authentication

A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/sendcode of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive authentication attempts. The...

CVSS 6.3 · EPSS 0.0013 · Exploits 1 · References 4

CNNVD · added 2025/08/13 12:00 a.m. · 2 views

mblog security vulnerability

mblog is a blogging system by the individual developer langhsu. A security vulnerability exists in mblog 3.5.0 and earlier versions, which stems from improper restriction of authentication attempts due to misuse of the parameter email in the file /email/sendcode...

CVSS 6.3 · AI score 4.9 · EPSS 0.0013 · Exploits 1 · References 5

Packet Storm · added 2025/07/16 12:00 a.m. · 148 views

Langflow 1.2.x Remote Code Execution

Langflow exposes a vulnerable endpoint /api/v1/validate/code that improperly evaluates arbitrary Python code via the exec function. An unauthenticated remote attacker can execute arbitrary system commands. Versions 1.2.x and below are affected. !/usr/bin/env python3 Exploit Title: Langflow 1.2.x ...

CVSS 9.8 · AI score 8.3 · EPSS 0.92665 · Exploits 33

Packet Storm News · added 2025/04/16 12:00 a.m. · 4 views

Langflow Code Injection

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code...

CVSS 9.8 · AI score 8.1 · EPSS 0.92665 · Exploits 33

VulnCheck KEV · added 2025/04/12 12:00 a.m. · 0 views

VulnCheck KEV: CVE-2025-3248

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests...

CVSS 9.8 · AI score 6.2 · EPSS 0.92665 · Exploits 33 · References 1

PyPA · added 2025/04/07 3:15 p.m. · 9 views

PYSEC-2025-36

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code...

CVSS 9.8 · AI score 7.9 · EPSS 0.92665 · Exploits 33 · References 4 · Affected Software 1

Snyk · added 2025/02/05 9:14 p.m. · 1 view

Improper Privilege Management

Overview: MobSF (Mobile Security Framework) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. Affected versions of this package are vulnerable to Improper...

CVSS 8.7 · AI score 6.6 · EPSS 0.00205 · Exploits 1 · References 2

CVE · added 2024/06/06 6:55 p.m. · 50 views

CVE-2024-2359

The CVE concerns parisneo/lollms-webui v9.3. An OS command injection stems from improper neutralization, enabling remote code execution. Affected component: the host/config handling in the runtime; attacker-controlled host via the /update_setting endpoint bypasses the intended protection on /exec...

CVSS 9.8 · AI score 10 · EPSS 0.00148 · Exploits 1 · References 1 · Affected Software 1

Positive Technologies · added 2024/06/06 12:00 a.m. · 2 views

PT-2024-19951 · Unknown · Parisneo/Lollms-Webui

Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version 9.3. Description: The issue arises from the application's handling of the "/execute code" endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the "/update...

CVSS 9.8 · AI score 9.7 · EPSS 0.00148 · Exploits 1 · References 6
