CVE-2026-55477 Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

EUVD-2026-39432

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

PT-2026-51234

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.0-beta.1 Craft CMS versions 5.0.0-RC1 through 5.9.0-beta.1 Description Stored cross-site scripting occurs when settings names and field option labels are rendered without sanitization, specifically...

CVE-2026-49288

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

CVE-2026-49288

Statamic CMS patch for CVE-2026-49288 fixes a missing authorization on Control Panel fieldtype endpoints that allowed an authenticated CP user to view restricted metadata and content (entries, assets, users, roles, groups, etc.). The issue could disclose titles, custom field values, entry content...

CVE-2026-54222

UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members in Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries...

EUVD-2026-37885

UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members in Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries...

CVE-2026-54222

UBB.threads is vulnerable to Blind SQL Injection, allowing attackers with access to the Members in Control Panel to interact with the underlying database. Due to insufficient input sanitization, an attacker can extract sensitive information, such as user credentials, by manipulating SQL queries...

CVE-2026-54222

UBB.threads is vulnerable to a Blind SQL Injection due to insufficient input sanitization. The vulnerability has been confirmed in version 7.7.5 and may affect other versions. Attack requires access to the Members in Control Panel and can extract data through time-based or boolean-based queries v...

EUVD-2026-36748

A Time-Based Blind SQL Injection vulnerability in the aliasmanagement module of OpenSIPS Control Panel opensips-cp prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in aliasmanagement.php...

PT-2026-49288

Name of the Vulnerable Software and Affected Versions OpenSIPS Control Panel versions prior to 9.3.3 Description A Time-Based Blind SQL Injection in the alias management module allows authenticated attackers to execute arbitrary SQL commands. This occurs via the 'table' GET parameter in the 'alia...

CVE-2026-36670

A Time-Based Blind SQL Injection vulnerability in the aliasmanagement module of OpenSIPS Control Panel opensips-cp prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in aliasmanagement.php...

CVE-2026-36670

CVE-2026-36670: Time-based blind SQL injection in the OpenSIPS Control Panel (opensips-cp) alias_management module before version 9.3.3. Authenticated attackers can leverage the table parameter in alias_management.php to execute arbitrary SQL. Connected sources confirm the affected component is O...

LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability

LiteSpeed cPanel plugin contains a UNIX symbolic link Symlink following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS...

EUVD-2026-36657

LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...

CVE-2026-47366

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...

CVE-2026-47366

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...

EUVD-2026-36377

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...

CVE-2026-47366

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...