2125 matches found
CVE-2021-28379
web/upload/UploadHandler.php in Vesta Control Panel aka VestaCP through 0.9.8-27 and myVesta through 0.9.8-26-39 allows uploads from a different origin...
CVE-2019-18419
A cross-site scripting XSS vulnerability in index.php in ClonOS WEB control panel 19.09 allows remote attackers to inject arbitrary web script or HTML via the lang parameter...
CVE-2019-18418
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no session management...
CVE-2020-10808
Vesta Control Panel VestaCP through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bashlogout to a .bashlogout' substring followed by shell...
CVE-2020-10786
A remote command execution in Vesta Control Panel through 0.9.8-26 allows any authenticated user to execute arbitrary commands on the system via cron jobs...
CVE-2020-10966
In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name...
CVE-2020-24061
Cross Site Scripting XSS Vulnerability in Firewall menu in Control Panel in KASDA KW5515 version 4.3.1.0, allows attackers to execute arbitrary code and steal cookies via a crafted script...
CVE-2021-41083
Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any...
CVE-2019-12792
A command injection vulnerability in UploadHandler.php in Vesta Control Panel 0.9.8-24 allows remote attackers to escalate from regular registered users to root...
EUVD-2026-0824
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for...
EUVD-2026-0844
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and...
iiCMS 代码注入漏洞
iCMS is a software application. It is an efficient and simple content management system built with PHP and MySQL. A code injection vulnerability exists in iCMS 8.0.0 and earlier versions, which stems from an incorrect operation of the parameter config by the Save function in the POST Parameter...
CVE-2025-64400
Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has edit on the enrollment-level user directory, but is missing a separate check that the enrollment...
Yet another DCOM object for lateral movement
Introduction If you're a penetration tester, you know that lateral movement is becoming increasingly difficult, especially in well-defended environments. One common technique for remote command execution has been the use of DCOM objects. Over the years, many different DCOM objects have been...
Palantir Control Panel 安全漏洞
Palantir Control Panel is a centralized management console from Palantir USA. A security vulnerability exists in Palantir Control Panel that stems from a lack of organizational access checks that could lead to unauthorized user creation...
PT-2025-51353
Name of the Vulnerable Software and Affected Versions FreePBX tts module versions prior to 16.0.5 FreePBX tts module versions prior to 17.0.5 Description The Text to Speech tts module for FreePBX, a web-based graphical user interface for Asterisk, contains a SQL injection flaw. Authenticated user...
📄 Hestia Control Panel 1.9.3 Code Execution
Hestia Control Panel version 1.9.3 code injection proof of concept exploit written in PHP that leverages cronjobs. ============================================================================================================================================= | Title : Hestia Control Panel 1.9.3 PHP...
CVE-2025-66507
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA...
PT-2025-50237
Name of the Vulnerable Software and Affected Versions COMMAX CVD-Axx DVR version 5.1.4 Description The COMMAX CVD-Axx DVR contains weak default administrative credentials, enabling remote password attacks and disclosure of RTSP streams. An attacker can exploit this by sending a POST request to an...
OpenCode USSD Gateway 安全漏洞
OpenCode USSD Gateway is an OpenCode open source gateway software for processing and managing USSD messages. A security vulnerability exists in OpenCode USSD Gateway that originates from an SQL injection in the Session ID parameter in /occontrolpanel/index.php...