Lucene search

309 matches found

Positive Technologies
added yesterday | 2 views

PT-2026-46044

An authenticated user can persist arbitrary HTML/JavaScript in the email id or mobile no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0...

CVSS 5.1 | AI score 5.9
Exploits: 0 | References: 3

ATTACKERKB
added 2026/05/25 2:15 p.m. | 4 views

CVE-2018-25372

MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads ...

CVSS 8.8 | AI score 6.1 | EPSS 0.00081
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/05/25 2:15 p.m. | 15 views

CVE-2018-25372 MedDream PACS Server Premium 6.7.1.1 SQL Injection via email

MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads ...

CVSS 8.8 | EPSS 0.00081
Exploits: 0 | References: 2

CVE
added 2026/05/25 2:15 p.m. | 10 views

CVE-2018-25372

CVE-2018-25372 : MedDream PACS Server Premium 6.7.1.1 contains an unauthenticated SQL injection in the email parameter of the userSignup.php endpoint. Crafting POST requests with SQL payloads can extract sensitive information from the backend MySQL database. The description explicitly states the ...

CVSS 8.8 | AI score 6.1 | EPSS 0.00081
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/25 12:0 a.m. | 6 views

PT-2026-43224

MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads ...

CVSS 8.8 | AI score 6.1 | EPSS 0.00081
Exploits: 0 | References: 3

Github Security Blog
added 2026/05/20 3:44 p.m. | 4 views

Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification

Summary: A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential password hash, bypassing the intended password change workflow. Because the endpoint forwards the entire request body to the...

AI score 5.8
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/05/16 3:25 p.m. | 5 views

CVE-2020-37240 Queue Management System 4.0.0 Stored XSS via Add User

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4 | AI score 5.7 | EPSS 0.00034
Exploits: 0 | References: 4

Cvelist
added 2026/05/16 3:25 p.m. | 26 views

CVE-2020-37240 Queue Management System 4.0.0 Stored XSS via Add User

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4 | EPSS 0.00034
Exploits: 0 | References: 4

CVE
added 2026/05/16 3:25 p.m. | 7 views

CVE-2020-37240

CVE-2020-37240 affects Queue Management System 4.0.0 with a stored XSS flaw in the Add User workflow. Authenticated administrators can inject JavaScript via First Name, Last Name, or Email during user creation, with payloads executing on the User List page. CVSS-4.0 vector yields 5.1 (MEDIUM), an...

CVSS 6.4 | AI score 5.7 | EPSS 0.00034
Exploits: 0 | References: 4

ATTACKERKB
added 2026/05/16 3:25 p.m. | 4 views

CVE-2020-37240

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4 | AI score 5.7 | EPSS 0.00034
Exploits: 0 | References: 4 | Affected Software: 1

RedhatCVE
added 2026/05/16 1:56 a.m. | 4 views

CVE-2025-64526

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

CVSS 6.9 | AI score 6 | EPSS 0.0001
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/16 12:0 a.m. | 9 views

PT-2026-41440

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which...

CVSS 6.4 | AI score 5.7 | EPSS 0.00034
Exploits: 0 | References: 5

EUVD
added 2026/05/14 6:32 p.m. | 4 views

EUVD-2025-209860

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field...

CVSS 6.9 | AI score 6 | EPSS 0.0001
Exploits: 0 | References: 4

Snyk
added 2026/05/13 8:2 p.m. | 5 views

Brute Force

Overview: @strapi/plugin-users-permissions is a headless CMS. Affected versions of this package are vulnerable to Brute Force via the rate-limiting middleware. An attacker can bypass intended request throttling by manipulating the email field in the request body to generate unique rate-limit keys f...

CVSS 6.9 | AI score 5.8 | EPSS 0.0001
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/13 12:0 a.m. | 5 views

PT-2026-40833

Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 5.45.0. Description: The rate-limit middleware in the users-permissions plugin incorrectly derives its rate-limit key using ctx.request.body.email, even on routes where the body schema does not require an email field, su...

CVSS 6.9 | AI score 6 | EPSS 0.0001
Exploits: 0 | References: 8

OSV
added 2026/05/07 9:16 p.m. | 3 views

GHSA-RJ4G-RQGH-RX9H Ech0 comment model's Email field returned on public /api/comments endpoints

Summary: The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 3

Snyk
added 2026/05/07 9:16 p.m. | 5 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview: Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the Email field in the Comment model exposed through unauthenticated public API endpoints. An attacker can obtain the email addresses of all guest commenters by makin...

CVSS 6.9 | AI score 5.8
Exploits: 0 | References: 2

NVD
added 2026/04/27 3:16 p.m. | 1 view

CVE-2026-7131

A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has...

CVSS 7.5 | EPSS 0.00043
Exploits: 0 | References: 5

NVD
added 2026/04/26 10:17 p.m. | 1 view

CVE-2018-25294

CEWE Photoshow 6.3.4 contains a buffer overflow vulnerability in the login dialog that allows attackers to crash the application by submitting oversized input. Attackers can inject 4000 bytes of data into the email address and password fields to trigger a denial of service condition...

CVSS 8.7 | EPSS 0.00059
Exploits: 0 | References: 4

CVE
added 2026/04/26 1:19 p.m. | 8 views

CVE-2018-25294

CEWE Photoshow 6.3.4 is affected by a buffer overflow in the login dialog. The vulnerability can be triggered by submitting oversized input (up to ~4000 bytes in the email address and password fields), leading to denial of service (crash). Connected documents confirm the existence of this buffer ...

CVSS 8.7 | AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 4