610 matches found
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the form validation method. An attacker can connect to an arbitrary URL by leveraging Overall/Read permission. Remediation Upgrade com.rapid7:jenkinsci-appspider-plugin to version 1.0.18 or higher. References -...
CVE-2026-48923
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL...
CVE-2026-48923
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL...
EUVD-2026-32514
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL...
CVE-2026-48923
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL...
CVE-2026-48923
Jenkins AppSpider Plugin 1.0.17 and earlier is affected by a permission-check bypass in a form-validation method. The issue allows attackers with Overall/Read permissions to connect to an attacker-specified URL, enabling potential external requests from the plugin context. The affected component ...
PT-2026-44016
Name of the Vulnerable Software and Affected Versions Jenkins AppSpider Plugin versions prior to 1.0.18 Description A missing permission check in a method implementing form validation allows users with Overall/Read permissions to trigger a connection to an attacker-specified URL. Recommendations...
Jenkins AppSpider Plugin 安全漏洞
The Jenkins AppSpider Plugin is an open-source Jenkins application security scanning integration plugin. The Jenkins AppSpider Plugin versions 1.0.17 and earlier contain security vulnerabilities. These vulnerabilities stem from the lack of permission checks in the method responsible for form...
PT-2026-42552
Name of the Vulnerable Software and Affected Versions BookingPress Pro versions prior to 5.7 Description The BookingPress Pro plugin for WordPress allows unauthenticated attackers to upload arbitrary files to the server, which may lead to remote code execution. This occurs due to missing file typ...
Astra Linux - уязвимость в firefox
Form validation popups may capture escape key presses. Therefore, spamming form validation messages can be used to prevent users from exiting full-screen mode. This vulnerability affects Firefox 128 and Thunderbird 128...
Admidio has Path Traversal in ECard Preview that Allows Reading Arbitrary Server Files Including Database Credentials
Summary The ecardpreview.php endpoint does not validate that the ecardtemplate POST parameter is a safe filename before passing it to ECard::getEcardTemplate. An authenticated user can supply a path traversal payload e.g., ../config.php to read arbitrary files accessible to the web server process...
CVE-2026-6609 liangliangyy DjangoBlog views.py form_valid improper authorization
A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function formvalid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used...
CVE-2026-6609
A flaw has been found in liangliangyy DjangoBlog up to 2.1.0.0. The affected element is the function formvalid of the file oauth/views.py. This manipulation of the argument oauthid causes improper authorization. The attack may be initiated remotely. The exploit has been published and may be used...
PYSEC-2026-61
GeoNode versions 4.4.5 and 5.0.2 and prior within their respective releases contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL durin...
PT-2026-32034
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation...
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Summary The inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data...
EUVD-2026-17626
Admidio has CSRF and Form Validation Bypass in Inventory Item Save via imported Parameter...
GHSA-4RWM-C5MJ-WH7X Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Summary The inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data...
CVE-2026-34383
Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user ca...
CVE-2026-34383 Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter
Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user ca...