26 matches found

Cvelist
added 2026/04/20 3:40 p.m. | 25 views

CVE-2026-24467 OpenAEV's Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

CVSS 9 | EPSS 0.009
Exploits 1 | References 4

Snyk
added 2026/04/01 10:02 p.m. | 4 views

Cross-site Scripting (XSS)

Overview: ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized input in the Social Media Management configuration fields. An attacker can execute arbitrary JavaScript in the browser context of ...

CVSS 8.4 | AI score 6 | EPSS 0.00229
Exploits 1 | References 2

Cvelist
added 2026/04/01 9:23 p.m. | 19 views

CVE-2026-34561 CI4MS: System Settings (Social Media Management) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Social Media Management. Multiple...

CVSS 4.7 | EPSS 0.00229
Exploits 1 | References 2

CVE
added 2026/03/30 8:24 p.m. | 9 views

CVE-2026-27599

CI4MS (CodeIgniter 4-based CMS skeleton) is affected by a stored DOM XSS in System Settings – Mail Settings. Prior to version 0.31.0.0, fields such as Mail Server, Mail Port, Email Address, Email Password, Mail Protocol and TLS settings accept attacker-controlled input that is stored server-side ...

CVSS 7.2 | AI score 5.8 | EPSS 0.00358
Exploits 1 | References 1 | Affected Software 1

Vulnrichment
added 2026/03/30 8:24 p.m. | 0 views

CVE-2026-27599 CI4MS: System Settings (Mail Settings) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input within System Settings – Mail Settings. Several configuration...

CVSS 4.7 | AI score 5.8 | EPSS 0.00358
Exploits 1 | References 1

EUVD
added 2026/03/30 4:19 p.m. | 2 views

EUVD-2026-17199

ci4-cms-erp/ci4ms: System Settings Mail Settings Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...

CVSS 4.7 | AI score 5.8 | EPSS 0.00358
Exploits 1 | References 2

CNNVD
added 2026/02/26 12:00 a.m. | 6 views

osctrl cross-site scripting vulnerability

OsCtrl is an open-source management software for OsQuery by JMP Security. Versions of OsCtrl prior to 0.5.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the osctrl-admin feature, which queries lists on demand, allowing for stored cross-site scripting. This could...

CVSS 8.7 | AI score 6.8 | EPSS 0.00227
Exploits 0 | References 3

NVD
added 2026/01/14 3:16 p.m. | 6 views

CVE-2026-22240

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the...

CVSS 10 | EPSS 0.03001
Exploits 0 | References 1

CVE
added 2026/01/14 2:34 p.m. | 11 views

CVE-2026-22236

Technical details about CVE-2026-22236 are not publicly available in the provided documents. The descriptions summarize improper backend API authentication but do not specify affected components, versions, impact specifics, or fixes. Monitor for updates from vendors and security feeds.

CVSS 10 | AI score 7 | EPSS 0.00469
Exploits 0 | References 1 | Affected Software 1

ATTACKERKB
added 2026/01/14 2:34 p.m. | 3 views

CVE-2026-22236

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...

CVSS 10 | AI score 5.7 | EPSS 0.00469
Exploits 0 | References 2

Cvelist
added 2026/01/14 2:34 p.m. | 26 views

CVE-2026-22236 Improper Authentication Vulnerability in BLUVOYIX

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...

CVSS 10 | EPSS 0.00469
Exploits 0 | References 1

Vulnrichment
added 2026/01/14 2:34 p.m. | 4 views

CVE-2026-22236 Improper Authentication Vulnerability in BLUVOYIX

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...

CVSS 10 | AI score 7 | EPSS 0.00469
Exploits 0 | References 1

CNNVD
added 2026/01/14 12:00 a.m. | 5 views

Bluspark BLUVOYIX security vulnerability

Bluspark BLUVOYIX is a digital supply chain management platform from US-based Bluspark, Inc. A security vulnerability exists in Bluspark BLUVOYIX that stems from the exposure of sensitive internal API documentation, which could lead to an attacker abusing internal functionality to compromise the...

CVSS 10 | AI score 6.6 | EPSS 0.00422
Exploits 0 | References 2

Positive Technologies
added 2026/01/14 12:00 a.m. | 4 views

PT-2026-2859

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...

CVSS 10 | AI score 7.3 | EPSS 0.00469
Exploits 0 | References 2

CNNVD
added 2026/01/14 12:00 a.m. | 5 views

Bluspark BLUVOYIX security vulnerability

Bluspark BLUVOYIX is a digital supply chain management platform from US-based Bluspark, Inc. Bluspark BLUVOYIX suffers from a security vulnerability that stems from improper back-end API authentication, which could lead to an attacker gaining full access to customer data and completely compromisi...

CVSS 10 | AI score 6.7 | EPSS 0.00469
Exploits 0 | References 2

Positive Technologies
added 2026/01/14 12:00 a.m. | 5 views

PT-2026-2906

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the...

CVSS 10 | AI score 7.3 | EPSS 0.03001
Exploits 0 | References 2

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2020-21055

Malware in sbrugna...

CVSS 9.8 | AI score 9.2 | EPSS 0.01668
Exploits 0 | References 2

RedhatCVE
added 2025/05/22 3:56 p.m. | 3 views

CVE-2020-28657

In bPanel 2.0, the administrative ajax endpoints aka ajax/aj.php are accessible without authentication and allow SQL injections, which could lead to platform compromise...

CVSS 9.8 | AI score 7.8 | EPSS 0.01668
Exploits 0

Cvelist
added 2024/02/02 12:00 a.m. | 16 views

CVE-2024-22107

An issue was discovered in GTB Central Console 15.17.1-30814.NG. The method systemSettingsDnsDataAction at /opt/webapp/src/AppBundle/Controller/React/SystemSettingsController.php is vulnerable to command injection via the /old/react/v1/api/system/dns/data endpoint. An authenticated attacker can...

AI score 7.4 | EPSS 0.02525
Exploits 1 | References 2

OSV
added 2023/12/18 8:15 a.m. | 1 view

CVE-2023-6483

The vulnerability exists in ADiTaaS Allied Digital Integrated Tool-as-a-Service version 5.1 due to an improper authentication vulnerability in the ADiTaaS backend API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable...

CVSS 9.8 | AI score 5.8 | EPSS 0.01219
Exploits 0 | References 1