Lucene search
K

703 matches found

OSV
OSV
added 2026/03/31 11:11 p.m.6 views

GHSA-4RWM-C5MJ-WH7X Admidio has CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Summary The inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save arbitrary inventory item data...

4.3CVSS6AI score0.00133EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.6 views

CVE-2026-32757

Admidio is an open-source user management solution. In versions 5.0.6 and below, the eCard send handler uses a raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject...

5.4CVSS5.8AI score0.00227EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:4 p.m.20 views

CVE-2026-3584

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'formprocess' function. This is due to the 'preparepostdata' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of...

9.8CVSS6.1AI score0.07239EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.6 views

CVE-2026-33483

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data...

7.5CVSS6AI score0.00605EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/25 9:56 p.m.4 views

EUVD-2026-14508

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized userid Parameter...

7.1CVSS5.9AI score0.00224EPSS
Exploits1References3
OSV
OSV
added 2026/03/25 9:56 p.m.6 views

GHSA-FFR8-FXHV-FV8H AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter

Summary The Subscribe::save method in objects/subscribe.php concatenates the $this-usersid property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $POST'userid' in both subscribe.json.php and subscribeNotify.json.php. An authenticate...

7.1CVSS6.1AI score0.00224EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/23 9:30 p.m.5 views

EUVD-2024-55496

A Reflected Cross-Site Scripting XSS vulnerability exists in the POST request data zipPath of tiki-adminsystem.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or...

6.2AI score0.00195EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/03/23 2:12 p.m.4 views

CVE-2026-33483 AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data...

7.5CVSS6AI score0.00605EPSS
Exploits1References2
CVE
CVE
added 2026/03/23 2:12 p.m.18 views

CVE-2026-33483

CVE-2026-33483 affects WWBN AVideo up to version 26.0. The endpoint aVideoEncoderChunk.json.php is unauthenticated, outside the framework, and writes POST data to permanent files in /tmp with no size limits or cleanup, enabling disk-space exhaustion and potential denial of service. Public documen...

7.5CVSS6AI score0.00605EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/23 12:0 a.m.5 views

CVE-2024-46879

A Reflected Cross-Site Scripting XSS vulnerability exists in the POST request data zipPath of tiki-adminsystem.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or...

6.2AI score0.00195EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/23 12:0 a.m.12 views

PT-2026-27193

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0 Description AVideo is an open source video platform susceptible to a SQL injection flaw. The Subscribe::save method within objects/subscribe.php directly incorporates the this-users id property into an...

7.1CVSS5.9AI score0.00224EPSS
Exploits1References8
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.5 views

CVE-2026-1935 Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion

The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the linkedincompanypostresethandler function hooked to adminpostresetlinkedincompanypost. This makes it possible for...

4.3CVSS5.8AI score0.00238EPSS
Exploits0References3
NVD
NVD
added 2026/03/20 10:16 p.m.15 views

CVE-2026-3584

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'formprocess' function. This is due to the 'preparepostdata' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of...

9.8CVSS0.07239EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/03/20 9:25 p.m.27 views

CVE-2026-3584

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'formprocess' function. This is due to the 'preparepostdata' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of...

9.8CVSS6.1AI score0.07239EPSS
Exploits2References4
Cvelist
Cvelist
added 2026/03/20 9:25 p.m.30 views

CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'formprocess' function. This is due to the 'preparepostdata' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of...

9.8CVSS0.07239EPSS
Exploits2References3
OSV
OSV
added 2026/03/20 2:59 a.m.3 views

CVE-2026-30889 Discourse has Unauthorized Post Data Exposure in discourse-user-notes

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a moderator could exploit insufficient authorization checks to access metadata of posts they should not have permission to view. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain...

5.3CVSS5.9AI score0.00278EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.9 views

PT-2026-26770

Summary The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rat...

7.5CVSS6.1AI score0.00605EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.8 views

Admidio 跨站脚本漏洞

Admidio is a set of open-source member management systems developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Versions of Admidio 5.0.6 and earlier had a cross-site scripting vulnerability. This...

5.4CVSS5.8AI score0.00227EPSS
Exploits1References2
CVE
CVE
added 2026/03/19 11:12 p.m.16 views

CVE-2026-32757

CVE-2026-32757 (Admidio) : Multiple sources detail an HTMLPurifier bypass in the eCard feature for Admidio

5.4CVSS5.8AI score0.00227EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/03/18 9:30 a.m.3 views

EUVD-2026-12788

A stack-based buffer overflow in the device's file installation workflow allows a high-privileged attacker to send oversized POST parameters that overflow a fixed-size stack buffer within an internal process, resulting in a DoS attack...

4.9CVSS6.2AI score0.00339EPSS
Exploits0References2
Rows per page
Query Builder