159 matches found
CVE-2026-47124
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users...
Mercusys AC12G 安全漏洞
The Mercusys AC12G is a Gigabit wireless router produced by the Chinese company Mercusys. The Mercusys AC12G EU V1 AC12G EU V1 version has a security vulnerability. This vulnerability arises from returning uninitialized internal buffer contents when HTTP POST requests are sent to an undefined pat...
CVE-2026-22678 Webmin < 2.641 Stored XSS via System and Server Status
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting...
CVE-2026-22678
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting...
CVE-2026-35185
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...
CVE-2026-35450 WWBN AVideo has Unauthenticated FFmpeg Remote Server Status Disclosure via check.ffmpeg.json.php
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php,...
CVE-2026-35450
CVE-2026-35450 affects WWBN AVideo (versions 26.0 and earlier). The plugin/API/check.ffmpeg.json.php endpoint exposes FFmpeg remote server configuration and connectivity status without authentication, while sibling endpoints (kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php) require admin a...
CVE-2026-35185
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...
CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...
CVE-2026-35185 HAX CMS's public /server-status endpoint exposes authentication tokens, user activity, and client IP addresses
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...
CVE-2026-35185
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...
CVE-2026-35185
Summary: CVE-2026-35185 affects HAX CMS prior to version 25.0.0, where the /server-status endpoint is publicly accessible and can disclose sensitive information without authentication. What is affected: HAX CMS with PHP or Node.js backends. Impact (as stated): Exposure of authentication tokens (u...
EUVD-2026-19469
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens usertoken, user activity, client IP addresses, and server configuration details. This allows a...
HAX 日志信息泄露漏洞
HAX is an open-source microsite managed using HAX+CMS with a PHP backend. Versions prior to HAX25.0.0 contained a vulnerability related to log information leakage. This vulnerability stemmed from the /server-status endpoint being publicly accessible, which could allow unverified users to access...
PT-2026-30720
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to 25.0.0, the /server-status endpoint is publicly accessible and exposes sensitive information including authentication tokens user token, user activity, client IP addresses, and server configuration details. This allows...
CVE-2026-22989
In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlockfilesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4revokestates acce...
PT-2026-4489
Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel’s Network File System daemon nfsd is susceptible to a server crash when attempting to unlock the filesystem through an administrative interface while nfsd is not running...
CVE-2025-12721
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /serverstatus REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the serv...
EUVD-2025-201533
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /serverstatus REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the serv...
CVE-2025-12721
The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /serverstatus REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the serv...