885 matches found
CVE-2026-24318 Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued toke...
CVE-2026-24318 Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued toke...
CVE-2026-40043 Pachno 1.0.6 Authentication Bypass via runSwitchUser()
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser action that allows authenticated low-privilege users to escalate privileges by manipulating the originalusername cookie. Attackers can set the client-controlled originalusername cookie to any value and request a...
CVE-2026-40043
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser action that allows authenticated low-privilege users to escalate privileges by manipulating the originalusername cookie. Attackers can set the client-controlled originalusername cookie to any value and request a...
EUVD-2023-60559
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, typeid, distance, facilities, categories, prices, location, and Itemid. Attackers can...
EUVD-2023-60549
WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...
EUVD-2023-60557
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants...
CVE-2023-54363
Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, typeid, distance, facilities, categories, prices, location, and Itemid. Attackers can...
CVE-2023-54362
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants...
CVE-2023-54364
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the fromoption, fromctrl,...
CVE-2023-54364
Joomla HikaShop 4.7.4 is affected by a reflected XSS vulnerability in the product filter endpoint. The issue allows unauthenticated attackers to inject scripts via GET parameters (from_option, from_ctrl, from_task, from_itemid). Victims visiting a crafted link can have scripts executed, with pote...
CVE-2023-54362 Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants...
CVE-2023-54361 Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filterkeyword parameter. Attackers can craft URLs containing JavaScript payloads in the filterkeyword GET parameter of the...
CVE-2023-54362
Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants...
CVE-2023-54361
Joomla iProperty Real Estate 4.1.1 is affected by a reflected XSS in the filter_keyword parameter of the all-properties-with-map endpoint. The vulnerability allows an attacker to inject JavaScript payloads via a crafted URL, potentially executing code in a victim’s browser and compromising sessio...
PT-2026-31731
Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from option, from ctrl,...
PT-2026-31728
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter keyword GET parameter of the...
parisneo/lollms has an insufficient session expiration vulnerability
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
Devolutions Server 安全漏洞
Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server prior to 2026.1.11 contained a security vulnerability. This vulnerability stemmed from...
CVE-2026-33755
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.158, 25.0.92, and 26.0.17, an authenticated SQL Injection vulnerability in the JMAP Contact/query endpoint allows any authenticated user with basic addressbook access to extract arbitrary data...