EUVD-2026-34275

T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account...

CVE-2026-35905

T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account...

PT-2026-46241

T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account...

CVE-2026-35905

T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account...

CVE-2026-35905

CVE-2026-35905 affects T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03, where a hardcoded root password exists for the superadmin account. The CIRCL sighting notes a published proof-of-concept, indicating exploitability evidence in the wild; no patch or remediation det...

CVE-2026-35905

T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account...

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

PT-2026-43465

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 16.10.17 XWiki versions prior to 17.4.9 XWiki versions prior to 17.10.3 XWiki versions prior to 18.0.0RC1 Description A path traversal issue allows an attacker to write arbitrary files, which could lead to overriding...

phpMyFAQ: IDOR Account Takeover

Summary An Insecure Direct Object Reference IDOR vulnerability in phpMyFAQ's Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts userId=1, without authorization verification. An attacker with a low-privilege admin account can...

Exploit for CVE-2025-15602

CVE-2025-15602-PoC CVE-2025-15602-PoC is a proof of concept f...

EUVD-2026-21384

CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the fklevelslist parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass...

CVE-2026-29002

CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the fklevelslist parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass...

CVE-2026-29002

CouchCMS has a privilege escalation flaw where authenticated Admin users can create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. The issue is triggered when the parameter value is changed from 4 to 10 in the HTTP request body, bypassing authorizat...

CVE-2026-29002 CouchCMS Privilege Escalation via f_k_levels_list Parameter

CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the fklevelslist parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass...

PT-2026-31926

CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f k levels list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass...

CVE-2026-23480

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

CVE-2026-23487

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4...

CVE-2026-31836

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any...

CVE-2026-27602

Modoboa contains an OS command injection vulnerability (CWE-like) due to exec_cmd paths using subprocess with shell=True and unsanitized domain/input values. In modoboa/lib/sysutils.py and related sinks (DKIM domain handling, mailbox rename, sa-learn, doveadm, rrdtool, webmail operations), domain...