PT-2026-40894

Name of the Vulnerable Software and Affected Versions User Registration & Membership plugin for WordPress versions prior to 5.1.6 Description An issue exists where the is admin creation process function relies exclusively on the presence of the action=createuser parameter within the $ REQUEST...

chartbrew 访问控制错误漏洞

Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Version 4.9.0 of Chartbrew contains a security vulnerability related to access control. This vulnerability arises from the endpoint POST /user/invited, which does not validate any invitation tokens,...

EUVD-2026-25415

P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing users, authenticate to accounts with no password set, and access depot contents via the...

CVE-2018-25190 Easyndexer 1.0 Cross-Site Request Forgery via createuser.php

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username,...

CVE-2026-27836

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited us...

CVE-2026-27707

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...

Missing Authorization

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Missing Authorization via the WebAuthnController::prepare endpoint in the Frontend WebAuthn API component. An unauthenticated attacker can create...

CVE-2026-27836

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited us...

CVE-2026-27836

phpMyFAQ prior to v4.0.18 is vulnerable due to the WebAuthn prepare endpoint (/api/webauthn/prepare), which creates new active user accounts without authentication, CSRF protection, captcha, or config checks. This allows unauthenticated attackers to create unlimited user accounts even when regist...

EUVD-2026-9055

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...

CVE-2025-40758

A vulnerability has been identified in Mendix SAML Mendix 10.12 compatible All versions V4.0.3, Mendix SAML Mendix 10.21 compatible All versions V4.1.2, Mendix SAML Mendix 9.24 compatible All versions V3.6.21. Affected versions of the module insufficiently enforce signature validation and binding...

EUVD-2025-199617

Primakon Pi Portal 1.0.18 REST /api/v2/user/register endpoint suffers from a Broken Access Control vulnerability. The endpoint fails to implement any authorization checks, allowing unauthenticated attackers to perform POST requests to register new user accounts in the application's local database...

CVE-2025-62642

The Restaurant Brands International RBI assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account...

CVE-2025-62642

The Restaurant Brands International RBI assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account...

CVE-2025-62642

The RBI assistant platform (Restaurant Brands International) through 2025-09-06 exposes an unauthenticated account-creation API labeled “Anyone Can Join This Party,” which does not verify user account creation. This allows a remote, unauthenticated attacker to create user accounts. Connected sour...

Restaurant Brands International assistant platform 安全漏洞

Restaurant Brands International assistant platform is a restaurant back office platform from Restaurant Brands International. A security vulnerability exists in Restaurant Brands International assistant platform version 2025-09-06 and earlier, which stems from unauthenticated user account creatio...

EUVD-2025-34920

The Restaurant Brands International RBI assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account...

EUVD-2005-0704

Malware in sbrugna...

EUVD-2021-34170

Malicious code in bioql PyPI...

EUVD-2025-24824

Malicious code in bioql PyPI...