Lucene search
+L

236 matches found

CNNVD
CNNVD
added 2026/04/14 12:0 a.m.15 views

Chamilo LMS 安全漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained security vulnerabilities. These vulnerabilities stemmed fr...

8.8CVSS5.9AI score0.00316EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/10 6:51 p.m.19 views

CVE-2026-33706 Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student status=5 can change their status to Teacher/CourseManager status=1, gaining course creation and management...

7.1CVSS0.00168EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/10 6:51 p.m.5 views

EUVD-2026-21559

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student status=5 can change their status to Teacher/CourseManager status=1, gaining course creation and management...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References2
CVE
CVE
added 2026/04/10 6:51 p.m.15 views

CVE-2026-33706

Chamilo LMS prior to 1.11.38 contains a privilege escalation via the REST API. An authenticated user with a REST API key can modify their own status through the update_user_from_username endpoint, allowing a student (status=5) to elevate to Teacher/CourseManager (status=1) and obtain course creat...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/08 7:26 p.m.21 views

CVE-2026-35476 InvenTree Affected by Privilege Escalation via API

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

7.2CVSS0.00145EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/08 7:26 p.m.4 views

CVE-2026-35476 InvenTree Affected by Privilege Escalation via API

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

7.2CVSS6AI score0.00145EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/02 3:31 p.m.5 views

EUVD-2026-18215

A vulnerability was found in SourceCodester/mayurik Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=deleteuser of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access...

6.9CVSS6.3AI score0.00314EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/02 12:45 p.m.28 views

CVE-2026-5330 SourceCodester/mayuri_k Best Courier Management System User Delete ajax.php access control

A vulnerability was found in SourceCodester/mayurik Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=deleteuser of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access...

6.9CVSS0.00314EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/01 11:0 p.m.10 views

CVE-2026-34406

APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edituser endpoint POST /api/auth/edituser/ allows Any user who can reach that endpoint and submit...

9.4CVSS5.8AI score0.00505EPSS
Exploits1References1
CVE
CVE
added 2026/04/01 12:0 a.m.28 views

CVE-2026-29598

CVE-2026-29598 affects DDSN Interactive Acora CMS v10.7.1, with multiple stored XSS vulnerabilities in the submit_add_user.asp endpoint. The First Name and Last Name fields are injectable, allowing an attacker to have scripts/HTML executed in the context of the victim’s browser. The CVE entry spe...

5.4CVSS6AI score0.0016EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/01 12:0 a.m.11 views

DDSN Interactive Acora CMS 安全漏洞

DDSN Interactive Acora CMS is an enterprise network and mobile CMS provided by DDSN Interactive. Version 10.7.1 of DDSN Interactive Acora CMS contains a security vulnerability. This vulnerability stems from multiple stored-xss vulnerabilities present in the submitadduser.asp endpoint. It could...

5.4CVSS6.1AI score0.0016EPSS
Exploits0References3
NVD
NVD
added 2026/03/31 10:16 p.m.3 views

CVE-2026-34406

APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edituser endpoint POST /api/auth/edituser/ allows Any user who can reach that endpoint and submit...

9.4CVSS0.00505EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/31 9:18 p.m.24 views

CVE-2026-34406 APTRS: Privilege Escalation via Mass Assignment of is_superuser in User Edit Endpoint

APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edituser endpoint POST /api/auth/edituser/ allows Any user who can reach that endpoint and submit...

9.4CVSS0.00505EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/31 9:18 p.m.4 views

CVE-2026-34406

APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edituser endpoint POST /api/auth/edituser/ allows Any user who can reach that endpoint and submit...

9.4CVSS5.8AI score0.00505EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/03/31 9:18 p.m.13 views

EUVD-2026-17671

APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool designed for penetration testers and security organizations. Prior to version 2.0.1, the edituser endpoint POST /api/auth/edituser/ allows Any user who can reach that endpoint and submit...

9.4CVSS5.8AI score0.00505EPSS
Exploits1References3
CVE
CVE
added 2026/03/31 9:18 p.m.13 views

CVE-2026-34406

APTRS (Automated Penetration Testing Reporting System) is a Python/Django-based tool. Before v2.0.1, the edit_user endpoint (POST /api/auth/edituser/) lets any reachable user grant themselves or another account superuser by sending is_superuser: true. Root cause: CustomUserSerializer includes is_...

9.4CVSS5.8AI score0.00505EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.9 views

APTRS 安全漏洞

APTRS Automated Penetration Testing Reporting System is an open-source automated reporting tool based on Python and Django. It is designed specifically for penetration testers and security organizations. Versions of APTRS prior to 2.0.1 contained a security vulnerability. This vulnerability stemm...

9.4CVSS5.8AI score0.00505EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.7 views

PT-2026-29372

Name of the Vulnerable Software and Affected Versions APTRS versions prior to 2.0.1 Description APTRS Automated Penetration Testing Reporting System is a Python and Django-based automated reporting tool. A flaw exists in the edit user API endpoint '/api/auth/edituser/' where a user can elevate...

9.4CVSS5.9AI score0.00505EPSS
Exploits1References6
EUVD
EUVD
added 2026/03/27 3:30 p.m.5 views

EUVD-2026-16660

A reflected Cross-Site Scripting XSS vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user...

5.1CVSS5.9AI score0.00272EPSS
Exploits0References2
NVD
NVD
added 2026/03/27 3:17 p.m.7 views

CVE-2026-5010

A reflected Cross-Site Scripting XSS vulnerability has been discovered in Clickedu. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the endpoint “/user.php/”. This vulnerability can be exploited to steal sensitive user...

5.1CVSS0.00272EPSS
Exploits0References1
Rows per page
Query Builder