Lucene search
+L

1324 matches found

NVD
NVD
added 2026/02/27 8:21 p.m.9 views

CVE-2026-27836

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.18, the WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, captcha, or configuration checks. This allows unauthenticated attackers to create unlimited us...

7.5CVSS0.0041EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/02/27 12:0 a.m.13 views

phpMyFAQ 安全漏洞

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.0.18 contained security vulnerabilities. These vulnerabilities stemmed from the WebAuthn prepare endpoint, which lacked authentication and CSRF protection, allowing unverified...

7.5CVSS5.8AI score0.0041EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/24 7:40 a.m.26 views

CVE-2025-40538 SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability

A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. On...

9.1CVSS0.00496EPSS
Exploits0References2
CVE
CVE
added 2026/02/21 5:11 a.m.27 views

CVE-2026-27198

CVE-2026-27198 refers to Formwork (CMS) where versions 2.0.0–2.3.3 fail to enforce proper authorization during account creation. The issue allows an authenticated editor to create new accounts with administrative privileges by issuing roles without validating the caller’s privilege to assign such...

8.8CVSS5.6AI score0.00415EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/21 5:11 a.m.9 views

CVE-2026-27198 Formwork Improperly Manages Privileges During User Creation

Formwork is a flat file-based Content Management System CMS. In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has...

8.8CVSS5.6AI score0.00415EPSS
Exploits0References5
OSV
OSV
added 2026/02/20 11:16 p.m.6 views

CVE-2019-25448

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to...

6.4CVSS6AI score0.00251EPSS
Exploits1References3
NVD
NVD
added 2026/02/20 11:16 p.m.13 views

CVE-2019-25448

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to...

6.4CVSS0.00251EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/20 10:56 p.m.6 views

CVE-2019-25448 OrientDB 3.0.17 Stored Cross-Site Scripting via User Creation

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to...

6.4CVSS5.5AI score0.00251EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/20 10:56 p.m.28 views

CVE-2019-25448 OrientDB 3.0.17 Stored Cross-Site Scripting via User Creation

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to...

6.4CVSS0.00251EPSS
Exploits1References3
CVE
CVE
added 2026/02/20 10:56 p.m.21 views

CVE-2019-25448

OrientDB 3.0.17 is affected by a stored cross-site scripting (XSS) vulnerability. An authenticated attacker can create users with a script payload in the name parameter and post to the document endpoint to inject JavaScript that executes when other users view the application. The published data i...

6.4CVSS5.7AI score0.00251EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/20 12:0 a.m.17 views

PT-2026-21318

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to...

6.4CVSS5.7AI score0.00251EPSS
Exploits1References4
NVD
NVD
added 2026/02/07 12:15 a.m.7 views

CVE-2020-37106

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

5.3CVSS0.00181EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/06 11:14 p.m.4 views

CVE-2020-37160 SprintWork 2.3.1 - Local Privilege Escalation

SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain...

8.5CVSS5.5AI score0.00145EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/06 11:14 p.m.4 views

CVE-2020-37106

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

5.3CVSS5.2AI score0.00181EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/02/06 11:14 p.m.35 views

CVE-2020-37106 Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin)

Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with...

5.3CVSS0.00181EPSS
Exploits0References3
CVE
CVE
added 2026/02/06 11:14 p.m.16 views

CVE-2020-37106

The CVE-2020-37106 issue affects Business Live Chat Software 1.0 and is described as a cross-site request forgery (CSRF) vulnerability. A remote attacker can craft a malicious HTML form that sends a POST to the user creation endpoint with administrative access parameters to change user account ro...

5.3CVSS5.2AI score0.00181EPSS
Exploits0References3
EUVD
EUVD
added 2026/02/06 7:32 a.m.10 views

EUVD-2026-5691

A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/phpaction/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been...

6.5CVSS6.2AI score0.00254EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.10 views

PT-2026-6814

Name of the Vulnerable Software and Affected Versions Business Live Chat Software version 1.0 Description The software contains a cross-site request forgery condition that permits attackers to alter user account roles without needing to authenticate. An attacker can create a malicious HTML form t...

5.3CVSS5.3AI score0.00181EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/02/03 12:0 a.m.9 views

Maian Media Maian Support 跨站请求伪造漏洞

Maian Media Maian Support is a ticket support system provided by Maian Media Limited in the UK. Version 4.3 of Maian Media Maian Support contains a cross-site request forgeing vulnerability. This vulnerability stems from cross-site request forgeing techniques, allowing attackers to create malicio...

5.3CVSS5.7AI score0.0015EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/30 12:0 a.m.21 views

PT-2026-5485

Name of the Vulnerable Software and Affected Versions Sistem Informasi Pengumuman Kelulusan Online version 1.0 Description The application contains a cross-site request forgery condition that permits attackers to add unauthorized admin users. This is achieved by exploiting the tambahuser.php...

5.3CVSS5.1AI score0.00179EPSS
Exploits0References6
Rows per page
Query Builder