68 matches found
CVE-2026-28732
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates, which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash...
CVE-2026-40973
A local attacker on the same host as the application may be able to take control of the directory used by ApplicationTemp. When server.servlet.session.persistent is set to true and the attack persists across application restarts, this may allow the attacker to read session information and hijack...
CVE-2026-3614
The CVE-2026-3614 entry concerns the AcyMailing plugin for WordPress, affected versions 9.11.0 through 10.8.1. The root cause is a missing capability check on the wp_ajax_acymailing_router AJAX handler, enabling privilege escalation from Subscriber-level (and above) to admin-level controllers, in...
curl: CVE-2026-5545: wrong reuse of HTTP Negotiate connection
Summary: An attacker sharing a libcurl multi-handle connection pool can hijack another user's Negotiate/Kerberos-authenticated connection. When User A authenticates via Negotiate SPNEGO and the connection returns to the pool, User B using CURLAUTH_ANY with different credentials gets that connectio...
CVE-2026-34245 AVideo's Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless...
CVE-2025-11702
GitLab has remediated an issue in EE affecting all versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker with specific permissions to hijack project runners from other projects...
EUVD-2014-2265
Malware in sbrugna...
EUVD-2008-3247
Malware in sbrugna...
EUVD-2020-11781
Malware in sbrugna...
CVE-2020-19880
DBHcms v1.2.0 has a stored XSS vulnerability, as there is no htmlspecialchars function for 'Name' in dbhcms\types.php. A remote unauthenticated attacker can exploit this vulnerability to hijack other users...
CVE-2023-41326 Account takeover via Kanban feature in GLPI
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. A logged-in user from any profile can hijack the Kanban feature to alter any user field, and end up with...
[SECURITY] [DLA 2661-1] jetty9 security update
Debian LTS Advisory DLA-2661-1 https://www.debian.org/lts/security/ Sylvain Beucler May 14, 2021 https://wiki.debian.org/LTS ...
Anchor CMS Stored Cross-Site Scripting Vulnerability
Anchor CMS is a content management system. Anchor CMS has a stored cross-site scripting vulnerability. An attacker can insert malicious JavaScript code into a page to obtain user cookies and other information, leading to user hijacking...
CVE-2020-19885
DBHcms v1.2.0 has a stored XSS vulnerability, as there is no htmlspecialchars function for the '$_POST['page_param_insert_name']' variable in dbhcms\mod\mod.page.edit.php line 227. A remote authenticated admin user can exploit this vulnerability to hijack other users...
Cross-site scripting
DBHcms v1.2.0 has a stored XSS vulnerability, as there is no htmlspecialchars function for the '$_POST['page_param_insert_description']' variable in dbhcms\mod\mod.page.edit.php line 227. A remote authenticated admin user can exploit this vulnerability to hijack other users...
Victor CMS 'comment_author' Cross-Site Scripting Vulnerability
Victor CMS is a PHP-based content management system (CMS). Victor CMS has a 'comment_author' cross-site scripting vulnerability. An attacker can insert malicious JavaScript code into a page to obtain user cookies and other information, leading to user hijacking...
XSS Vulnerability in WisdomTooth's Manual Online Customer Service Chat Service
Beijing Wisdom Tooth Bochuang Technology Co., Ltd. is a provider of an intelligent full-service customer service platform. A cross-site scripting vulnerability exists in WisdomTooth's manual online customer service chat. An attacker can insert malicious JavaScript code into the page to obtain user cookies and other...
Stored Cross-Site Scripting Vulnerability in HFish Honeypots
HFish is an extensible open source honeypot framework for enterprise security testing and active deception. HFish has a stored cross-site scripting vulnerability. Attackers can insert malicious JavaScript code into the page to obtain user cookies and other information, resulting in user...
XSS Vulnerability in FoosunCMS
FoosunCMS is a content management system built on ASP with an ACCESS/MSSQL back end; it is a domestic (Chinese) open source, modular site-building CMS that integrates Web 2.0 elements. FoosunCMS has a stored cross-site scripting vulnerability. Attackers can insert malicious j...