22 matches found

NVD
added 2 days ago · 7 views

CVE-2026-9175

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the getsingleaccount REST API callback being registered with a permissioncallback that unconditionally returns tru...

CVSS 5.3 · EPSS 0.00348
Exploits: 0 · References: 3

EUVD
added 2 days ago · 7 views

EUVD-2026-38677

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the deletesingleaccount function in versions up to, and including, 1.2.0. The REST route...

CVSS 5.3 · AI score 6 · EPSS 0.00227
Exploits: 0 · References: 3

EUVD
added 2 days ago · 7 views

EUVD-2026-38659

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the getsingleaccount REST API callback being registered with a permissioncallback that unconditionally returns tru...

CVSS 5.3 · AI score 6 · EPSS 0.00348
Exploits: 0 · References: 3

Cvelist
added 2 days ago · 30 views

CVE-2026-9175 Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'id' Parameter

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the getsingleaccount REST API callback being registered with a permissioncallback that unconditionally returns tru...

CVSS 5.3 · EPSS 0.00348
Exploits: 0 · References: 3

RedhatCVE
added 2026/05/11 8:26 p.m. · 10 views

CVE-2021-47953

OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and...

CVSS 5.3 · AI score 5.7 · EPSS 0.00126
Exploits: 0 · References: 1

CVE
added 2026/05/10 12:52 p.m. · 10 views

CVE-2021-47953

OpenCart 3.0.3.7 is affected by a cross-site request forgery (CSRF) vulnerability in the account/password endpoint. An attacker can lure an authenticated user into submitting a hidden form with new password values (password and confirm), enabling account takeover. The vulnerability is documented ...

CVSS 5.3 · AI score 5.7 · EPSS 0.00126
Exploits: 0 · References: 2

NVD
added 2026/04/30 3:16 p.m. · 4 views

CVE-2026-7500

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVSS 5.4 · EPSS 0.00223
Exploits: 0 · References: 6

NVD
added 2026/04/08 8:16 p.m. · 2 views

CVE-2026-35476

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

CVSS 7.2 · EPSS 0.00145
Exploits: 0 · References: 2

Positive Technologies
added 2026/04/08 12:00 a.m. · 5 views

PT-2026-31433

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

CVSS 7.2 · AI score 6 · EPSS 0.00145
Exploits: 0 · References: 3

OSV
added 2026/01/10 1:07 a.m. · 5 views

CVE-2026-22604 OpenProject is vulnerable to user enumeration via the change password function

OpenProject is an open-source, web-based project management software. For OpenProject versions from 11.2.1 to before 16.6.2, when sending a POST request to the /account/changepassword endpoint with an arbitrary User ID as the passwordchangeuserid parameter, the resulting error page would show the...

CVSS 6.9 · AI score 6.8 · EPSS 0.00254
Exploits: 0 · References: 6

NVD
added 2026/01/02 5:16 p.m. · 6 views

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVSS 8.5 · EPSS 0.00214
Exploits: 1 · References: 1

CNNVD
added 2026/01/02 12:00 a.m. · 3 views

Plex Media Server security vulnerability

Plex media server is a media player from Plex. A security vulnerability exists in Plex Media Server version 1.42.2.10156 and earlier, which stems from a permanent access token that can be retrieved via a transient access token call to /myplex/account, which could lead to an access token disclosur...

CVSS 8.5 · AI score 6.5 · EPSS 0.00214
Exploits: 1 · References: 2

CNNVD
added 2025/08/29 12:00 a.m. · 4 views

Code-Projects Simple Grading System security vulnerability

Simple Grading System is a simple grading system. Simple Grading System suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered SQL statements in the parameter ID in the file /deleteaccount.php. An attacker can exploit this vulnerability to execute...

CVSS 8.8 · AI score 8.1 · EPSS 0.00351
Exploits: 1 · References: 7

NVD
added 2025/07/25 1:15 p.m. · 5 views

CVE-2025-43712

JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLEUSER. By manipulating the authorities...

CVSS 8 · EPSS 0.00244
Exploits: 0 · References: 4

RedhatCVE
added 2025/05/23 8:58 a.m. · 3 views

CVE-2024-7749

A vulnerability, which was classified as problematic, was found in SourceCodester Accounts Manager App 1.0. Affected is an unknown function of the file /endpoint/add-account.php. The manipulation of the argument accountname leads to cross site scripting. It is possible to launch the attack...

CVSS 5.4 · AI score 5.4 · EPSS 0.00469
Exploits: 1 · References: 1

CNNVD
added 2024/11/25 12:00 a.m. · 3 views

CodeAstro Hospital Management System security vulnerability

CodeAstro Hospital Management System is a hospital management system from CodeAstro, Inc. A security vulnerability exists in CodeAstro Hospital Management System version 1.0, which originates from an unrestricted file upload issue contained in the docdpic parameter of the...

CVSS 8.8 · AI score 6.6 · EPSS 0.00597
Exploits: 1 · References: 1

OSV
added 2024/08/13 10:15 p.m. · 1 view

CVE-2024-7749

A vulnerability, which was classified as problematic, was found in SourceCodester Accounts Manager App 1.0. Affected is an unknown function of the file /endpoint/add-account.php. The manipulation of the argument accountname leads to cross site scripting. It is possible to launch the attack...

CVSS 5.4 · AI score 3.8 · EPSS 0.00469
Exploits: 1 · References: 4

CNNVD
added 2024/08/13 12:00 a.m. · 2 views

SourceCodester Accounts Manager App SQL injection vulnerability

SourceCodester Accounts Manager App is a web-based application from SourceCodester, Inc. It is designed to manage online accounts efficiently and securely. A SQL injection vulnerability exists in SourceCodester Accounts Manager App version 1.0, which stems from the parameter account in the file...

CVSS 9.8 · AI score 7.1 · EPSS 0.00663
Exploits: 1 · References: 5

Positive Technologies
added 2024/08/13 12:00 a.m. · 4 views

PT-2024-38556 · Sourcecodester · Sourcecodester Accounts Manager App

Name of the Vulnerable Software and Affected Versions: SourceCodester Accounts Manager App version 1.0
Description: A critical issue has been found in the processing of the file "/endpoint/delete-account.php". The manipulation of the account argument leads to SQL injection. The attack may be...

CVSS 9.8 · AI score 7.2 · EPSS 0.00663
Exploits: 1 · References: 9

Positive Technologies
added 2024/08/13 12:00 a.m. · 3 views

PT-2024-38557 · Sourcecodester · Sourcecodester Accounts Manager App

Name of the Vulnerable Software and Affected Versions: SourceCodester Accounts Manager App version 1.0
Description: A problematic issue was found in the SourceCodester Accounts Manager App, affecting an unknown function of the file /endpoint/add-account.php. The manipulation of the account name...

CVSS 5.4 · AI score 4.3 · EPSS 0.00469
Exploits: 1 · References: 8