
395 matches found

CVE
added 2026/05/11 12:0 a.m. | 15 views

CVE-2026-8255

CVE-2026-8255 affects Devs Palace ERP Online up to version 4.0.0, impacting an unknown portion of the file /inventory/add_new_customer. The vulnerability enables cross-site scripting (XSS) through a manipulation of that endpoint, with remote attack capability. The exploitation possibility is supp...

CVSS 4.8 | AI score 4.2 | EPSS 0.00202
Exploits: 0 | References: 4
CNNVD
added 2026/05/11 12:0 a.m. | 5 views

Devs Palace ERP Online Cross-Site Scripting Vulnerability

Devs Palace ERP Online is a cloud-based enterprise resource planning and business management system developed by Devs Palace. Versions of Devs Palace ERP Online 4.0.0 and earlier contained a cross-site scripting vulnerability. This vulnerability originated from an unknown portion of the...

CVSS 4.8 | AI score 5.6 | EPSS 0.00202
Exploits: 0 | References: 1
Cvelist
added 2026/04/21 10:12 p.m. | 32 views

CVE-2026-40926 WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

CVSS 7.1 | EPSS 0.00166
Exploits: 1 | References: 2
Snyk
added 2026/04/14 11:12 p.m. | 3 views

Cross-site Request Forgery (CSRF)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the handling of certain admin JSON endpoints, specifically categoryAddNew.json.php, categoryDelete.json.php, and...

CVSS 7.1 | AI score 6 | EPSS 0.00166
Exploits: 1 | References: 2
Packet Storm
added 2026/03/04 12:0 a.m. | 131 views

📄 WordPress Real Estate 7 3.5.2 Privilege Escalation

This Metasploit auxiliary scanner module targets a privilege escalation vulnerability in WordPress Real Estate 7 plugin version 3.5.2. The flaw allows unauthenticated attackers to register a new user account with administrator privileges by abusing the ctaddnewmember AJAX action...

AI score 5.9
Exploits: 0
GithubExploit
added 2026/03/03 11:18 a.m. | 135 views

Exploit for CVE-2025-39459

📄 Nuclei Template for CVE-2025-39459 🚀 Overview This repo...

CVSS 7.3 | AI score 7 | EPSS 0.00338
Exploits: 3
OSV
added 2026/01/27 5:16 p.m. | 2 views

CVE-2025-69564

code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirmpassword, Role, Branch, and Activate parameters...

CVSS 9.8 | AI score 5.9 | EPSS 0.00402
Exploits: 1 | References: 2
Vulnrichment
added 2026/01/27 12:0 a.m. | 4 views

CVE-2025-69564

code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirmpassword, Role, Branch, and Activate parameters...

AI score 5.9 | EPSS 0.00402
Exploits: 1 | References: 2
ATTACKERKB
added 2026/01/27 12:0 a.m. | 3 views

CVE-2025-69564

code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirmpassword, Role, Branch, and Activate parameters...

AI score 5.9 | EPSS 0.00402
Exploits: 1 | References: 3
CVE
added 2026/01/27 12:0 a.m. | 10 views

CVE-2025-69564

The CVE-2025-69564 entry affects code-projects Mobile Shop Management System 1.0, with a SQL Injection vulnerability in /ExAddNewUser.php. The issue stems from unsafely handling input parameters Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate, enabling poten...

CVSS 9.8 | AI score 5.9 | EPSS 0.00402
Exploits: 1 | References: 2 | Affected Software: 1
RedhatCVE
added 2026/01/07 9:32 a.m. | 4 views

CVE-2019-16334

In Bludit v3.9.2, there is a persistent XSS vulnerability in the Categories - Add New Category - Name field. NOTE: this may overlap CVE-2017-16636...

CVSS 5.4 | AI score 5.9 | EPSS 0.00677
Exploits: 4 | References: 1
NVD
added 2025/12/30 1:16 p.m. | 5 views

CVE-2023-54185

In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG_ON's in add_new_free_space. At add_new_free_space we have these BUG_ON's that are there to deal with any failure to add free space to the in memory free space cache. Such failures are mostly -ENOMEM that should be very...

EPSS 0.00166
Exploits: 0 | References: 3
Positive Technologies
added 2025/12/28 12:0 a.m. | 3 views

PT-2025-53664

Name of the Vulnerable Software and Affected Versions: rawchen ecms, affected versions not specified. Description: A cross site scripting issue exists in rawchen ecms. The updateProductServlet function within the src/servlet/product/updateProductServlet.java file, specifically related to the Add New...

CVSS 4.8 | AI score 5.6 | EPSS 0.00206
Exploits: 0 | References: 9
Vulnrichment
added 2025/12/24 7:27 p.m. | 3 views

CVE-2018-25149 Microhard Systems IPn4G 1.1.0 Cross-Site Request Forgery via Web Interface

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated...

CVSS 6.5 | AI score 5.8 | EPSS 0.00194
Exploits: 2 | References: 3
Cvelist
added 2025/12/24 7:27 p.m. | 28 views

CVE-2018-25149 Microhard Systems IPn4G 1.1.0 Cross-Site Request Forgery via Web Interface

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated...

CVSS 6.5 | EPSS 0.00194
Exploits: 2 | References: 3
EUVD
added 2025/12/05 4:29 a.m. | 3 views

EUVD-2025-201338

The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags an...

CVSS 5.3 | AI score 5.1 | EPSS 0.00227
Exploits: 0 | References: 4
Cvelist
added 2025/12/05 4:29 a.m. | 21 views

CVE-2025-13312 CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action

The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags an...

CVSS 5.3 | EPSS 0.00227
Exploits: 0 | References: 3
Positive Technologies
added 2025/12/05 12:0 a.m. | 2 views

PT-2025-49191

The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags...

CVSS 5.3 | AI score 5.5 | EPSS 0.00227
Exploits: 0 | References: 4
CNNVD
added 2025/12/02 12:0 a.m. | 2 views

SourceCodester Student Grades Management System Security Vulnerability

SourceCodester Student Grades Management System is a SourceCodester open source student grades management system. A security vulnerability exists in Sourcecodester Student Grades Management System v1.0, which originates from a cross-site scripting attack on the Add New Subject Description field...

CVSS 5.4 | AI score 6.1 | EPSS 0.00165
Exploits: 1 | References: 3
CVE
added 2025/12/02 12:0 a.m. | 7 views

CVE-2025-64070

CVE-2025-64070 affects Sourcecodester Student Grades Management System v1.0. It describes a Cross Site Scripting (XSS) vulnerability in the Add New Subject Description field. The CVSSv3.1 base score is 5.4 (MEDIUM) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Exploitation details in public re...

CVSS 5.4 | AI score 5.8 | EPSS 0.00165
Exploits: 1 | References: 2 | Affected Software: 1