Lucene search
K

25 matches found

RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.14 views

CVE-2026-46363

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...

5.4CVSS5.7AI score0.00153EPSS
Exploits0References1
OSV
OSV
added 2026/05/15 9:31 p.m.10 views

GHSA-H36G-93QX-RXGR Duplicate Advisory: phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f5p7-2c9q-8896. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that...

5.4CVSS5.2AI score0.00153EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/15 9:31 p.m.16 views

Duplicate Advisory: phpMyFAQ: Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f5p7-2c9q-8896. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that...

5.4CVSS5.2AI score0.00153EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/05/15 7:17 p.m.16 views

CVE-2026-46363

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...

5.4CVSS0.00153EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/15 6:36 p.m.34 views

CVE-2026-46363 phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...

5.4CVSS0.00153EPSS
Exploits0References2
CVE
CVE
added 2026/05/15 6:36 p.m.22 views

CVE-2026-46363

CVE-2026-46363 affects phpMyFAQ prior to 4.1.2. It is a stored XSS in FAQ creation and update endpoints where sanitization is bypassed through encode–decode cycles. Exploitation requires authenticated access with the FAQ_ADD permission; an attacker can inject malicious script tags via question or...

5.4CVSS5.7AI score0.00153EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/15 6:36 p.m.9 views

CVE-2026-46363 phpMyFAQ - Stored XSS in FAQ Question/Answer via Encode-Decode Bypass

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...

5.4CVSS5.7AI score0.00153EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/15 6:36 p.m.10 views

EUVD-2026-30598

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles. The vulnerability allows authenticated attackers with FAQADD permission to inject malicious script tags via question or answer...

5.4CVSS5.7AI score0.00153EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.14 views

PT-2026-41365

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.2 Description A stored cross-site scripting issue exists in the FAQ creation and update endpoints. Authenticated attackers with FAQ ADD permission can bypass sanitization through encode-decode cycles to inject...

5.4CVSS5.7AI score0.00153EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/08 8:21 p.m.11 views

CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

8.1CVSS5.7AI score0.00371EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/05/08 2:21 a.m.9 views

SUSE CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

8.1CVSS5.7AI score0.00371EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/07 1:40 p.m.34 views

CVE-2026-41654 Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

5.3CVSS0.00371EPSS
Exploits0References6
Snyk
Snyk
added 2026/05/05 9:13 p.m.7 views

Directory Traversal

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Directory Traversal via the addpackage function. An attacker can write files outside the intended download directory by submitting specially crafted folder...

8.1CVSS6.3AI score0.00342EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 5:58 p.m.19 views

Incorrect Authorization

Overview codechecker is an analyzer tooling, defect database and viewer extension Affected versions of this package are vulnerable to Incorrect Authorization via the Authentication endpoint functions, including getAuthorisedNames, getPermissionsForUser, hasPermission, addPermission, and...

10CVSS5.8AI score0.00447EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/07 11:1 p.m.3 views

CVE-2026-35459

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery SSRF vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However,...

9.3CVSS5.9AI score0.00279EPSS
Exploits1References1
NVD
NVD
added 2026/04/06 8:16 p.m.6 views

CVE-2026-35459

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery SSRF vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download that checks the hostname of the initial download URL. However,...

9.3CVSS0.00279EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/04 6:43 a.m.4 views

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization via the storagefolder configuration option, which allows a user with SETTINGS and ADD permissions to redirect downloads to the Flask...

8.8CVSS6.3AI score0.00529EPSS
Exploits2References3
Github Security Blog
Github Security Blog
added 2026/04/04 6:43 a.m.14 views

pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)

Summary The fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...

8.8CVSS6.6AI score0.00529EPSS
Exploits2References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.6 views

PT-2026-30341

Name of the Vulnerable Software and Affected Versions pyLoad affected versions not specified Description pyLoad, a Python-based download manager, has a flaw where a user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store. This allows planting a maliciou...

8.8CVSS6.5AI score0.00529EPSS
Exploits2References14
NVD
NVD
added 2026/02/07 8:15 a.m.9 views

CVE-2026-2078

A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component...

8.8CVSS0.00262EPSS
Exploits1References6
Rows per page
Query Builder