14 matches found
CVE-2026-40174
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds,...
Sensitive Information Disclosure
openmage/magento-lts is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper handling of the X-Original-Url header in certain configurations, which allows an attacker to discover the admin URL without prior knowledge of its location...
CVE-2026-25523
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1...
EUVD-2026-5330
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1...
StudentManage security vulnerability
StudentManage is a student management system by the individual developer DayCloud in China. A security vulnerability exists in StudentManage version 1.0; it stems from improper handling of the component /admin/adminStudentUrl and could lead to an SQL injection attack...
NetentSec NS-ASG security vulnerability
NetentSec NS-ASG is an application security gateway from China's NetentSec. A security vulnerability exists in NetentSec NS-ASG version 6.3; it originates from an SQL injection vulnerability in the /admin/addressinterpret.php file...
PT-2024-23648 · Netentsec · Netentsec Ns-Asg
Name of the Vulnerable Software and Affected Versions: netentsec NS-ASG version 6.3
Description: The issue is related to SQL injection, which can be exploited via the "/admin/addressinterpret.php" API endpoint. There is no information provided about the estimated number of potentially affected...
sendProRataTreasury() in NounsDAOV3Fork.sol can cause reverts in functions where it is called.
Lines of code / Vulnerability details / Impact: sendProRataTreasury calls timelock.sendEth to send ETH; timelock is a NounsDAOExecutorV2 contract. NounsDAOExecutorV2.sendEth only allows calls from the address set as admin in the NounsDAOExecutorV2 contract. The NounsDAOV3Fork library is used in...
Admin user has an absolute power to withdraw all contract balance, which may raise red flags for investors
Lines of code / Vulnerability details / Impact: Having rug-pull related code is always considered a red flag for new investors. An admin, who is a single point of failure, has access to the withdraw function, which allows withdrawing the whole contract balance. Even if the owner is genuine, the rug pull...
The admin address used in initialize function, can behave maliciously
Lines of code / Vulnerability details / N.B.: This bug is different from the other one titled "Risk of losing admin access if updateAdmin set with same current admin address". Both issues are related to access control, but the impact, root cause and bug fix are different, so DO NOT mark it as dupliat...
Access Control Vulnerability in Admin Address Book
Description: An access control vulnerability allows a low-level user of the web application to view and edit information for all other users in the Admin Address Book. Proof of Concept: Step 1. Log in to the OpenEMR web application as a low-level user (e.g. Receptionist in the OpenEMR demo). Step 2. Trave...
HuCart Cross-Site Request Forgery Vulnerability
HuCart is an open source enterprise site-building system. A cross-site request forgery vulnerability exists in HuCart version 5.7.4. Remote attackers can use the /adminsys/index.php?load=admins&act=editinfo&acttype=add URL to add an arbitrary administrator account and exploit the vulnerability...
DEBIAN-CVE-2013-4249
Cross-site scripting (XSS) vulnerability in the AdminURLFieldWidget widget in contrib/admin/widgets.py in Django 1.5.x before 1.5.2 and 1.6.x before 1.6 beta 2 allows remote attackers to inject arbitrary web script or HTML via a URLField...
Ants classified information systems injection vulnerability-vulnerability warning-the black bar safety net
BY: madmen Ants classified information systems injection vulnerability Keywords: inurl:info. php? catid=1 5 4 Injection point: info. php? catid=1 5 4&areaid=&posttime=0 Background address:/admin! !...