Lucene search
K

169 matches found

CVE
CVE
added 2026/05/06 7:40 p.m.12 views

CVE-2026-40174

Masa CMS CSRF in user address management (cUsers.updateAddress) affects versions 7.5.2 and earlier. An attacker can lure a logged-in administrator into submitting forged requests to add, modify, or delete user address records (including emails and phone numbers), potentially altering contact info...

7.1CVSS5.7AI score0.00165EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.10 views

PT-2026-38227

Name of the Vulnerable Software and Affected Versions Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 Description The cTrash.empty function fails to validate anti-CSRF Cross-Site Request Forgery tokens for tras...

7.2CVSS5.8AI score0.00165EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/10 9:32 p.m.4 views

EUVD-2025-208519

A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...

5.4CVSS5.9AI score0.00753EPSS
Exploits2References3
CVE
CVE
added 2026/03/10 12:0 a.m.10 views

CVE-2025-70128

Summary: CVE-2025-70128 describes a Stored XSS in PluXml, affecting versions up to 5.8.22, in the article comments feature. Affected component: PluXml core/admin/comments.php. Root cause: User-supplied input in the comment’s link field is not properly sanitized/validated, allowing malicious [remo...

6.1CVSS5.9AI score0.00225EPSS
Exploits1References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/20 1:22 a.m.10 views

CVE-2026-2663

A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It ...

6.5CVSS5.4AI score0.00233EPSS
Exploits0References1
NVD
NVD
added 2026/02/18 8:18 p.m.5 views

CVE-2026-2663

A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It ...

6.5CVSS0.00233EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/18 7:32 p.m.27 views

CVE-2026-2663 Alixhan xh-admin-backend Database Query query sql injection

A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It ...

6.5CVSS0.00233EPSS
Exploits0References3
CVE
CVE
added 2026/02/18 7:32 p.m.11 views

CVE-2026-2663

Summary: CVE-2026-2663 affects Alixhan xh-admin-backend v1.0–1.7.0 (unknown exact initial versions) due to vulnerable handling in the Database Query Handler for the endpoint /frontend-api/system-service/api/system/role/query, where argument manipulation enables SQL injection. This reportedly allo...

6.5CVSS5.4AI score0.00233EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/14 1:28 a.m.8 views

CVE-2025-70866

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...

8.8CVSS5.5AI score0.00446EPSS
Exploits1References1
Snyk
Snyk
added 2026/02/13 11:2 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the admin/login process. An attacker can gain unauthorized access to administrative backend functionality by leveraging insufficient role-based access control checks during authentication. This is only...

8.8CVSS5.6AI score0.00446EPSS
Exploits1References2
NVD
NVD
added 2026/02/13 10:16 p.m.4 views

CVE-2025-70866

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...

8.8CVSS0.00446EPSS
Exploits1References2
OSV
OSV
added 2026/02/13 12:0 a.m.6 views

CVE-2025-70866

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...

8.8CVSS5.6AI score0.00446EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/02/13 12:0 a.m.5 views

CVE-2025-70866

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...

5.5AI score0.00446EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/02/13 12:0 a.m.9 views

PT-2026-8034

Name of the Vulnerable Software and Affected Versions LavaLite CMS version 10.1.0 Description An authenticated user with low-level privileges User role can access the admin backend by logging in through the /admin/login endpoint. This occurs because the admin and user authentication guards share...

5.4AI score0.00446EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/02/13 12:0 a.m.4 views

CVE-2025-70866

LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...

5.6AI score0.00446EPSS
Exploits1References2
CVE
CVE
added 2026/02/13 12:0 a.m.10 views

CVE-2025-70866

CVE-2025-70866 — LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low privileges (User role) can directly access the admin backend via /admin/login because the admin and user authentication guards share the same user provider without role-based access cont...

8.8CVSS5.5AI score0.00446EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/02/07 9:15 a.m.8 views

CVE-2025-15476

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlisterdoadminajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...

4.3CVSS0.00158EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/01/16 12:0 a.m.5 views

MiracleLinux 7 : gvfs-1.36.2-3.el7 (AXSA:2019-4036:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-4036:01 advisory. gvfs: Incorrect authorization in admin backend allows privileged users to read and modify arbitrary files without prompting for password CVE-2019-3827 Tenabl...

7CVSS7AI score0.00368EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/06 12:7 p.m.11 views

CVE-2026-0589

A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be us...

7.5CVSS6.3AI score0.00505EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/01/05 12:2 p.m.32 views

CVE-2026-0589 code-projects Online Product Reservation System Administration Backend improper authentication

A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be us...

7.5CVSS0.00505EPSS
Exploits1References6
Rows per page
Query Builder