169 matches found
CVE-2026-40174
Masa CMS CSRF in user address management (cUsers.updateAddress) affects versions 7.5.2 and earlier. An attacker can lure a logged-in administrator into submitting forged requests to add, modify, or delete user address records (including emails and phone numbers), potentially altering contact info...
PT-2026-38227
Name of the Vulnerable Software and Affected Versions Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 Description The cTrash.empty function fails to validate anti-CSRF Cross-Site Request Forgery tokens for tras...
EUVD-2025-208519
A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...
CVE-2025-70128
Summary: CVE-2025-70128 describes a Stored XSS in PluXml, affecting versions up to 5.8.22, in the article comments feature. Affected component: PluXml core/admin/comments.php. Root cause: User-supplied input in the comment’s link field is not properly sanitized/validated, allowing malicious [remo...
CVE-2026-2663
A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It ...
CVE-2026-2663
A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It ...
CVE-2026-2663 Alixhan xh-admin-backend Database Query query sql injection
A security vulnerability has been detected in Alixhan xh-admin-backend up to 1.7.0. This issue affects some unknown processing of the file /frontend-api/system-service/api/system/role/query of the component Database Query Handler. Such manipulation of the argument prop leads to sql injection. It ...
CVE-2026-2663
Summary: CVE-2026-2663 affects Alixhan xh-admin-backend v1.0–1.7.0 (unknown exact initial versions) due to vulnerable handling in the Database Query Handler for the endpoint /frontend-api/system-service/api/system/role/query, where argument manipulation enables SQL injection. This reportedly allo...
CVE-2025-70866
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the admin/login process. An attacker can gain unauthorized access to administrative backend functionality by leveraging insufficient role-based access control checks during authentication. This is only...
CVE-2025-70866
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...
CVE-2025-70866
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...
CVE-2025-70866
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...
PT-2026-8034
Name of the Vulnerable Software and Affected Versions LavaLite CMS version 10.1.0 Description An authenticated user with low-level privileges User role can access the admin backend by logging in through the /admin/login endpoint. This occurs because the admin and user authentication guards share...
CVE-2025-70866
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...
CVE-2025-70866
CVE-2025-70866 — LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low privileges (User role) can directly access the admin backend via /admin/login because the admin and user authentication guards share the same user provider without role-based access cont...
CVE-2025-15476
The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlisterdoadminajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...
MiracleLinux 7 : gvfs-1.36.2-3.el7 (AXSA:2019-4036:01)
The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-4036:01 advisory. gvfs: Incorrect authorization in admin backend allows privileged users to read and modify arbitrary files without prompting for password CVE-2019-3827 Tenabl...
CVE-2026-0589
A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be us...
CVE-2026-0589 code-projects Online Product Reservation System Administration Backend improper authentication
A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be us...