115 matches found

Github Security Blog
added 2026/01/05 6:10 p.m. · 8 views

Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI

Users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment...

CVSS 8.8 · AI score 6.8 · EPSS 0.00787
Exploits 1 · References 5 · Affected Software 1
Positive Technologies
added 2026/01/05 12:00 a.m. · 4 views

PT-2026-1345

Name of the Vulnerable Software and Affected Versions: Craft versions 5.0.0-RC1 through 5.8.20; Craft versions 4.0.0-RC1 through 4.16.16. Description: Craft is susceptible to authenticated Remote Code Execution (RCE) through a Twig Server-Side Template Injection (SSTI). Successful exploitation requires...

CVSS 7.7 · AI score 7.2 · EPSS 0.00787
Exploits 1 · References 7
CVE
added 2025/12/24 7:27 p.m. · 9 views

CVE-2019-25242

The CVE covers FaceSentry Access Control System version 6.4.8, where a cross-site request forgery (CSRF) vulnerability enables an attacker to perform administrative actions without user consent by persuading an authenticated user to load a crafted page. The vulnerability targets the web interface...

CVSS 5.1 · AI score 6.3 · EPSS 0.002
Exploits 2 · References 3 · Affected Software 1
Positive Technologies
added 2025/11/12 12:00 a.m. · 6 views

PT-2025-46769

Name of the Vulnerable Software and Affected Versions: Frappe Learning versions 2.0.0 through 2.40.9. Description: Frappe Learning is a learning system used to structure content. A flaw exists where changes to user roles made by administrators were not immediately reflected due to caching mechanisms...

CVSS 5.1 · AI score 6.3 · EPSS 0.00145
Exploits 0 · References 3
NVD
added 2025/10/14 1:15 p.m. · 5 views

CVE-2025-7330

A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link...

CVSS 7 · EPSS 0.00188
Exploits 0 · References 1
Vulnrichment
added 2025/10/14 12:43 p.m. · 2 views

CVE-2025-7330 Rockwell Automation 1783-NATR Cross-Site Request Forgery Vulnerability

A cross-site request forgery security issue exists in the product and version listed. The vulnerability stems from missing CSRF checks on the impacted form. This allows for unintended configuration modification if an attacker can convince a logged in admin to visit a crafted link...

CVSS 7 · AI score 6.2 · EPSS 0.00188
Exploits 0 · References 1
Vulnrichment
added 2025/10/09 1:48 a.m. · 2 views

CVE-2025-11166 WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having...

CVSS 5.4 · AI score 5.5 · EPSS 0.00181
Exploits 0 · References 6
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-29761

Malicious code in bioql PyPI...

CVSS 7.2 · AI score 6.6 · EPSS 0.00268
Exploits 0 · References 1
CVE
added 2025/09/17 6:52 p.m. · 10 views

CVE-2025-59416

CVE-2025-59416 affects The Scratch Channel web application. The vulnerability arises from the API’s POST handling, which can be abused by a user with fork privileges to alter administrators and publish articles without proper permission checks. This could allow arbitrary article creation and admi...

CVSS 7.2 · AI score 6.4 · EPSS 0.00268
Exploits 0 · References 1
Vulnrichment
added 2025/09/17 6:52 p.m. · 1 view

CVE-2025-59416 The Scratch Channel forks can publish articles

The Scratch Channel is a news website. If the user makes a fork, they can change the admins and make an article. Since the API uses a POST request, it will make an article. This issue is fixed in v1.2...

CVSS 7.2 · AI score 6.4 · EPSS 0.00268
Exploits 0 · References 1
CNNVD
added 2025/09/17 12:00 a.m. · 1 view

The Scratch Channel Security Vulnerability

The Scratch Channel is an open-source project site of The Scratch Channel. A security vulnerability exists in versions of The Scratch Channel prior to 1.2, which stems from the API's failure to validate user permissions when handling a POST request, which could lead to arbitrary article creation and...

CVSS 7.2 · AI score 6.6 · EPSS 0.00268
Exploits 0 · References 1
OSV
added 2025/09/16 8:47 a.m. · 2 views

BIT-MONGODB-2025-6707 Race condition in privilege cache invalidation cycle

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior ...

CVSS 5.4 · AI score 7 · EPSS 0.00143
Exploits 0 · References 2
Snyk
added 2025/08/25 8:42 p.m. · 3 views

Arbitrary Code Injection

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection via the checkArrowFunction function in src/web/twig/Extension.php. An attacker can execute arbitrary code by injecting malicious payloads into templates. Note: This i...

CVSS 8.6 · AI score 8.1 · EPSS 0.00805
Exploits 0 · References 2
Github Security Blog
added 2025/08/25 8:42 p.m. · 12 views

Craft CMS Potential Remote Code Execution via Twig SSTI

Note that users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-productio...

CVSS 8.6 · AI score 6.6 · EPSS 0.00805
Exploits 0 · References 6 · Affected Software 1
OSV
added 2025/08/25 8:42 p.m. · 1 view

GHSA-CRCQ-738G-PQVC Craft CMS Potential Remote Code Execution via Twig SSTI

Note that users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-productio...

CVSS 7.5 · AI score 6.5 · EPSS 0.00805
Exploits 0 · References 6
Vulnrichment
added 2025/08/11 6:00 a.m. · 2 views

CVE-2025-7965 CBX Restaurant Booking <= 1.2.1 - Plugin Reset via CSRF

The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

AI score 7 · EPSS 0.00139
Exploits 0 · References 1
OSV
added 2025/06/26 2:15 p.m. · 2 views

UBUNTU-CVE-2025-6707

Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior ...

CVSS 5.4 · AI score 5.8 · EPSS 0.00143
Exploits 0 · References 3
RedhatCVE
added 2025/05/22 10:42 p.m. · 6 views

CVE-2022-2912

The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged-in admin change the url value, performing unwanted crawls on third-party sites (SSRF)...

CVSS 4.3 · AI score 6.7 · EPSS 0.00547
Exploits 2 · References 1
OSV
added 2025/05/05 7:35 p.m. · 4 views

CVE-2025-46731 Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and ALLOWADMINCHANGES must be enabled for this to work...

CVSS 8.6 · AI score 7.7 · EPSS 0.01212
Exploits 0 · References 6
Positive Technologies
added 2025/05/05 12:00 a.m. · 5 views

PT-2025-19793 · Craft Cms · Craft Cms

Name of the Vulnerable Software and Affected Versions: Craft CMS versions 4.0.0-RC1 through 4.14.12; Craft CMS versions 5.0.0-RC1 through 5.6.15. Description: Craft is a content management system that contains a potential remote code execution vulnerability via Twig SSTI. This issue can be exploite...

CVSS 8.6 · AI score 8.2 · EPSS 0.01212
Exploits 0 · References 18