EUVD-2021-34830

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Attackers can submit POST requests to the jslmfieldordering page with XSS payloads in the fieldtitle field to execute...

EUVD-2026-30371

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can...

CVE-2026-44403

Wing FTP Server 8.1.2 is affected: an authenticated remote code execution due to unsafe session serialization that injects Lua via the domain admin mydirectory field, leading to code execution when a poisoned session is loaded with loadfile(). Root cause: unsafe serialization of session values in...

CVE-2026-42562 Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/id. The endpoint directly persists the admin attribute from user input, and the escalated accou...

CVE-2026-42562 Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/id. The endpoint directly persists the admin attribute from user input, and the escalated accou...

CVE-2026-40349

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending isAdmin=true to PUT /settings/users/userId for their own user ID. The endpoint is intended to let a user ed...

GHSA-5RMX-256W-8MJ9 WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level

Privilege Escalation to Admin via User Self-Update in wg-portal Summary Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. After logging out and back in, the session picks up...

EUVD-2021-26686

Malware in sbrugna...

EUVD-2008-5776

Malware in sbrugna...

CVE-2025-10758

A security vulnerability has been detected in htmly up to 3.1.0. The impacted element is an unknown function of the file /htmly/admin/field/post of the component Custom Field Handler. Such manipulation of the argument label leads to cross site scripting. The attack can be launched remotely. The...

Linux Distros Unpatched Vulnerability : CVE-2019-12308

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the...

Joplin 安全漏洞

Joplin is an open source note-taking and to-do list application by Laurent Cozic, an individual developer. A security vulnerability exists in Joplin versions prior to 3.3.3, which stems from an API endpoint that can be exploited by a non-administrative user to set the isadmin field, potentially...

CVE-2024-6632

A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack which can lead to a loss of confidentiality, integrity, and availability...

PT-2024-37761 · Unknown · Filecatalyst Workflow

Name of the Vulnerable Software and Affected Versions: FileCatalyst Workflow versions 5.1.6 and earlier Description: A vulnerability exists in FileCatalyst Workflow whereby a field accessible to the super admin can be used to perform an SQL injection attack, which can lead to a loss of...

USN-6946-1 python-django vulnerabilities

It was discovered that Django incorrectly handled certain strings in floatformat function. An attacker could possibly use this issue to cause a memory exhaustion. CVE-2024-41989 It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause...

SUSE CVE-2019-12308

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...

Cross site scripting

XSS exists in Lavalite CMS 5.7 via the admin/profile name or designation field...

ALPINE-CVE-2019-12308

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...

DEBIAN-CVE-2019-12308

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...

PYSEC-2019-79

An issue was discovered in Django 1.11 before 1.11.21, 2.1 before 2.1.9, and 2.2 before 2.2.2. The clickable Current URL value displayed by the AdminURLFieldWidget displays the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provid...