130 matches found
CVE-2026-42286 Emlog: Cross-Site Request Forgery in Admin Functions
Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This...
CVE-2026-42286
The CVE-2026-42286 entry concerns Emlog, an open source website building system. Affected versions prior to 2.6.11 lack CSRF protection in critical admin functions, enabling an attacker to coerce authenticated admins into actions such as system registration, plugin management, and configuration c...
DEBIAN-CVE-2026-41176
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...
CVE-2026-40041
CVE-2026-40041 affects Pachno 1.0.6 and describes a cross-site request forgery (CSRF) vulnerability arising from missing CSRF protections on state-changing endpoints. Attackers can craft requests that execute actions in an authenticated user context via attacker-controlled sites, targeting login,...
CVE-2026-40041
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...
EUVD-2026-12643
IBM Planning Analytics Local 2.1.0 through 2.1.17 could allow an unauthorized access to sensitive application data and administrative functionalities due to lack of proper access controls...
CVE-2026-22207 OpenViking Missing root_api_key Allows Anonymous ROOT Access
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers ...
CVE-2026-1364
CVE-2026-1364 affects IAQS and I6 developed by JNC, with a Missing Authentication vulnerability that allows unauthenticated remote attackers to directly operate system administrative functionalities. The issue is labeled as CRITICAL (CVSS v4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/I:H/A:H; base score 9...
PT-2026-4343
Name of the Vulnerable Software and Affected Versions: IAQS and I6 (affected versions not specified). Description: A missing authentication issue exists in IAQS and I6 developed by JNC. This allows unauthenticated remote attackers to directly operate system administrative functionalities...
CVE-2024-34240
QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) resulting in arbitrary code execution in admin functions related to adding or updating records...
CVE-2025-13990
CVE-2025-13990 concerns the Mamurjor Employee Info WordPress plugin. The vulnerability is a Cross-Site Request Forgery (CSRF) in all versions up to 1.0.0, caused by missing nonce validation on multiple admin actions. This allows unauthenticated attackers to forge requests that create, update, or delete e...
WordPress plugin Mamurjor Employee Info cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blogging sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site reque...
CVE-2025-52692
Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials...
EUVD-2025-204429
Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials...
Linksys E9450-SG security vulnerability
The Linksys E9450-SG is a WiFi router from Linksys USA. A security vulnerability exists in the Linksys E9450-SG that originates from a local network attacker being able to send a specially crafted URL to access certain administrative functions without requiring login credentials...
PT-2025-52402
Name of the Vulnerable Software and Affected Versions: versions prior to 2025-52692. Description: Exploitation of this issue could allow an attacker with local network access to access certain administration functions without login credentials by sending a specially crafted URL. Recommendations: At t...
CVE-2025-64055
An issue was discovered in Fanvil x210 V2 2.12.20 allowing unauthenticated attackers on the local network to access administrative functions of the device e.g. file upload, firmware update, reboot... via a crafted authentication bypass...
PT-2025-48998
Name of the Vulnerable Software and Affected Versions: Fanvil x210 V2 version 2.12.20. Description: An issue exists in Fanvil x210 V2 version 2.12.20 that allows unauthenticated attackers on the local network to access administrative functions of the device. These functions include file upload,...
CVE-2025-64055
CVE-2025-64055 affects Fanvil x210 V2 (firmware 2.12.20). The issue is an unauthenticated authentication bypass on the local network that enables access to administrative functions such as file upload, firmware update, and reboot. The root cause is a crafted bypass that bypasses authentication, g...