PT-2026-44189

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the handle oauth redirect function, which is registered on the admin init hook and processes Square OAuth tokens fr...

CVE-2026-42084

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid...

CVE-2025-55275

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user...

EUVD-2025-209073

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user...

MiracleLinux 3 : drupal-6.4-3AXS3 (AXBA:2008-316:03)

The remote MiracleLinux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXBA:2008-316:03 advisory. - Multiple cross-site request forgery CSRF vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions vi...

Stored XSS in Home Feed via Post Content Lead to Account Takeover

Description A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of the application. The backend fails to sanitize user-provided content in the post creation endpoint. This allows an attacker to inject and store malicious JavaScript, which is then executed in the...

CVE-2023-43183

Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows read-only users to arbitrarily change the password of an admin and hijack their account...

CVE-2025-10293

The Keyy Two Factor Authentication like Clef plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.3. This is due to the plugin not properly validating a user's identity associated with a token generated. This makes it possible f...

CVE-2025-59429

FreePBX is an open source GUI for managing Asterisk. In versions prior to 16.0.68.39 for FreePBX 16 and versions prior to 17.0.18.38 for FreePBX 17, a reflected cross-site scripting vulnerability is present on the Asterisk HTTP Status page. The Asterisk HTTP status page is exposed by FreePBX and ...

EUVD-2025-33724

ReNgine thru 2.2.0 is vulnerable to a Stored Cross-Site Scripting XSS vulnerability in the Vulnerabilities module. When scanning a target with an XSS payload, the unsanitized payload is rendered in the ReNgine web UI, resulting in arbitrary JavaScript execution in the victim's browser. This can b...

EUVD-2015-4696

Malware in sbrugna...

GHSA-7R4H-VMJ9-WG42 Flowise Stored XSS vulnerability through logs in chatbot

Description In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive...

CVE-2025-50975

The CVE-2025-50975 entry concerns IPFire 2.29, where the web-based firewall interface (firewall.cgi) does not sanitize multiple rule parameters (PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, tgt_addr). This allows an authenticated administrator to inject persistent J...

Linux Distros Unpatched Vulnerability : CVE-2015-3902

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Multiple cross-site request forgery CSRF vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1...

Linux Distros Unpatched Vulnerability : CVE-2013-7233

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cross-site request forgery CSRF vulnerability in the retrospam component in wp-admin/options- discussion.php in WordPress 2.0.11 and earlier allows remote...

Linux Distros Unpatched Vulnerability : CVE-2016-3168

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests th...

CVE-2021-20646

Cross-site request forgery CSRF vulnerability in ELECOM WRC-300FEBK-A allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via unspecified vector. As a result, the device settings may be altered and/or telnet daemon may be started...

CVE-2010-5191

Multiple cross-site request forgery CSRF vulnerabilities on the Blue Coat ProxyAV appliance before 3.2.6.1 allow remote attackers to hijack the authentication of administrators for requests that 1 change a password, 2 modify a policy, or 3 restart the device...

Netis Systems WF2220 访问控制错误漏洞

The Netis Systems WF2220 is a wireless USB network card from Netis Systems. An access control error vulnerability exists in the Netis Systems WF2220 version 1.2.31706, which originates from accessing the /cgi-bin-igd/netcoreset.cgi endpoint without authentication, which could lead to administrato...

CVE-2024-51382

Cross-Site Request Forgery CSRF vulnerability in JATOS v3.9.3 allows an attacker to reset the administrator's password. This critical security flaw can result in unauthorized access to the platform, enabling attackers to hijack admin accounts and compromise the integrity and security of the syste...