CVE-2025-71165 Typesetter CMS Reflected XSS via Status.php
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php...
CVE-2026-23492
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL...
EUVD-2026-2449
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL...
CVE-2026-23492 Pimcore has a Blind SQL Injection in Admin Search Find API due to an incomplete fix for CVE-2023-30848
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, an incomplete SQL injection patch in the Admin Search Find API allows an authenticated attacker to perform blind SQL injection. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL...
CVE-2025-37185
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...
CVE-2026-22238
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...
CVE-2022-50911
...
CVE-2026-0405 Authentication Bypass in NETGEAR Orbi Devices
An authentication bypass vulnerability in NETGEAR Orbi devices allows users connected to the local network to access the router web interface as an admin...
PT-2026-2387
Name of the Vulnerable Software and Affected Versions: Bitrix24 (affected versions not specified). Description: A logged-in attacker can execute arbitrary system commands through the PHP command line admin interface, leading to remote code execution. The attacker leverages this by sending crafted POST...
PT-2026-2410
Name of the Vulnerable Software and Affected Versions: Wing FTP Server versions 4.3.8 and below. Description: The software contains a remote code execution issue that allows attackers to execute arbitrary PowerShell commands. An attacker can leverage a crafted Lua script payload, base64-encoded with...
PT-2026-2312
Name of the Vulnerable Software and Affected Versions: PILOS versions prior to 4.10.0. Description: PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. A Cross-Site Request Forgery (CSRF) issue exists in an administrative API endpoint responsible for terminating all...
CVE-2025-15505
A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit...
POC-APISIX-RCE
Apache APISIX - Remote Code Execution Admin API script inject...
CVE-2026-22596 Ghost has SQL Injection in Members Activity Feed
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...
Ghost SQL Injection Vulnerability
Ghost is a hosting service of Ghost open source. An SQL injection vulnerability exists in Ghost versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, which stems from a flaw in the /ghost/api/admin/members/events endpoint that could lead to the execution of arbitrary SQL by a user who has...
CVE-2018-10032
CMS Made Simple aka CMSMS 2.2.7 has Reflected XSS in admin/moduleinterface.php via the m1version parameter...
CVE-2018-18270
XSS exists in CMS Made Simple version 2.2.7 via the m1newsurl parameter in an admin/moduleinterface.php "Content--News--Add Article" action...
CVE-2018-18626
An issue was discovered in PHPYun V4.6. There is a vulnerability that can delete any file or directory via the "admin/index.php?m=database=del" sql parameter because delaction in admin/model/database.class.php mishandles this parameter...
CVE-2021-31280
An issue was discovered in tp5cms through 2017-05-25. admin.php/system/set.html has XSS via the keywords parameter...