Cross-site Scripting (XSS)

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the TableBlock class attributes. A user with access to create or edit pages containing TableBlock StreamField blocks in the admin interfac...

WatchGuard Fireware OS 安全漏洞

WatchGuard Fireware OS is a software operated by the American company WatchGuard, running on Firebox devices. Vulnerabilities exist in versions 11.9 to 11.12.4Update1, 12.0 to 12.11.7, and 2025.1 to 2026.1.1 of WatchGuard Fireware OS. These vulnerabilities stem from out-of-bound writing, allowing...

CVE-2026-0654

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availabili...

CVE-2026-0654 Command injection on TP-Link Deco BE25

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availabili...

CVE-2025-50197

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sublanguageajax.inc.php via the POST newlanguage parameter. This issue has been patched in version 1.11.30...

PT-2026-22661

Improper input handling in the administration web interface on TP-Link Deco BE25 v1.0 allows crafted input to be executed as part of an OS command. An authenticated adjacent attacker may execute arbitrary commands via crafted configuration file, impacting confidentiality, integrity and availabili...

CVE-2026-26700

sourcecodester Personnel Property Equipment System v1.0 is vulnerable to SQL Injection in /ppes/admin/editemployee.php...

CVE-2026-26699

sourcecodester Personnel Property Equipment System v1.0 is vulnerable to arbitrary code execution in ip/ppes/admin/adminchangepicture.php...

CVE-2026-3262

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been...

CVE-2026-3262 go2ismail Asp.Net-Core-Inventory-Order-Management-System Administrative redirect

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been...

CVE-2026-3262

A vulnerability has been found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected is an unknown function of the component Administrative Interface. Such manipulation leads to execution after redirect. The attack may be launched remotely. The exploit has been...

CVE-2026-27516

Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior expose user passwords in plaintext within the administrative interface and HTTP responses, allowing recovery of valid credentials...

EUVD-2026-8511

A flaw has been found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/teacher-salary.php. This manipulation of the argument teacherid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published a...

CVE-2026-26351

GetSimpleCMS Community Edition CE version 3.3.16 contains a stored cross-site scripting XSS vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored without proper output encoding. While other fields ar...

CVE-2026-27512

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under...

CVE-2026-27513

Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a cross-site request forgery CSRF vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit...

CVE-2026-22568

Improper neutralization of special elements in user-supplied input within the ZIA Admin UI could allow an authenticated administrator to access or retrieve unauthorized internal information in rare conditions...

CVE-2026-26351

CVE-2026-26351 affects GetSimpleCMS Community Edition 3.3.16. A stored XSS flaw exists in the Theme to Components workflow (components.php): user input in the component "slug" field is written to XML and later rendered in the admin interface without proper sanitization, enabling persistent script...

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the adminLoad.handleLoad process. An attacker can modify the running configuration and alter server behavior by sending cross-origin requests to the local admin API when origin enforcement is not...

CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API default listen 127.0.0.1:2019 exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled enforceorigin not...