1746 matches found
CVE-2025-56082
The CVE-2025-56082 entry describes an OS Command Injection in Ruijie RG-BCR600W. Affected component: the LUCI admin controller at /usr/lib/lua/luci/controller/admin/common.lua. Root cause: unvalidated input in the check_changes function allows arbitrary command execution via a crafted POST reques...
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/realm/roles endpoint...
CVE-2025-13954
Hard-coded cryptographic keys in the Admin UI of EZCast Pro II before version 1.17478.177 allow attackers to bypass authorization checks and gain full access to the admin UI...
CVE-2025-13954
Summary: EZCast Pro II Admin UI (version 1.17478.146) exposes hard-coded cryptographic keys, allowing bypass of authorization checks and granting full admin UI access. Affected product/component: EZCast Pro II Admin UI. Root cause: hard-coded cryptographic keys in the Admin UI. Impact: unauthoriz...
EUVD-2025-202408
Hard-coded cryptographic keys in the Admin UI of EZCast Pro II version 1.17478.146 allow attackers to bypass authorization checks and gain full access to the admin UI...
PT-2025-50313
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/realm/roles endpoint...
PT-2025-50309
Name of the Vulnerable Software and Affected Versions: EZCast Pro II version 1.17478.146. Description: The Admin UI contains hard-coded cryptographic keys. This allows attackers to bypass authorization checks and gain full access to the admin UI. Recommendations: Update to a newer version that does n...
PT-2025-50221
Name of the Vulnerable Software and Affected Versions: Emby Server versions prior to 4.9.1.81. Description: Emby Server is a home media server application. Versions prior to 4.9.1.81 allow an attacker to gain full administrative access to the Emby Server. Network access is the only requirement for...
CVE-2025-14219 Campcodes Retro Basketball Shoes Online Store admin_running.php unrestricted upload
A weakness has been identified in Campcodes Retro Basketball Shoes Online Store 1.0. The impacted element is an unknown function of the file /admin/admin_running.php. Executing a manipulation of the argument productimage can lead to unrestricted upload. It is possible to launch the attack remotely...
PT-2025-49557
phpIPAM v1.7.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the database export functionality. The generate-mysql.php function, located in the /app/admin/import-export/ endpoint, allows remote attackers to trigger large database dump downloads via crafted HTTP GET requests if an...
CVE-2025-66308
This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the /admin/config/site endpoint of the Grav application. This...
EUVD-2025-200265
Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface...
GHSA-CCHQ-397M-Q2QM Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface...
Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor
Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface...
CVE-2025-65186
Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface...
EUVD-2025-200101
Grav is vulnerable to reflected Cross-Site Scripting (XSS): endpoint /admin/pages/page, parameter dataheadercontentitems, located in the "Blog Config" tab...
GHSA-H756-WH59-HHJV Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
Summary: When a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain...