EUVD-2026-30599
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...
PT-2026-41364
phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission that fails to terminate execution after sending a forbidden response. Attackers can access all permission-protected admin pages by requesting their URLs as authenticated...
CVE-2026-3718 ManageWP Worker <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header
The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. This is due to insufficient input sanitization and output escaping of attacker-controlled header values. This makes it...
Incorrect Authorization
Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP with MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Incorrect Authorization in the userHasPermission process. An attacker can gain unauthorized access to sensitive administrative data by sending requests ...
EUVD-2026-9791
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...
CVE-2026-30777
EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...
CVE-2019-25235 Smartwares HOME easy 1.0.9 Client-Side Authentication Bypass via Web Pages
Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Because the access check runs only in the browser, attackers can navigate directly to multiple administrative endpoints, bypass the client-side validation, and access sensitive system...
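The phpMyFAQ entries above (a permission check that emits a forbidden response but does not stop execution) and the Smartwares HOME easy entry (a check that exists only as JavaScript in the page) are two shapes of the same failure: the server still renders the protected page. The following is an added example, not code from phpMyFAQ, Smartwares, or any other project listed here; the Response, User and UserAdminController classes, the permission name and the page content are all hypothetical, constructed to make the behaviour visible from the command line.

```php
<?php
declare(strict_types=1);
// Added example, not code from phpMyFAQ or Smartwares. It models two ways an
// "authorization check" can fail to stop the response: (1) the check emits a
// 403 but execution continues (the phpMyFAQ entries above), and (2) the only
// check is a client-side script, so the server sends the admin page to anyone
// (the Smartwares entry above). Class, method and permission names are
// hypothetical. Run with: php authz_gate.php   (PHP 8.0+)

final class Response
{
    public int $status = 200;
    public string $body = '';
}

final class User
{
    /** @param string[] $permissions */
    public function __construct(public string $name, private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class AccessDeniedException extends RuntimeException {}

abstract class AbstractAdministrationController
{
    public function __construct(protected User $user, protected Response $response) {}

    // (1) VULNERABLE: writes the forbidden response and returns to the caller,
    // which has no signal that the check failed and keeps rendering.
    protected function userHasPermissionNoExit(string $permission): void
    {
        if (!$this->user->can($permission)) {
            $this->response->status = 403;
            $this->response->body .= "Forbidden\n";
            // missing: exit / return false / throw
        }
    }

    // FIXED: refusal is an exception, so no code after the call can run.
    protected function userHasPermission(string $permission): void
    {
        if (!$this->user->can($permission)) {
            throw new AccessDeniedException("missing permission: $permission");
        }
    }
}

final class UserAdminController extends AbstractAdministrationController
{
    private const PAGE = "<h1>Users</h1><ul><li>alice (admin)</li><li>bob</li></ul>\n";

    public function listUsersNoExit(): Response
    {
        $this->userHasPermissionNoExit('user:list');
        $this->response->body .= self::PAGE;   // reached even after the 403 was written
        return $this->response;
    }

    // (2) VULNERABLE: the "check" is JavaScript in the page. A client that
    // disables scripts, or fetches with curl, simply reads the admin content.
    public function listUsersClientSide(): Response
    {
        $this->response->body .= "<script>if(!document.cookie.includes('admin=1'))location.href='/login';</script>\n";
        $this->response->body .= self::PAGE;
        return $this->response;
    }

    public function listUsers(): Response
    {
        $this->userHasPermission('user:list'); // throws for unauthorised users
        $this->response->body .= self::PAGE;
        return $this->response;
    }
}

// Front controller: converts the exception into a clean 403 with no page body.
function dispatch(User $user, string $action): Response
{
    $controller = new UserAdminController($user, new Response());
    try {
        return $controller->$action();
    } catch (AccessDeniedException $e) {
        $denied = new Response();
        $denied->status = 403;
        $denied->body = "Forbidden\n";
        return $denied;
    }
}

// Constructed sample: an authenticated user who holds no admin permission.
$lowPriv = new User('carol', []);
foreach (['listUsersNoExit', 'listUsersClientSide', 'listUsers'] as $action) {
    $r = dispatch($lowPriv, $action);
    $verdict = str_contains($r->body, '<h1>Users</h1>') ? 'admin page LEAKED' : 'blocked';
    printf("%-20s status=%d bytes=%3d %s\n", $action, $r->status, strlen($r->body), $verdict);
}
```

Two practical checks follow from the output. For shape (1), a 403 response whose body is as long as the authorised 200 (or that contains the page's own markup) is the signature to look for, both in a black-box test and in access logs; in code review, grep for the forbidden/403 helper and confirm every call site is followed by exit, return or throw. For shape (2), request each administrative URL with a non-browser client such as curl and no session at all; anything other than a redirect or an error is the finding.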
EUVD-2020-7401
Malware in sbrugna...
EUVD-2008-1269
Malware in sbrugna...
PT-2025-3800 · Unknown · Code-Projects Responsive Hotel Site
Name of the Vulnerable Software and Affected Versions: code-projects Responsive Hotel Site version 1.0 Description: A critical vulnerability was found in the code-projects Responsive Hotel Site. The issue affects an unknown function of the file /admin/print.php. Manipulation of the pid argument...
CVE-2024-3437
A vulnerability was found in SourceCodester Prison Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /Admin/add-admin.php of the component Avatar Handler. The manipulation of the argument avatar leads to unrestricted upload. The attack ma...
PT-2023-22771 · Kiwi Tcms · Kiwi Tcms
Name of the Vulnerable Software and Affected Versions: Kiwi TCMS versions prior to 12.2 Description: Kiwi TCMS is an open source test management system. In versions prior to 12.2, users were able to update their email addresses via the My profile admin page without the ownership verification...
PT-2023-16046 · WordPress · All-In-One Security
Name of the Vulnerable Software and Affected Versions: All-In-One Security AIOS WordPress plugin versions prior to 5.1.5 Description: The issue allows an authorized user with admin+ privileges to plant bogus log files containing malicious JavaScript code. This code will be executed in the context...
Duplicate Page or Post < 1.5.1 - Arbitrary Settings Update to Stored XSS
The plugin performs no authorisation check and has a flawed CSRF check in the wpdevartduplicatepostparametrssaveindb AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, or to perform the same attack via CSRF. Furthermore, due to the lack of...
PT-2020-17397 · Phplist · Phplist
Name of the Vulnerable Software and Affected Versions: phpList version 3.5.9 Description: The issue allows SQL injection by admins who provide a crafted fourth line of a file to the "Config - Import Administrators" page. Recommendations: For phpList version 3.5.9, consider restricting access to t...
CVE-2020-20183
Insecure direct object reference vulnerability in Zyxel’s P1302-T10 v3 with firmware version 2.00ABBX.3 and earlier allows attackers to gain privileges and access certain admin pages...
Zyxel P1302-T10 code issue vulnerability
The Zyxel P1302-T10 is a modem device from Zyxel. A security vulnerability exists in Zyxel's P1302-T10 v3 which stems from an insecure direct object reference; it can be exploited by an attacker to gain privileges and access certain administrative pages...
CVE-2020-15408
Pulse Connect Secure (PCS) before 9.1R8 is affected by CVE-2020-15408. An authenticated attacker can access the admin page console via the end-user web interface due to a rewrite. This is documented in multiple sources (NVD/NIST entry and Pulse advisory SA44516). The issue’s impact is limited to ...
OS Commerce 2.2r2 authentication bypass
Exploit for unknown platform in category web applications
=======================================
OS Commerce 2.2r2 authentication bypass
=======================================
When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a...