Handala Claims Israeli Radar Hack, But Evidence Shows Phone Admin Panel

An Iranian-linked hacker group called Handala claimed to have hit Israeli military targets with massive cyberattacks on Sunday,…...

Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access

Tieline IP Audio Gateway 2.6.4.8 and below is affected by a vulnerability in the web administrative interface that could allow an unauthenticated user to access a sensitive part of the system with a high privileged account. id: CVE-2021-35336 info: name: Tieline IP Audio Gateway =2.6.4.8 -...

Etherpad Lite <1.6.4 - Admin Authentication Bypass

Etherpad Lite before 1.6.4 is exploitable for admin access. id: CVE-2018-9845 info: name: Etherpad Lite 1.6.4 - Admin Authentication Bypass author: philippedelteil severity: critical description: Etherpad Lite before 1.6.4 is exploitable for admin access. impact: | An attacker can bypass the admi...

KevinLAB BEMS (Building Energy Management System) - Backdoor Account

KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highes...

Triofox - Improper Access Control

The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely...

Sidekiq < 7.0.8 - Cross-Site Scripting

An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...

strapi CMS <3.0.0-beta.17.5 - Admin Password Reset

strapi CMS before 3.0.0-beta.17.5 allows admin password resets because it mishandles password resets within packages/strapi-admin/controllers/Auth.js and packages/strapi-plugin-users-permissions/controllers/Auth.js. id: CVE-2019-18818 info: name: strapi CMS 3.0.0-beta.17.5 - Admin Password Reset...

CVE-2026-8901

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

EUVD-2026-33407

Shopper: Authorization bypass and RBAC privilege escalation in team settings...

CVE-2025-65132

alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting XSS in /public/admin/editroom.php which allows an attacker to inject and execute arbitrary JavaScript via the roomid GET parameter...

CVE-2026-36608

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP 192.168.1.1 or localhost 127.0.0.1 as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the intern...

CVE-2026-42842

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the...

CVE-2026-22707

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restrictions plugin.upload.security.allowedTypes and deniedTypes. The same restrictions were correctly...

CVE-2026-0856

Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+3230...

CVE-2026-8076

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This coul...

CVE-2026-8077

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escala...

EUVD-2026-34542

A vulnerability was identified in projectworlds Online Art Gallery Shop Project 1.0. The affected element is an unknown function of the file /admin/adminHome.php. The manipulation of the argument socialinsta leads to sql injection. The attack may be initiated remotely. The exploit is publicly...

Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Summary There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack. Details The faulty code exists in src/Core/Framework/Api/OAuth/UserRepository.php: public function getUserEntityByUserCredentials string $username,...

CVE-2026-50224 Unauthenticated IPv6 WAN Management Exposure

The web administration panel binds broadly to the public IPv6 address space on port :::8080 without default firewall limits, making internal API endpoints reachable over the WAN...

CVE-2026-50224

The web administration panel binds broadly to the public IPv6 address space on port :::8080 without default firewall limits, making internal API endpoints reachable over the WAN...