Lucene search
K

2733 matches found

Vulnrichment
Vulnrichment
added 2026/05/07 2:59 a.m.7 views

CVE-2026-41660 Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...

7.1CVSS5.7AI score0.00297EPSS
Exploits0References2
NVD
NVD
added 2026/05/06 7:16 p.m.7 views

CVE-2026-41936

Vvveb before version 1.0.8.2 contains an XML external entity XXE injection vulnerability in the admin Tools/Import feature that allows authenticated siteadmin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to...

8.6CVSS0.00271EPSS
Exploits0References4
NVD
NVD
added 2026/05/06 7:16 p.m.9 views

CVE-2026-34474

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling...

7.5CVSS0.24681EPSS
Exploits3References3
Vulnrichment
Vulnrichment
added 2026/05/06 6:27 p.m.9 views

CVE-2026-41936 Vvveb < 1.0.8.2 XML External Entity Injection via Import

Vvveb before version 1.0.8.2 contains an XML external entity XXE injection vulnerability in the admin Tools/Import feature that allows authenticated siteadmin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to...

8.6CVSS5.9AI score0.00271EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/06 12:0 a.m.9 views

CVE-2026-34474

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling...

5.8AI score0.24681EPSS
Exploits3References2
Cvelist
Cvelist
added 2026/05/06 12:0 a.m.33 views

CVE-2026-34474

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling...

0.24681EPSS
Exploits3References2
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.11 views

PT-2026-38218

Name of the Vulnerable Software and Affected Versions ZTE ZXHN H298A version 1.1 ZTE H108N version 2.6 Description A crafted request to the router web interface can cause sensitive data exposure. This issue may leak device and account information, including the administrator password and WLAN...

7.5CVSS5.8AI score0.24681EPSS
Exploits3References8
ATTACKERKB
ATTACKERKB
added 2026/05/06 12:0 a.m.8 views

CVE-2026-34474

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling...

5.8AI score0.24681EPSS
Exploits3References3
CVE
CVE
added 2026/05/06 12:0 a.m.26 views

CVE-2026-34474

CVE-2026-34474 affects ZTE ZXHN H298A (1.1) and H108N (2.6) routers. A crafted request to the device’s web interface can cause a sensitive-data exposure, potentially returning the administrator password and WLAN PSK, which could enable authentication bypass and wireless/network compromise. Some f...

7.5CVSS5.8AI score0.24681EPSS
Exploits3References3
OSV
OSV
added 2026/05/05 9:26 p.m.8 views

GHSA-3F29-PQWF-V4J4 Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...

6.5CVSS5.8AI score0.0029EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/05 9:26 p.m.11 views

Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...

6.5CVSS5.8AI score0.0029EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.17 views

PT-2026-37240

Name of the Vulnerable Software and Affected Versions Pi-hole FTL versions prior to 6.6.1 Description The dns.interface configuration field in Pi-hole FTL accepts newline characters without validation, which allows an attacker to inject arbitrary directives into the generated dnsmasq configuratio...

8.8CVSS6AI score0.00956EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.17 views

PT-2026-37276

Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A low-privileged user, such as a Content Editor with pages.update permissions, can bypass Twig sandbox restrictions by utilizing the grav'accounts' service. This allows an attacker to...

6.5CVSS5.8AI score0.0029EPSS
Exploits1References5
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.11 views

VulnCheck KEV: CVE-2026-33478

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

10CVSS6.3AI score0.13266EPSS
In wildExploits1References2
RedhatCVE
RedhatCVE
added 2026/04/29 8:48 p.m.5 views

CVE-2026-41460

SocialEngine versions 7.8.0 and prior contain a SQL injection vulnerability in the /activity/index/get-memberall endpoint where user-supplied input passed via the text parameter is not sanitized before being incorporated into a SQL query. An unauthenticated remote attacker can exploit this...

9.8CVSS6.4AI score0.00972EPSS
Exploits2References1
NVD
NVD
added 2026/04/27 9:16 p.m.4 views

CVE-2026-7155

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated...

10CVSS0.01766EPSS
Exploits0References5
NVD
NVD
added 2026/04/27 4:16 a.m.5 views

CVE-2026-3867

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this...

6CVSS0.0024EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/27 2:54 a.m.6 views

CVE-2026-3867

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this...

6CVSS5.4AI score0.0024EPSS
Exploits0References2Affected Software2
Cvelist
Cvelist
added 2026/04/27 2:54 a.m.32 views

CVE-2026-3867

An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this...

6CVSS0.0024EPSS
Exploits0References1
CVE
CVE
added 2026/04/27 2:54 a.m.16 views

CVE-2026-3867

CVE-2026-3867 and CVE-2026-3868 affect Moxa’s Secure Router. CVE-2026-3867: improper ownership management may allow a low-privileged authenticated user to access a configuration file containing the hashed admin password when the config is exported, exposing sensitive information (confidentiality ...

6CVSS5.4AI score0.0024EPSS
Exploits0References1
Rows per page
Query Builder