22 matches found
GHSA-92PP-H63X-V22M @hono/node-server: Middleware bypass via repeated slashes in serveStatic
Summary: A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-31280
Summary: A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...
PT-2026-26775
Name of the Vulnerable Software and Affected Versions: h3 versions 2.0.0-0 through 2.0.1-rc.16 Description: The mount method in h3 uses a simple startsWith check to determine if incoming requests fall under a mounted sub-application's path prefix. This check does not verify a path segment boundary,...
GHSA-F339-246P-WWJP FroshAdminer Adminer UI is accessible without admin session
Summary: Unauthenticated access to Adminer UI. Details: The Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. Note: Database access...
FroshAdminer Adminer UI is accessible without admin session
Summary: Unauthenticated access to Adminer UI. Details: The Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users. Note: Database access...
CVE-2026-25878
FroshAdminer is the Adminer plugin for Shopware Platform. Prior to 2.2.1, the Adminer route /admin/adminer was accessible without Shopware admin authentication. The route was configured with auth_required=false and performed no session validation, exposing the Adminer UI to unauthenticated users...
GHSA-G6Q3-96CP-5R5M @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
Summary: A security vulnerability exists in @fastify/express where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., /%61dmin instead of /admin). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastif...
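Added example, not code from @hono/node-server, h3 or @fastify/express: the three advisories above (repeated slashes, a startsWith mount check with no segment boundary, and percent-encoded path segments) share one root cause, an authorization check that inspects the raw request path while the static-file or sub-application handler resolves a canonicalised one. The toy route matcher, the `/admin/:file` route, `canonicalPath`, `isProtected` and the sample request paths below are all constructed for illustration and do not reproduce any of the three projects' routers.

```javascript
// Added example (not project code). Shows why a path-based authorization check
// must run on the same canonical path that the handler will actually serve.

// Class 1 (the hono and fastify advisories): middleware bound to a route
// pattern. This toy router compiles "/admin/:file" into a regex that is tested
// against the RAW request path, so "//" and "%61" never match the route.
function routeMatches(pattern, rawPath) {
  const re = new RegExp('^' + pattern.replace(/:[^/]+/g, '[^/]+') + '$');
  return re.test(rawPath);
}

// Class 2 (the h3 advisory): a mount prefix tested with plain startsWith.
// No segment boundary, so "/adminx" is treated as living under "/admin".
function prefixMatchesNaive(prefix, rawPath) {
  return rawPath.startsWith(prefix);
}

// What a static-file handler effectively serves: percent-decode once, drop
// empty and "." segments (collapses "//" and "/./"), resolve ".." without
// climbing above "/". Returns null for malformed percent-encoding.
function canonicalPath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null;
  }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Hardened check: canonicalise first, then require a segment boundary, and
// fail closed when the path cannot be decoded.
function isProtected(rawPath, prefix) {
  const p = canonicalPath(rawPath);
  if (p === null) return true;
  const base = prefix.replace(/\/+$/, '');
  return p === base || p.startsWith(base + '/');
}

// Constructed sample requests against a protected "/admin" tree.
const SAMPLE_REQUESTS = [
  '/admin/config.json',           // plain request, every check agrees
  '/admin//config.json',          // repeated slash: route middleware skips it
  '/%61dmin/config.json',         // percent-encoded "a": route and prefix skip it
  '/adminx/config.json',          // sibling tree: startsWith over-matches it
  '/public/../admin/config.json', // dot segments: only the canonical check sees it
];

// For one raw path, report what each check decides and what would be served.
// bypassesRoute is true when the served path is under /admin/ but the
// route-bound middleware never fired, which is the advisories' failure mode.
function evaluate(rawPath) {
  const served = canonicalPath(rawPath);
  const routeFires = routeMatches('/admin/:file', rawPath);
  return {
    rawPath,
    served,
    routeMiddlewareFires: routeFires,
    prefixMiddlewareFires: prefixMatchesNaive('/admin', rawPath),
    hardenedProtects: isProtected(rawPath, '/admin'),
    bypassesRoute: served !== null && served.startsWith('/admin/') && !routeFires,
  };
}

console.table(SAMPLE_REQUESTS.map(evaluate));
```

The fix the advisories point at is the one `isProtected` applies: normalise before matching, match on segment boundaries, and reject anything that cannot be decoded rather than letting it fall through to the handler. Note that `decodeURIComponent` is applied exactly once; decoding in a loop reintroduces a double-encoding bypass.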
CVE-2024-42617
Pligg CMS v2.0.2 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/admin_config.php?action=save&id=32...
CVE-2024-21515
This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login a...
PT-2024-18929 · Opencart · Opencart
Name of the Vulnerable Software and Affected Versions: opencart/opencart versions 4.0.0.0 through 4.1.0.0 Description: A reflected XSS issue was identified in the directory parameter of the admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click ...
PT-2024-18928 · Opencart · Opencart
Name of the Vulnerable Software and Affected Versions: opencart/opencart version 4.0.0.0 Description: A reflected XSS issue was identified in the filename parameter of the "admin tool/log" route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. T...
CVE-2024-0471
A vulnerability was found in code-projects Human Resource Integrated System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin_route/dec_service_credits.php. The manipulation of the argument date leads to sql injection. The attack can be initiated...
CVE-2024-0470
A vulnerability was found in code-projects Human Resource Integrated System 1.0. It has been classified as critical. This affects an unknown part of the file /admin_route/inc_service_credits.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack...
Human Resource Integrated System SQL Injection Vulnerability
Human Resource Integrated System is a human resource integration system. A SQL injection vulnerability exists in the /admin_route/inc_service_credits.php file of code-projects Human Resource Integrated System version 1.0...
Human Resource Integrated System SQL Injection Vulnerability
Human Resource Management System is a human resource management system by the individual developer maverickosama. A SQL injection vulnerability exists in the /admin_route/dec_service_credits.php file of Human Resource Integrated System version 1.0...
PT-2024-15588 · Code Projects · Code-Projects Human Resource Integrated System
Name of the Vulnerable Software and Affected Versions: code-projects Human Resource Integrated System version 1.0 Description: A critical issue has been identified, affecting the file /admin_route/dec_service_credits.php. The manipulation of the date argument leads to SQL injection. This issue ca...
PT-2022-16931 · Django +1 · Django +1
Name of the Vulnerable Software and Affected Versions: django-mfa3 versions prior to 0.5.0 Description: The issue is related to a library that implements multi-factor authentication for the Django web framework. It modifies the regular login view but does not modify the second login view for the...
Improper Access Control
librenms/librenms is vulnerable to improper access control. Plugin admin pages are not kept within the admin route and lack an admin check, which allows an attacker to perform unauthorized access...
OpenCart Catalog Traversal Vulnerability
OpenCart is an open source e-commerce system from OpenCart China. The system provides product reviews, product ratings, product additions and other modules. A security vulnerability exists in the admin\model\catalog\download.php file in OpenCart 3.0.2.0 and earlier versions. An attacker can...