608 matches found

RedhatCVE
added 2026/03/26 3:11 p.m. | 6 views

CVE-2026-29520

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...

CVSS 6.1 | AI score 5.9 | EPSS 0.00155
Exploits 0 | References 1
RedhatCVE
added 2026/03/26 3:02 p.m. | 4 views

CVE-2026-32891

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9 | AI score 6 | EPSS 0.00164
Exploits 0 | References 1
NVD
added 2026/03/26 1:16 p.m. | 4 views

CVE-2025-55275

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user...

CVSS 8.1 | EPSS 0.00218
Exploits 0 | References 1
Vulnrichment
added 2026/03/26 12:47 p.m. | 1 view

CVE-2025-55275 HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user...

CVSS 3.7 | AI score 5.8 | EPSS 0.00218
Exploits 0 | References 1
CVE
added 2026/03/26 12:47 p.m. | 11 views

CVE-2025-55275

CVE-2025-55275 affects HCL Aftermarket DPC. The issue is an Admin Session Concurrency vulnerability that allows an attacker to hijack or impersonate an administrator via concurrent sessions. Root cause described as improper handling of admin sessions. Impact per sources indicates high confidentia...

CVSS 8.1 | AI score 5.8 | EPSS 0.00218
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/03/26 12:47 p.m. | 27 views

CVE-2025-55275 HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user...

CVSS 3.7 | EPSS 0.00218
Exploits 0 | References 1
Positive Technologies
added 2026/03/26 12:00 a.m. | 5 views

PT-2026-28300

Name of the Vulnerable Software and Affected Versions HCL Aftermarket DPC affected versions not specified Description An attacker can exploit concurrent sessions to hijack or impersonate an admin user. The issue involves Admin Session Concurrency. Recommendations At the moment, there is no...

CVSS 8.1 | AI score 5.9 | EPSS 0.00218
Exploits 0 | References 3
Cvelist
added 2026/03/23 6:26 p.m. | 21 views

CVE-2026-33649 AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application...

CVSS 8.1 | EPSS 0.00172
Exploits 1 | References 1
Vulnrichment
added 2026/03/23 4:32 p.m. | 3 views

CVE-2026-33507 AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

CVSS 8.8 | AI score 5.9 | EPSS 0.00367
Exploits 1 | References 2
CVE
added 2026/03/23 12:09 p.m. | 7 views

CVE-2026-31848

Nexxt Solutions Nebula 300+ firmware

CVSS 9.8 | AI score 5.8 | EPSS 0.00281
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/03/20 9:47 p.m. | 5 views

GHSA-HV36-P4W4-6VMJ AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated...

CVSS 8.8 | AI score 6.2 | EPSS 0.00367
Exploits 1 | References 4
NVD
added 2026/03/20 3:16 a.m. | 5 views

CVE-2026-32891

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9 | EPSS 0.00164
Exploits 0 | References 2
ATTACKERKB
added 2026/03/20 2:38 a.m. | 2 views

CVE-2026-32891

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9 | AI score 6 | EPSS 0.00164
Exploits 0 | References 3 | Affected Software 1
CVE
added 2026/03/20 2:38 a.m. | 20 views

CVE-2026-32891

Anchorr (Discord bot) versions 1.4.1 and earlier contain a stored XSS vulnerability in the Jellyseerr user selector. An attacker can execute arbitrary JavaScript in the Anchorr admin’s browser session, calling the authenticated /api/config endpoint, which returns the full application configuratio...

CVSS 9 | AI score 6 | EPSS 0.00164
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/03/20 2:38 a.m. | 4 views

CVE-2026-32891 Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9 | AI score 6.1 | EPSS 0.00164
Exploits 0 | References 4
Vulnrichment
added 2026/03/20 2:38 a.m. | 3 views

CVE-2026-32891 Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9 | AI score 6 | EPSS 0.00164
Exploits 0 | References 2
Cvelist
added 2026/03/20 2:38 a.m. | 27 views

CVE-2026-32891 Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the...

CVSS 9 | EPSS 0.00164
Exploits 0 | References 2
Snyk
added 2026/03/18 12:58 p.m. | 6 views

Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the fullName field in the revision/draft context menu, which is rendered as raw HTML due to improper handling with Template::raw and string interpolation. An...

CVSS 6.4 | AI score 5.8 | EPSS 0.00243
Exploits 0 | References 2
Positive Technologies
added 2026/03/18 12:00 a.m. | 8 views

PT-2026-26084

MuraCMS through 10.1.10 contains a CSRF vulnerability that allows attackers to permanently destroy all deleted content stored in the trash system through a simple CSRF attack. The vulnerable cTrash.empty function lacks CSRF token validation, enabling malicious websites to forge requests that...

CVSS 8.1 | AI score 5.8 | EPSS 0.00124
Exploits 0 | References 4
EUVD
added 2026/03/16 6:32 p.m. | 3 views

EUVD-2026-12462

Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the pingipaddr parameter t...

CVSS 5.1 | AI score 5.9 | EPSS 0.00155
Exploits 0 | References 3