33 matches found
hackage-server Cross-Site Request Forgery Vulnerability
hackage-server is an open-source package repository server for Haskell. hackage-server contains a cross-site request forgery vulnerability. The vulnerability stems from missing protection against cross-site request forgery attacks, which may allow external scripts to trigger requests on behalf of a logged-in user, enabling the abu...
CVE-2026-40041 Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...
CVE-2026-32126
OpenEMR prior to version 8.0.0.1 contains an inverted boolean condition in ControllerRouter::route() that enforces the admin/super ACL check only for controllers with their own internal authorization (e.g., review, log). As a result, all other CDR controllers (alerts, ajax, edit, add, detail, bro...
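The OpenEMR entry describes an inverted authorization condition: the router applies its admin/super ACL check to exactly the controllers that already authorize themselves, and skips it for the rest. The block below is an added illustration of that bug class written for this page; it is not OpenEMR's code. The function names, the array-based ACL stand-in and the sample principals are assumptions; only the controller names (review, log, alerts, ajax, edit, add, detail) are taken from the advisory text.

```php
<?php
// Illustration of an inverted ACL condition in a controller router.
// NOT OpenEMR's code: routeVulnerable(), routeFixed(), aclCheckCore() and the
// array-based ACL are assumptions made for this example.
declare(strict_types=1);

// Controllers that carry their own internal authorization (per the advisory).
const SELF_AUTHORIZING = ['review', 'log'];

// Everything else in the module must be gated by the router itself.
const OTHER_CDR_CONTROLLERS = ['alerts', 'ajax', 'edit', 'add', 'detail'];

// Stand-in for an ACL lookup; a real system would consult its ACL store.
function aclCheckCore(array $user, string $section, string $value): bool
{
    return in_array("$section/$value", $user['acl'], true);
}

// Vulnerable shape: the condition is inverted. The admin check runs only for
// controllers that already protect themselves, so the unprotected ones are
// dispatched without any router-level check.
function routeVulnerable(array $user, string $controller): string
{
    if (in_array($controller, SELF_AUTHORIZING, true)) {   // BUG: missing "!"
        if (!aclCheckCore($user, 'admin', 'super')) {
            return 'denied';
        }
    }
    return "dispatch:$controller";
}

// Corrected shape: require admin/super for every controller EXCEPT those
// that enforce their own authorization internally.
function routeFixed(array $user, string $controller): string
{
    if (!in_array($controller, SELF_AUTHORIZING, true)) {
        if (!aclCheckCore($user, 'admin', 'super')) {
            return 'denied';
        }
    }
    return "dispatch:$controller";
}

// Constructed sample principals (not real OpenEMR ACL entries).
$lowPrivUser = ['name' => 'clinician', 'acl' => ['patients/demo']];

printf("%-10s %-18s %-18s\n", 'controller', 'vulnerable', 'fixed');
foreach (array_merge(SELF_AUTHORIZING, OTHER_CDR_CONTROLLERS) as $c) {
    printf("%-10s %-18s %-18s\n", $c,
        routeVulnerable($lowPrivUser, $c),
        routeFixed($lowPrivUser, $c));
}
```

Run with `php router.php`: the vulnerable router denies the low-privileged user only on review and log (which would have checked themselves anyway) and dispatches alerts, ajax, edit, add and detail unchecked; the fixed router denies all five. The general check when reviewing such routers is to enumerate every dispatch target and confirm each one is covered by exactly one authorization path, either the router's or its own.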
EUVD-2019-17276
Malware in sbrugna...
EUVD-2022-38181
Malicious code in bioql PyPI...
CVE-2023-26062
An internal fault in the mobile network solution was found in Nokia Web Element Manager before 22 R1, in which an authenticated, unprivileged user can execute administrative functions. Exploitation is not possible from outside the mobile network solution architecture. This means that exploit is not possibl...
GHSA-X7WV-5QG4-VMR6 org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
Impact When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an XWiki.ComponentClass, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use...
ZOHO ManageEngine PAM360 Security Vulnerability
ZOHO ManageEngine PAM360 is a privileged access management (PAM) product from ZOHO, Inc. that provides privileged access security for IT infrastructure. A security vulnerability exists in Zoho ManageEngine PAM360 version 6601, which stems from allowing a low-privileged user to perform administrative...
CVE-2024-4735
A vulnerability has been found in Campcodes Legal Case Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/tasks. The manipulation of the argument tasksubject leads to cross site scripting. The attack can be launched...
Legal Case Management System Cross-Site Scripting Vulnerability
Campcodes Legal Case Management System is a legal case management system from Campcodes, Inc. A cross-site scripting vulnerability exists in Campcodes Legal Case Management System version 1.0, which stems from insufficient handling of the tasksubject argument in the /admin/tasks file...
CVE-2024-2659
A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function...
Upgraded Q -> 2 from #112 [1686922871117]
Judge has assessed an item in Issue 112 as 2 risk. The relevant finding follows:

| | Issue | Instances |
|---|---|---|
| M-1 | Centralization Risk for trusted owners | 19 |

M-1 Centralization Risk for trusted owners. Impact: Contracts have owners with privileged rights to perform admin tasks and need to b...
Centralization Risk for trusted owners
Lines of code https://github.com/code-423n4/2023-02-ethos/blob/73687f32b934c9d697b97745356cdf8a1f264955/Ethos...
PT-2023-16476 · WordPress · Wicked Folders
Name of the Vulnerable Software and Affected Versions: Wicked Folders plugin for WordPress versions up to, and including, 2.18.16 Description: The issue is related to a missing capability check on the ajax save folder order function, which allows authenticated attackers with subscriber-level...
CVE-2022-2197
By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations...
CVE-2020-19417
Emerson Smart Wireless Gateway 1420 4.6.59 allows non-privileged users such as the default account 'maint' to perform administrative tasks by sending specially crafted HTTP requests to the application...
Multiple vulnerabilities in WordPress Plugin "Online Lesson Booking"
Overview WordPress Plugin "Online Lesson Booking" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below. Stored cross-site scripting vulnerability CWE-79 - CVE-2019-5972 Cross-site request forgery vulnerability CWE-352 - CVE-2019-5973 Natsumi Matsuoka of Cryptography...
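Three entries on this page (Pachno, hackage-server and Online Lesson Booking) describe the same defect: state-changing endpoints accept any request that carries the victim's session cookie, so a page under the attacker's control can submit the request for them. The block below is an added example of the synchronizer-token defence those entries lack; it is illustrative code written for this page, not code from any of those projects. The session array, the `_csrf_token` field name, the handler names and the upload scenario are assumptions.

```php
<?php
// Synchronizer-token CSRF defence, illustrated against a constructed upload
// endpoint. Not code from Pachno, hackage-server or Online Lesson Booking;
// the field name, helper names and session layout are assumptions.
declare(strict_types=1);

const CSRF_FIELD = '_csrf_token';

// Issue a token bound to the user's session. Call this when rendering any form
// that performs a state-changing action (login, registration, upload, ...).
function csrfIssue(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $session[CSRF_FIELD];
}

// Verify a submitted request: it must be a POST carrying the token the session
// issued. The comparison is constant-time to avoid a timing side channel.
function csrfVerify(array $session, array $request): bool
{
    if (($request['method'] ?? '') !== 'POST') {
        return false;            // state changes must never be accepted over GET
    }
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $request['body'][CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Vulnerable handler: the session cookie alone authorizes the action, and the
// browser attaches that cookie to a cross-site form post automatically.
function uploadVulnerable(array $session, array $request): string
{
    if (empty($session['user'])) {
        return 'login required';
    }
    return 'uploaded ' . $request['body']['filename'];
}

// Hardened handler: identical logic, but refuses requests lacking a valid token.
function uploadHardened(array $session, array $request): string
{
    if (empty($session['user'])) {
        return 'login required';
    }
    if (!csrfVerify($session, $request)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return 'uploaded ' . $request['body']['filename'];
}

// Constructed scenario: the victim is logged in; an attacker-controlled page
// auto-submits a form to the upload endpoint. The attacker cannot read the
// token held in the victim's session, so the forged request has none.
$session = ['user' => 'victim'];
$token   = csrfIssue($session);

$forged = ['method' => 'POST', 'body' => ['filename' => 'evil.php']];
$legit  = ['method' => 'POST', 'body' => ['filename' => 'report.pdf', CSRF_FIELD => $token]];

echo "forged request, vulnerable handler: " . uploadVulnerable($session, $forged) . "\n";
echo "forged request, hardened handler:   " . uploadHardened($session, $forged) . "\n";
echo "legitimate request, hardened:       " . uploadHardened($session, $legit) . "\n";
```

Run with `php csrf.php`. The token must be unpredictable (here from `random_bytes`), tied to the session rather than global, and checked on every state-changing route, including login and registration, which the Pachno entry lists explicitly. A `SameSite` attribute on the session cookie is a useful second layer but does not replace the token, since it depends on browser support and on the cookie being set that way.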