WordPress HC Custom WP-Admin URL <=1.4 - Admin Login URL Disclosure

The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a specific crafted request id: CVE-2022-1595 info: name: WordPress HC Custom WP-Admin URL =1.5 to mitigate the vulnerability. reference: -...

CVE-2026-41170 Squidex has SSRF via Backup Restore Endpoint — Admin-Controlled URL Download Allows Internal and External Requests

Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the RestoreController.PostRestoreJob endpoint allows an administrator to supply an arbitrary URL for downloading backup archives. This URL is fetched using the "Backup" HttpClient...

CVE-2026-25523

Magento-lts is a long-term support alternative to Magento Community Edition CE. Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1...

CVE-2026-25523

Magento-lts is a long-term support alternative to Magento Community Edition CE. Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1...

CVE-2026-25523 Magento's X-Original-Url header can expose admin url

Magento-lts is a long-term support alternative to Magento Community Edition CE. Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1...

CVE-2026-25523

Magento-lts versions prior to 20.16.1 are affected: the admin URL can be discovered without prior knowledge by exploiting the X-Original-Url header in certain configurations. The root cause is exposure via the X-Original-Url header; patches exist and are applied in version 20.16.1. Several connec...

Magento's X-Original-Url header can expose admin url

Impact The admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. Patches The bug comes from the Zend library and is patche by unsetting the header in the bootstrap process. Workarounds Unset the X-Original-Url header i...

GHSA-JG68-VHV3-9R8F Magento's X-Original-Url header can expose admin url

Impact The admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. Patches The bug comes from the Zend library and is patche by unsetting the header in the bootstrap process. Workarounds Unset the X-Original-Url header i...

PT-2026-6440

Impact The admin url can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations. Patches The bug comes from the Zend library. Workarounds Unset the X-Original-Url header in the web server configuration. Resources...

PT-2026-6312

Name of the Vulnerable Software and Affected Versions Magento-lts versions prior to 20.16.1 Description Magento-lts is a long-term support alternative to Magento Community Edition CE. Prior to version 20.16.1, the admin URL can be discovered without prior knowledge of its location by exploiting t...

CVE-2022-31971

ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simplechatbot/admin/?page=responses/viewresponse=...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-000180)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000180 advisory. An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subjec...

CVE-2025-14007

CVE-2025-14007 affects dayrui XunRuiCMS up to v4.7.1. Affected component: the Domain Name Binding Page, specifically the file path /admin79f2ec220c7e.php?c=api&m=demo&name=mobile. Root cause described as incorrect handling/manipulation in that page, resulting in cross-site scripting. Attacker can...

EUVD-2022-47226

Malicious code in bioql PyPI...

CVE-2022-32363

Product Show Room Site v1.0 is vulnerable to SQL Injection via /psrs/admin/categories/viewcategory.php?id=...

CVE-2022-32010

Complete Online Job Search System v1.0 is vulnerable to SQL Injection via /eris/admin/user/index.php?view=edit=...

python-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget

A flaw was found in Django. 'urlize', 'urlizetrunc', and 'AdminURLFieldWidget' may be subject to a denial of service attack via certain inputs with a very large number of Unicode characters...

GHSA-R836-HH6V-RG5G Django vulnerable to denial-of-service attack

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...

DEBIAN-CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...

PYSEC-2024-69

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...