Lucene search
K

2492 matches found

CVE
CVE
added 2026/04/09 4:14 p.m.19 views

CVE-2026-39957

Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...

4.3CVSS6AI score0.00208EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/08 7:15 p.m.6 views

GHSA-7CM9-V848-CFH2 CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List

Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...

4.8CVSS6AI score0.0023EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/08 7:15 p.m.6 views

CI4MS has stored XSS via Unescaped Blacklist Note in Admin User List

Summary The blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into an HTML data-note attribute without escaping. An admin with blacklist privileges can inject arbitrary JavaScript that executes in the browser of any other...

4.8CVSS6.1AI score0.0023EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/04/08 2:30 p.m.11 views

CVE-2026-39391

CVE-2026-39391 affects CI4MS, a CodeIgniter 4-based CMS skeleton. Before 0.31.4.0, the blacklist (ban) note parameter stored in the database was rendered into an HTML data-note attribute without escaping, enabling a stored XSS when an admin with blacklist privileges views the user management page...

4.8CVSS6AI score0.0023EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/08 2:30 p.m.4 views

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

4.8CVSS6AI score0.0023EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/08 2:30 p.m.25 views

CVE-2026-39391 CI4MS has Stored XSS via Unescaped Blacklist Note in Admin User List

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the blacklist ban note parameter in UserController::ajaxblackListpost is stored in the database without sanitization and rendered into a...

4.8CVSS0.0023EPSS
Exploits1References1
NVD
NVD
added 2026/04/07 9:17 p.m.3 views

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

6.1CVSS0.00171EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.4 views

PT-2026-31019

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with create events and run events privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The...

5.3CVSS6AI score0.00171EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/07 12:0 a.m.8 views

xyOps 跨站脚本漏洞

xyOps is a multi-server task scheduling and execution platform developed by Joseph Huckaby. Versions of xyOps prior to 0.9.111 contained a cross-site scripting vulnerability. This vulnerability stemmed from servers failing to clean up the data stored in the job output fields, allowing...

6.1CVSS5.9AI score0.00171EPSS
Exploits1References2
OSV
OSV
added 2026/04/04 9:30 p.m.4 views

GHSA-3QCM-PJ6Q-W4C5 Nodcms contains a cross-site request forgery vulnerability

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

5.3CVSS5.7AI score0.00106EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/04 9:30 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the admin/usermanipulate and admin/settings/generall endpoints. An attacker can perform unauthorized administrative actions by tricking an authenticated administrator into submitting crafted...

7.4CVSS5.7AI score0.00106EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/04 7:59 p.m.20 views

CVE-2016-20054 Nodcms Cross Site Request Forgery via admin endpoints

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

5.3CVSS0.00106EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/04 7:59 p.m.3 views

CVE-2016-20054 Nodcms Cross Site Request Forgery via admin endpoints

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/usermanipulate and admin/settings/generall endpoints to...

5.3CVSS5.9AI score0.00106EPSS
Exploits1References1
NVD
NVD
added 2026/03/31 9:16 p.m.7 views

CVE-2026-3469

A denial-of-service DoS vulnerability exists due to improper input validation in the SonicWall Email Security appliance, allowing a remote authenticated attacker as admin user to cause the application to become unresponsive...

2.7CVSS0.00386EPSS
Exploits0References1
CVE
CVE
added 2026/03/31 8:19 p.m.11 views

CVE-2026-3470

CVE-2026-3470 concerns the SonicWall Email Security appliance, where improper input sanitization allows data corruption in the application database. The issue is triggered by crafted input that can be provided by a remote authenticated attacker who operates as an admin user. Affected component: t...

3.8CVSS5.9AI score0.00321EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/03/31 8:17 p.m.22 views

CVE-2026-3468

A stored Cross-Site Scripting XSS vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

0.00226EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/31 8:17 p.m.5 views

CVE-2026-3468

A stored Cross-Site Scripting XSS vulnerability has been identified in the SonicWall Email Security appliance due to improper neutralization of user-supplied input during web page generation, allowing a remote authenticated attacker as admin user to potentially execute arbitrary JavaScript code...

6AI score0.00226EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.8 views

PT-2026-29346

Name of the Vulnerable Software and Affected Versions SonicWall Email Security affected versions not specified Description A flaw exists in the SonicWall Email Security appliance related to insufficient input validation. This could result in data corruption, potentially allowing a remote attacker...

3.8CVSS5.9AI score0.00321EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.13 views

PT-2026-29322

Pega Platform versions 8.1.0 through 25.1.0 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Requires an administrative user and given extensive access rights, impact to Confidentiality is low and Integrity is none...

4.8CVSS5.9AI score0.00258EPSS
Exploits0References4
OSV
OSV
added 2026/03/30 5:49 p.m.4 views

GHSA-73GR-R64Q-7JH4 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php

Summary The categories.json.php endpoint, which serves the category listing API, fails to enforce user group-based access controls on categories. In the default request path no ?user= parameter, user group filtering is entirely skipped, exposing all non-private categories including those restrict...

5.3CVSS5.8AI score0.00319EPSS
Exploits1References4
Rows per page
Query Builder