Lucene search
K

2482 matches found

Positive Technologies
Positive Technologies
added 2026/04/29 12:0 a.m.13 views

PT-2026-37141

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description An authorization mismatch exists between the frontend UI and the backend data endpoint. While the frontend correctly restricts the "show all organizations" filter to full administrators, the 'contact...

4.9CVSS5.8AI score0.00322EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/27 9:31 p.m.12 views

Duplicate Advisory: Pimcore admin users can trigger SQL Injection

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r2f4-ff2p-xc64. This link is maintained to preserve external references. Original Description An authenticated administrative user who can import or save DataObject class definitions can inject attacker-controll...

7CVSS5.9AI score0.00346EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.18 views

PT-2026-35518

Name of the Vulnerable Software and Affected Versions Pimcore version 12.3.3 Description An authenticated administrative user with permissions to import or save DataObject class definitions can inject malicious composite index metadata. This action allows the execution of unintended SQL commands ...

7CVSS6AI score0.00346EPSS
Exploits0References13
ATTACKERKB
ATTACKERKB
added 2026/04/22 11:27 p.m.3 views

CVE-2026-4917

IBM Guardium Data Protection 12.1 could allow an administrative user to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to write arbitrary files on the system...

4.9CVSS5.9AI score0.00356EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/22 11:26 p.m.34 views

CVE-2026-4918 IBM Guardium Data Protection is affected by multiple vulnerabilities

IBM Guardium Data Protection 12.1 is vulnerable to stored cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

5.5CVSS0.00142EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/22 11:23 p.m.34 views

CVE-2026-4919 IBM Guardium Data Protection is affected by multiple vulnerabilities

IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

4.8CVSS0.00185EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/22 5:6 p.m.8 views

Cross-site Scripting (XSS)

Overview bagisto/bagisto is a hand tailored E-Commerce framework designed on some opensource technologies such as Laravel a PHP framework, Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Custom Scripts interface. An...

5.4CVSS5.5AI score0.00191EPSS
Exploits0References2
OSV
OSV
added 2026/04/22 2:38 p.m.6 views

GHSA-49VV-25QX-MG44 OpenRemote has Improper Access Control via updateUserRealmRoles function

Summary A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the identity provider but does not check that the caller may administer that realm...

7CVSS5.7AI score0.00285EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.7 views

PT-2026-34583

IBM Guardium Data Protection 12.1 is vulnerable to cross-site scripting. This vulnerability allows an administrative user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session...

4.8CVSS5.5AI score0.00185EPSS
Exploits0References2
NVD
NVD
added 2026/04/21 3:16 p.m.10 views

CVE-2025-1241

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data...

5.8CVSS0.00127EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.9 views

Visitor Management System 安全漏洞

The Visitor Management System is a system for managing visitors. Version 1.0 of the Visitor Management System has security vulnerabilities. These vulnerabilities stem from the lack of validation in the upload functions of the vms/php/adminuserinsert.php and vms/php/update1.php files, which may le...

7.2CVSS6.1AI score0.00807EPSS
Exploits1References1
CVE
CVE
added 2026/04/21 12:0 a.m.12 views

CVE-2026-37748

CVE-2026-37748 affects Visitor Management System 1.0 by sanjay1313. The vulnerability is an Unrestricted File Upload in vms/php/admin_user_insert.php and vms/php/update_1.php, where move_uploaded_file() runs without MIME type, extension, or content validation. This allows an authenticated admin t...

7.2CVSS5.9AI score0.00807EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/20 1:55 p.m.18 views

CVE-2026-34427

Vvveb versions prior to 1.0.8.1 contain a privilege escalation in the admin/user/save endpoint. An authenticated user can inject role_id=1 in profile save requests to elevate to Super Administrator, enabling plugin upload functionality and remote code execution. The fix is provided in 1.0.8.1 (se...

8.8CVSS6.2AI score0.00562EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/04/18 12:0 a.m.7 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : NetworkManager (SUSE-SU-2026:1443-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1443-1 advisory. This update for NetworkManager fixes the following issue: Security fixes: - CVE-2025-9615: Fixed non-admi...

3.3CVSS5.8AI score0.00162EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/17 9:4 p.m.6 views

CVE-2026-40304 zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler controller/unaccess.go contains a logical error in its ownership guard: when a frontend record has environmentid = NULL the marker for admin-created global frontends, the conditio...

5.3CVSS5.7AI score0.00286EPSS
Exploits0References2
OSV
OSV
added 2026/04/17 2:40 p.m.3 views

SUSE-SU-2026:1443-1 Security update for NetworkManager

This update for NetworkManager fixes the following issue: Security fixes: - CVE-2025-9615: Fixed non-admin user using others' certificates bsc1257359. Other fixes: - Don't renew DHCP lease when software devices' MAC is empty bsc1225498...

3.3CVSS5.7AI score0.00162EPSS
Exploits0References4
OSV
OSV
added 2026/04/17 9:58 a.m.10 views

SUSE-SU-2026:1427-1 Security update for NetworkManager

This update for NetworkManager fixes the following issue: - CVE-2025-9615: Fixed non-admin user using others' certificates bsc1257359...

3.3CVSS5.7AI score0.00162EPSS
Exploits0References3
CVE
CVE
added 2026/04/16 9:17 p.m.11 views

CVE-2026-34164

CVE-2026-34164 concerns Valtimo, where the InboxHandlingService logged the full content of incoming inbox messages at INFO level across versions 13.0.0–13.21.0. This exposed sensitive data (PII, BSN, case details) to anyone with log access or admin UI users. The issue was fixed in 13.22.0: the lo...

4.9CVSS5.8AI score0.00366EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/04/16 9:17 p.m.7 views

CVE-2026-34164

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data PII, citizen identifier...

4.9CVSS5.8AI score0.00366EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/04/16 8:42 p.m.8 views

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the InboxHandlingService. An attacker can access sensitive information such as personal data, citizen identifiers, and case details by viewing application logs that contain full inbox...

7.1CVSS5.8AI score0.00366EPSS
Exploits0References2
Rows per page
Query Builder