26 matches found
CVE-2026-40874 mailcow: dockerized missing authorization on Forwarding Hosts delete action
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...
CVE-2026-40304 zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler controller/unaccess.go contains a logical error in its ownership guard: when a frontend record has environmentid = NULL (the marker for admin-created global frontends), the conditio...
CVE-2026-25220 OpenEMR Messages "Show All" Not Restricted to Admins
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter showall=yes and passes it to getPnotesByUser, which returns all internal messages (all users' notes). The backend does not...
OpenEMR security vulnerability
OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0 contained security...
EUVD-2018-9598
Malware in sbrugna...
EUVD-2005-0777
Malware in sbrugna...
EUVD-2023-44639
Malicious code in bioql PyPI...
EUVD-2024-51249
Malicious code in bioql PyPI...
CVE-2024-12990
A vulnerability was found in ruifang-tech Rebuild 3.8.6. It has been classified as problematic. This affects an unknown part of the file /user/admin-verify of the component Admin Verification Page. The manipulation of the argument nexturl with the input http://localhost/evil.html leads to open...
Insufficient Isolation of System-Dependent Functions
Overview: open-webui is Open WebUI. Affected versions of this package are vulnerable to Insufficient Isolation of System-Dependent Functions due to improper access control on the /api/v1/prompts/ and /api/v1/prompts/command/commandid interfaces. An attacker can view and retrieve prompt informati...
PT-2024-34393 · Teampass · Teampass
Name of the Vulnerable Software and Affected Versions: TeamPass versions prior to 3.1.3.1. Description: The issue arises from the software not properly checking whether a "mail me" (also known as "action mail") operation is performed on behalf of an administrator or manager. This lack of verification can lea...
CVE-2024-12990 ruifang-tech Rebuild Admin Verification Page admin-verify redirect
A vulnerability was found in ruifang-tech Rebuild 3.8.6. It has been classified as problematic. This affects an unknown part of the file /user/admin-verify of the component Admin Verification Page. The manipulation of the argument nexturl with the input http://localhost/evil.html leads to open...
CVE-2024-12990
The CVE-2024-12990 entry concerns ruifang-tech Rebuild 3.8.6, specifically the Admin Verification Page file /user/admin-verify. The vulnerability arises from manipulating the nexturl parameter (e.g., http://localhost/evil.html), causing an open redirect. It can be exploited remotely and has been ...
PT-2024-17853 · Ruifang Tech · Ruifang-Tech Rebuild
Name of the Vulnerable Software and Affected Versions: ruifang-tech Rebuild version 3.8.6. Description: A vulnerability was found in the Admin Verification Page of the affected software, specifically in the file /user/admin-verify. The issue is related to the manipulation of the nexturl argument,...
CVE-2023-40020
CVE-2023-40020 affects PrivateUploader (Vue/TypeScript image hosting server). In affected versions the route at app/routes/v3/admin.controller.ts did not properly verify whether a user was an administrator or moderator, causing the request to continue processing after a 403 ADMIN_ONLY response. A...
executeTransaction function allows executing a queued transaction.
Lines of code / Vulnerability details / Impact: The executeTransaction function allows executing a queued transaction. It requires the caller to be the admin, verifies the transaction's queue status and time lock, and executes the transaction. The use of target.call can be exploited by an attack...
Cross-site Scripting (XSS) - Stored in admidio/admidio
Description: When adding a menu after logging in with an administrator account, there is no verification of the URL value, so the XSS payload is stored in the DB. After that, when the saved menu is clicked, the XSS is triggered. If an administrator adds a menu, normal users can click it too. Proof of...