Lucene search
K

489 matches found

Vulnrichment
Vulnrichment
added 2026/04/21 10:12 p.m.7 views

CVE-2026-40926 WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check Category::canCreateCategory / User::isAdmin and...

7.1CVSS5.9AI score0.00166EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/07 5:3 p.m.7 views

CVE-2026-26026

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6...

9.1CVSS5.9AI score0.0037EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/01 11:25 p.m.10 views

AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin

Summary The TopMenu plugin renders menu item fields icon classes, URLs, and text labels directly into HTML without applying htmlspecialchars or any other output encoding. Since menu items are rendered on every public page through plugin hooks, a single malicious menu entry results in stored...

5.8AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/01 11:25 p.m.11 views

GHSA-GMPC-FXG2-VCMQ AVideo has Stored XSS via Unescaped Menu Item Fields in TopMenu Plugin

Summary The TopMenu plugin renders menu item fields icon classes, URLs, and text labels directly into HTML without applying htmlspecialchars or any other output encoding. Since menu items are rendered on every public page through plugin hooks, a single malicious menu entry results in stored...

6.1CVSS5.8AI score0.00167EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/01 3:31 a.m.6 views

EUVD-2026-17771

A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch...

6.5CVSS6.4AI score0.00242EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/03/30 7:38 a.m.15 views

WordPress WP Lightbox 2 plugin < 3.0.7 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Plugin WP Lightbox 2 versions 3.0.7...

4.8CVSS5.9AI score0.00189EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/03/30 6:30 a.m.4 views

EUVD-2026-17058

A flaw has been found in code-projects Exam Form Submission 1.0. The impacted element is an unknown function of the file /admin/updatefst.php. Executing a manipulation of the argument sname can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been...

4.8CVSS4.2AI score0.00191EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.3 views

CVE-2026-1278

The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

4.4CVSS5.9AI score0.00195EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.6 views

PT-2026-26506

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...

6.4CVSS5.8AI score0.0032EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/19 9:30 a.m.4 views

EUVD-2026-13070

The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field deletion functionality in the admin display template. The plugin properly validates a nonce for the 'ad...

4.3CVSS5.8AI score0.00132EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/03/12 8:2 a.m.3 views

CVE-2026-4013

A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown function of the file addadmin.php. Such manipulation leads to improper authorization. The attack may be launched remotely...

6.5CVSS5.6AI score0.00224EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.8 views

PT-2026-22095

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS5.6AI score0.00193EPSS
Exploits0References4
NVD
NVD
added 2026/02/22 11:15 p.m.10 views

CVE-2026-2957

A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the component File Handler. This manipulation causes denial of service. The attack may be initiated remotely...

8.1CVSS0.00371EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/02/19 12:2 p.m.28 views

CVE-2019-25404 Comodo Dome Firewall 2.7.0 Stored Cross-Site Scripting via admins

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input through admin management parameters. Attackers can inject script payloads in the adminname, name, and surname parameters via...

6.4CVSS0.00301EPSS
Exploits1References4
Patchstack
Patchstack
added 2026/02/13 11:49 p.m.5 views

WordPress Mail Mint plugin <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints vulnerability

Authenticated Administrator+ SQL Injection via Multiple API Endpoints vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin Mail Mint versions = 1.19.2...

4.9CVSS6AI score0.00351EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/02/12 10:55 p.m.20 views

CVE-2026-26188

The vulnerability CVE-2026-26188 affects Solspace Freeform plugin for Craft CMS 5.x. An authenticated, low-privilege user who can create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel builder and integrations views. User-controlled form labels and integration metadata are re...

5.4CVSS5.7AI score0.00253EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/09 7:55 p.m.4 views

CVE-2026-25498

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution RCE vulnerability exists in Craft CMS where the assembleLayoutFromPost function in src/services/Fields.php fails to sanitize user-supplied configuratio...

8.6CVSS6.2AI score0.0097EPSS
Exploits2References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/06 1:26 a.m.10 views

CVE-2025-70792

Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "relid" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was...

6.1CVSS6AI score0.0027EPSS
Exploits1References1
Patchstack
Patchstack
added 2026/02/05 10:39 p.m.7 views

WordPress Ultimate Maps by Supsystic plugin < 1.2.16 - Admin+ Stored XSS vulnerability

Admin+ Stored XSS vulnerability discovered by Mert Umut in WordPress Plugin Ultimate Maps by Supsystic versions 1.2.16...

4.8CVSS5.3AI score0.00416EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2026/02/05 6:30 p.m.3 views

Cross-site Scripting (XSS)

Overview microweber/microweber is a new generation CMS with drag and drop. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the orderDirection parameter in the /admin/order/abandoned endpoint. An attacker can execute arbitrary JavaScript code in the context of an...

6.1CVSS5.5AI score0.0027EPSS
Exploits1References2
Rows per page
Query Builder