87835 matches found
CVE-2026-58319
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...
EUVD-2026-43629
A security flaw has been discovered in code-projects Online Job Portal up to 1.0. The impacted element is an unknown function of the file /Admin/DeleteUser.php. Performing a manipulation results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the...
EUVD-2026-43623
A vulnerability was identified in code-projects Online Job Portal 1.0. The affected element is an unknown function of the file /Admin/EditUser.php. Such manipulation of the argument UserId leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be...
EUVD-2026-43575
Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API /system/buckets/api. The api method in modules/System/Controller/Buckets.php executes bucket commands ls, upload, removefiles, rename, createfolder without performing any ACL or role check. Any authenticated...
EUVD-2026-43556
Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can...
EUVD-2026-43564
OpenClaw versions before 2026.6.8 contain an authorization bypass vulnerability in OpenAI-compatible HTTP model overrides that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to bypass admin authorization...
CVE-2026-58411
ChurchCRM (open-source church management system) Vulnerability: Prior to version 7.4.0, a Reflected XSS was identified due to insufficient output encoding of user-controlled request parameter names and values. The application reflects attacker-controlled input into JavaScript string contexts and ...
CVE-2026-62242
CVE-2026-62242 affects Spring Boot Admin Server prior to 4.1.2. The vulnerability is a server-side request forgery in the unauthenticated instance registration flow, where attacker-controlled healthUrl and managementUrl are not validated against private IP ranges or metadata endpoints. This allow...
CVE-2026-61502
Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...
CVE-2026-61501
Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs ar...
CVE-2026-61463
Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtai...
CVE-2026-61500
Rejetto HFS 3.0.0 through 3.2.0 derives its session-cookie signing key from the non-cryptographic Math.random generator and discloses outputs of the same generator to unauthenticated clients during login. A remote attacker can collect a small number of login responses, reconstruct the generator's...
CVE-2026-61503
CVE-2026-61503 – Rejetto HFS : Affects HFS 3.0.0–3.2.0. The login endpoint returns observably different responses depending on whether the username exists, enabling remote, unauthenticated actors to confirm valid accounts (including the default admin) and facilitating password guessing and sessio...
CVE-2026-61502
CVE-2026-61502 affects Rejetto HFS versions 3.0.0 through 3.2.0. The root cause is that state-changing API requests can be issued via GET and are exempt from the anti-CSRF header check, enabling a remote attacker to perform administrative actions (e.g., account creation, configuration changes) an...
CVE-2026-61501
Rejetto HFS versions 3.0.0–3.2.0 expose a stored XSS in the admin log viewer: log entries rendered as HTML without sanitization allow a remote unauthenticated attacker to craft a username, write JavaScript to the error log, and execute code in an administrator’s browser when logs are viewed, pote...
CVE-2026-61500
Affected software: Rejetto HFS 3.0.0–3.2.0. Root cause: session-cookie signing key derived from the non‑cryptographic Math.random() generator; outputs disclosed to unauthenticated clients during login. Impact: remote attacker can observe login responses, reconstruct the generator state, recover t...
CVE-2026-61983
Missing Authorization vulnerability in andymoyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through = 5.0.30...
EUVD-2026-43282
A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the...
EUVD-2026-43295
A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. T...
EUVD-2026-43296
A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/requi...