32 matches found

NVD
added 2026/05/14 3:16 p.m., 10 views

CVE-2026-41933

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CVSS 6.9, EPSS 0.00047
Exploits 0, References 3

CVE
added 2026/05/14 2:23 p.m., 6 views

CVE-2026-41933

CVE-2026-41933 details: Vvveb (before 1.0.8.3) has a directory listing information disclosure vulnerability enabling unauthenticated attackers to enumerate files and directories by hitting multiple paths without proper index directives in .htaccess. Exposed directories include admin asset paths,...

CVSS 6.9, AI score 5.8, EPSS 0.00047
Exploits 0, References 3

ATTACKERKB
added 2026/05/14 2:23 p.m., 3 views

CVE-2026-41933

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CVSS 6.9, AI score 5.8, EPSS 0.00047
Exploits 0, References 4

EUVD
added 2026/05/14 2:23 p.m., 6 views

EUVD-2026-30294

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CVSS 6.9, AI score 5.8, EPSS 0.00047
Exploits 0, References 3

OSV
added 2026/05/06 6:42 p.m., 1 views

GHSA-VRQV-52X7-RM4V Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates

Summary: Kimai's Twig sandbox StrictPolicy, used for admin-uploaded invoice and export templates, allow-lists the config Twig function with no key filtering. configname delegates to App\Configuration\SystemConfiguration::find$name, which returns arbitrary entries from the flattened kimai.config...

CVSS 5.9, AI score 5.9
Exploits 0, References 2

OSV
added 2026/03/11 12:11 a.m., 3 views

GHSA-FFV6-JJ46-X367 django-unicorn affected by component state manipulation via unvalidated attribute access

Summary Component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended ispublic protection to modify internal attributes such as templatename or trigger protected methods. Vulnerability...

CVSS 5.3, AI score 5.8, EPSS 0.00103
Exploits 1, References 3

CVE
added 2025/12/11 9:35 p.m., 4 views

CVE-2024-58292

CVE-2024-58292 affects XMB Forum 1.9.12.06. Red Hat and NVD entries describe a persistent cross-site scripting vulnerability exploitable by authenticated administrators who can inject JavaScript into templates and front-page settings (footer templates, news ticker). When pages render, the script ...

CVSS 5.3, AI score 5.3, EPSS 0.00078
Exploits 0, References 3

Cvelist
added 2025/12/11 9:35 p.m., 16 views

CVE-2024-58292 XMB Forum 1.9.12.06 Persistent Cross-Site Scripting via Admin Templates

XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for...

CVSS 5.3, EPSS 0.00078
Exploits 0, References 3

Vulnrichment
added 2025/12/11 9:35 p.m., 1 views

CVE-2024-58292 XMB Forum 1.9.12.06 Persistent Cross-Site Scripting via Admin Templates

XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for...

CVSS 5.3, AI score 5.3, EPSS 0.00078
Exploits 0, References 3

CVE
added 2025/11/07 3:02 p.m., 6 views

CVE-2025-12859

CVE-2025-12859 affects DedeBIZ

CVSS 7.2, AI score 5, EPSS 0.00029
Exploits 0, References 4, Affected Software 1

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2017-7294

Malware in sbrugna...

CVSS 4.8, AI score 5.1, EPSS 0.00219
Exploits 0, References 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2013-2235

Malware in sbrugna...

CVSS 4.3, AI score 6.4, EPSS 0.00859
Exploits 1, References 4

RedhatCVE
added 2025/05/22 5:38 a.m., 4 views

CVE-2017-15872

phpwcms 1.8.9 has XSS in include/inctmpl/admin.edituser.tmpl.php and include/inctmpl/admin.newuser.tmpl.php via the username aka newlogin field...

CVSS 4.8, AI score 4.9, EPSS 0.00219
Exploits 0, References 1

OSV
added 2024/11/04 3:15 a.m., 4 views

CVE-2024-10754

A vulnerability was found in PHPGurukul Online Shopping Portal 2.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/assets/plugins/DataTables/media/unittesting/templates/dymanictable.php. The manipulation of the argument scripts leads to cross site...

CVSS 6.1, AI score 3.8
Exploits 0, References 5

ATTACKERKB
added 2023/08/29 4:15 p.m., 2 views

CVE-2023-41362

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP...

CVSS 7.2, AI score 7.1, EPSS 0.25812
Exploits 1, References 5

Positive Technologies
added 2023/08/12 12:00 a.m., 4 views

PT-2023-5287 · Mybb · Mybb

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.36 Description: The issue is related to code injection by users with certain high privileges in the MyBB software. Templates in the Admin CP intentionally use eval, and there was some validation of the input to eval...

CVSS 9, AI score 7.2, EPSS 0.25812
Exploits 1, References 17

ATTACKERKB
added 2022/08/01 1:15 p.m., 1 views

CVE-2022-2184

The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack, to run arbitrary code on the server...

CVSS 8.8, AI score 6, EPSS 0.00206
Exploits 2, References 2

OSV
added 2022/08/01 1:15 p.m., 3 views

CVE-2022-2184

The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack, to run arbitrary code on the server...

CVSS 8.8, AI score 6
Exploits 0, References 1

ATTACKERKB
added 2022/03/10 5:46 p.m., 3 views

CVE-2022-24609

Luocms v2.0 is affected by an incorrect access control vulnerability. Through /admin/templates/templatemanage.php, an attacker can write an arbitrary shell file...

CVSS 10, AI score 7.4, EPSS 0.00346
Exploits 1, References 2

CNVD
added 2020/03/13 12:00 a.m., 2 views

Chadha PHPKB Cross-Site Scripting Vulnerability (CNVD-2020-18329)

Chadha Software Technologies PHPKB Standard Multi-Language is a web-based, multi-language knowledge base management system from Chadha Software Technologies, India. A reflective cross-site scripting vulnerability exists in admin/manage-templates.php in Chadha PHPKB Standard Multi-Language 9. The...

CVSS 4.8, AI score 6, EPSS 0.00321
Exploits 1, References 1