CVE-2020-37079 Wing FTP Server < 6.2.7 - Cross-site Request Forgery

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery CSRF vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...

PT-2026-6812

Name of the Vulnerable Software and Affected Versions Wing FTP Server versions prior to 6.2.7 Description Wing FTP Server versions prior to 6.2.7 have a cross-site request forgery CSRF issue in the web administration interface. This allows attackers to delete administrative users by crafting a...

CVE-2026-21893

n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system...

CVE-2020-37145

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user...

CVE-2020-37118

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...

CVE-2020-37145 HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user...

CVE-2020-37118

CVE-2020-37118 affects P5 FNIP-8x16A FNIP-4xSH 1.0.20. The vulnerability is a cross-site request forgery that can perform administrative actions without user interaction by tricking an authenticated user into loading a crafted page (e.g., adding admin users, changing passwords, modifying configs)...

CVE-2020-37118 P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...

CVE-2025-70791

Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The iss...

CVE-2025-15396

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

PT-2026-6307

Name of the Vulnerable Software and Affected Versions Wagtail versions prior to 6.3.6 Wagtail versions prior to 7.0.4 Wagtail versions prior to 7.1.3 Wagtail versions prior to 7.2.2 Wagtail versions prior to 7.3 Description Wagtail, an open source content management system built on Django, contai...

EUVD-2025-206615

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2025-15396

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2025-15396

The Library Viewer WordPress plugin (before 3.2.0) is vulnerable to Reflected Cross-Site Scripting due to inadequate sanitisation/escaping of certain parameters, potentially impacting high-privilege users (e.g., admins). Affected product/version: Library Viewer WordPress plugin

CVE-2025-15396 Library Viewer < 3.2.0 - Reflected Cross-Site Scripting

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2020-36969

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standa...

UBUNTU-CVE-2020-36968

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for al...

CVE-2020-36969

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standa...

CVE-2020-36969 M/Monit 3.7.4 - Privilege Escalation

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standa...

CVE-2020-36968

CVE-2020-36968 affects M/Monit 3.7.4. An authentication vulnerability allows authenticated attackers to retrieve user password hashes by calling administrative API endpoints /api/1/admin/users/list and /api/1/admin/users/get, extracting MD5 hashes for all users. Multiple connected sources (Debian...