CVE-2016-20034 Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser...

CVE-2016-20034 Wowza Streaming Engine 4.5.0 Privilege Escalation via user edit

Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser...

Exploit for Code Injection in Invoiceplane

CVE-2026-25548 — Remote Code Execution in InvoicePlane 1.7.0...

CVE-2016-20028

CVE-2016-20028 affects ZKTeco ZKBioSecurity 3.0. The issue is a Cross-Site Request Forgery (CSRF) that lets an attacker cause administrative actions by coaxing an authenticated user to visit a malicious page. Attacks can craft HTTP requests that add superadmin accounts without validity checks, po...

CVE-2025-36368 IBM Sterling B2B Integrator and IBM Sterling File Gateway SQL Injection

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization through the device.token.rotate process. An attacker can gain unauthorized administrative access and potentially execute arbitrary code on connected nodes by minti...

GHSA-4JPW-HJ22-2XMC OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE

Summary In affected versions of openclaw, a caller holding only operator.pairing could use device.token.rotate to mint a new token with broader scopes for an already paired device. If the target device was approved for operator.admin, the attacker could obtain an administrative token without...

Exploit for CVE-2026-29000

CVE-2026-29000 - pac4j-jwt Authentication Bypass PoC Not...

CVE-2026-22209

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert1...

CVE-2026-22209 wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Custom CSS in Style Tag

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert1 in the custom CSS setting to execute arbitrary JavaScript i...

CVE-2026-22209 wpDiscuz before 7.6.47 - Cross-Site Scripting via Unescaped Custom CSS in Style Tag

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin access can inject payloads like alert1 in the custom CSS setting to execute arbitrary JavaScript i...

PT-2026-25362

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.7 2, 6.2.0.0 through 6.2.0.5 1, and 6.2.1.0 through 6.2.1.1 1 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, o...

PT-2026-25145

Name of the Vulnerable Software and Affected Versions thingino-firmware versions prior to commit e3f6a41 wpDiscuz versions prior to 7.6.47 Description thingino-firmware contains an unauthenticated operating system command injection issue in the WiFi captive portal CGI script. This allows remote...

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

CVE-2026-32302

CVE-2026-32302 affects OpenClaw. In versions before 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode = trusted-proxy and the request carried proxy headers, allowing an untrusted-origin page to connect through a trusted reverse proxy and obt...

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

CVE-2026-32302 OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode

OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted rever...

EUVD-2026-11717

OpenClaw: Untrusted web origins can obtain authenticated operator.admin access in trusted-proxy mode...

CVE-2019-25520 Jettweb PHP Hazir Haber Sitesi Scripti V1 Authentication Bypass

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. Attackers can submit SQL injection payloads in the username and...

CVE-2019-25515

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. Attackers can bypass authentication by submitting equals signs and...