GHSA-GFPW-JGVR-CW4J Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability
Summary A cross-site scripting XSS vulnerability in Fleet’s Windows MDM authentication flow could allow an attacker to compromise a Fleet user account. In certain cases, this could lead to administrative access and the ability to perform privileged actions on managed devices. Impact If Windows MD...
CVE-2026-22596
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...
BIT-GHOST-2026-22596 Ghost has SQL Injection in Members Activity Feed
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...
PoC-Apisix
PoC-Apisix RCE via serverless-pre-function plugin when Admi...
CVE-2026-22597 Ghost has SSRF via External Media Inliner
Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF...
CVE-2026-22596 Ghost has SQL Injection in Members Activity Feed
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...
CVE-2022-31367
Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses...
CVE-2020-10574
An issue was discovered in Janus through 0.9.1. janus.c tries to use a string that doesn't actually exist during a "querylogger" Admin API request, because of a typo in the JSON validation...
CVE-2024-39020
idccms v1.35 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability via /admin/vpsApiDatadeal.php?mudi=rev=close...
GHSA-GJRP-XGMH-X9QQ Ghost has SQL Injection in Members Activity Feed
Impact A vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. Vulnerable versions This vulnerability is present in Ghost v5.90.0 to v5.130.5 and Ghost v6.0.0 to v6.10.3. Patches v5.130.6 and...
CVE-2025-15442 CRMEB product_list sql injection
A vulnerability was determined in CRMEB up to 5.6.1. This vulnerability affects unknown code of the file /adminapi/export/productlist. This manipulation of the argument cateid causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized...
CRMEB SQL injection vulnerability
CRMEB is a Java mall system of CRMEB open source. A SQL injection vulnerability exists in CRMEB 5.6.1 and earlier versions, which originates from the incorrect operation of the parameter cateid in the file /adminapi/product/productexport, which could lead to a SQL injection attack...
CRMEB SQL injection vulnerability
CRMEB is a Java mall system of CRMEB open source. A SQL injection vulnerability exists in CRMEB 5.6.1 and earlier versions, which stems from the incorrect operation of the parameter cateid in the file /adminapi/export/productlist, which may lead to SQL injection attacks...
CVE-2025-66906
Cross Site Request Forgery CSRF vulnerability in Turms Admin API through v0.10.0-SNAPSHOT allows attackers to gain escalated privileges...
EUVD-2025-204543
Cross Site Request Forgery CSRF vulnerability in Turms Admin API through v0.10.0-SNAPSHOT allows attackers to gain escalated privileges...