Bagisto Missing Authentication on Installer API Endpoints

Vulnerable Code File: packages/Ibkul/Installer/src/Routes/Ib.php groupfunction Route::controllerInstallerController::class-\groupfunction Route::get'install', 'index'-\name'installer.index'; Route::middlewareStartSession::class-\prefix'install/api'-\groupfunction Route::post'env-file-setup',...

CVE-2026-21446

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints /install/api/ are directly accessible and exploitable without any authentication. An attacker can...

CVE-2026-21446 Bagisto Missing Authentication on Installer API Endpoints

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints /install/api/ are directly accessible and exploitable without any authentication. An attacker can...

CVE-2026-21446 Bagisto Missing Authentication on Installer API Endpoints

Bagisto is an open source laravel eCommerce platform. In versions on the 2.3 branch prior to 2.3.10, API routes remain active even after initial installation is complete. The underlying API endpoints /install/api/ are directly accessible and exploitable without any authentication. An attacker can...

CVE-2026-21446

Summary (CVE-2026-21446) Bagisto (Laravel-based eCommerce) prior to 2.3.10 exposes installer API endpoints under /install/api/* that remain accessible after installation. The root cause is unauthenticated access to API routes (no auth/CSRF in /install/api/*), enabling an attacker to create admin ...

CVE-2018-25134

Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative account...

CVE-2018-25134 Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass via webNewAcct.cgi

Synaccess netBooter NP-02x/NP-08x 6.8 contains an authentication bypass vulnerability in the webNewAcct.cgi script that allows unauthenticated attackers to create admin user accounts. Attackers can exploit the missing control check by sending crafted POST requests to create administrative account...

📄 Litespeed Cache 6.4.0.1 Privilege Escalation

WordPress Litespeed Cache plugin version 6.4.0.1 allows attackers to brute-force authentication hashes and create administrative users without any initial credentials...

PT-2025-53333

Name of the Vulnerable Software and Affected Versions Beward N100 H.264 VGA IP Camera version M2.1.6 Description The Beward N100 H.264 VGA IP Camera version M2.1.6 contains a cross-site request forgery issue. This allows attackers to perform administrative actions without proper validation of...

📄 WordPress ACF 0.9.1.1 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the Advanced Custom Fields: Extended ACF Extended WordPress plugin versions 0.9.0.5 through 0.9.1.1. The vulnerability exists in the prepareform function of the acfemoduleformfrontrender class, which accepts...

CVE-2025-68434

Open Source Point of Sale opensourcepos is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery CSRF vulnerability exists in the application's filter configuration. The CSRF protection...

CVE-2023-53923 UliCMS 2023.1 Privilege Escalation via Unauthenticated Admin Account Creation

UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrative accounts through the UserController endpoint. Attackers can send a crafted POST request to /dist/admin/index.php with specific parameters to generate a new admin user with fu...

CVE-2023-53914 UliCMS 2023.1 Authentication Bypass via Mass Assignment Vulnerability

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative...

CVE-2023-53914 UliCMS 2023.1 Authentication Bypass via Mass Assignment Vulnerability

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through mass assignment in the UserController. Attackers can send a crafted POST request to the admin index.php endpoint with specific parameters to generate an administrative...

CVE-2023-53914

CVE-2023-53914 affects UliCMS 2023.1. An authentication bypass exists due to mass assignment in the UserController, enabling unauthenticated attackers to create admin users by sending a crafted POST to the admin/index.php endpoint with specific parameters, yielding full system access. Root cause:...

EUVD-2025-204014

Open Source Point of Sale opensourcepos is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery CSRF vulnerability exists in the application's filter configuration. The CSRF protection...

CVE-2023-53895

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...

Exploit for CVE-2025-68434

CVE-2025-68434: CSRF Unauthorized Administrator Creation in Op...

Exploit for Authentication Bypass Using an Alternate Path or Channel in Jetbrains Teamcity

CVE-2024-27198 – JetBrains TeamCity Authentication Bypass & RC...

PT-2025-51977

Name of the Vulnerable Software and Affected Versions Open Source Point of Sale versions 3.4.0 through 3.4.1 Description Open Source Point of Sale is a web based point of sale application written in PHP using the CodeIgniter framework. Versions 3.4.0 through 3.4.1 have a Cross-Site Request Forger...