Lucene search
K

2349 matches found

EUVD
EUVD
added 2026/05/13 6:30 p.m.12 views

EUVD-2026-29943

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken...

5.1CVSS5.8AI score0.00207EPSS
Exploits0References3
NVD
NVD
added 2026/05/13 4:16 p.m.13 views

CVE-2020-37217

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=adduser endpoint with POST requests...

5.1CVSS0.0014EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/13 2:21 p.m.12 views

CVE-2026-6710

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaAppsAdminAppPage function. This makes it possible for unauthenticated attackers to trick a site...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References1
NVD
NVD
added 2026/05/13 1:16 p.m.12 views

CVE-2026-42950

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken...

5.1CVSS0.00207EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/13 12:2 p.m.62 views

CVE-2026-42950

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken...

5.1CVSS0.00207EPSS
Exploits0References2
CVE
CVE
added 2026/05/13 12:2 p.m.23 views

CVE-2026-42950

The CVE-2026-42950 entry concerns ELECOM wireless LAN access point devices where the language parameter can be given an inappropriate value. The underlying issue may cause the admin page in the user’s web browser to become broken if a logged-in user visits a malicious page. Documented impact is b...

5.1CVSS5.8AI score0.00207EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/13 12:2 p.m.7 views

CVE-2026-42950

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken...

5.1CVSS5.8AI score0.00207EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/13 12:2 p.m.7 views

CVE-2026-42950

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken...

5.1CVSS5.8AI score0.00207EPSS
Exploits0References3Affected Software4
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.11 views

ELECOM WAB 代码问题漏洞

ELECOM WAB is a series of wireless access points produced by the ELECOM company in Japan. ELECOM WAB has a code vulnerability that stems from the lack of checking whether the language parameter has an appropriate value. This vulnerability may cause administrator pages to be displayed incorrectly ...

5.1CVSS6.2AI score0.00207EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.19 views

PT-2026-40600

ELECOM wireless LAN access point devices do not check if language parameter has an appropriate value. If a user views a malicious page while logged in, the admin page on the user's web browser may become broken...

5.1CVSS5.8AI score0.00207EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.16 views

PT-2026-39964

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps Admin AppPage function. This makes it possible for unauthenticated attackers to trick a site...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References6
NVD
NVD
added 2026/05/10 1:16 p.m.17 views

CVE-2022-50970

WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrar...

5.4CVSS0.00172EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/10 12:52 p.m.11 views

CVE-2021-47950 Advanced Guestbook 2.4.4 Persistent XSS via Smilies

Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the semotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in...

6.4CVSS5.7AI score0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/10 12:13 p.m.37 views

CVE-2022-50970 WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter

WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrar...

5.4CVSS0.00172EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/10 12:12 p.m.10 views

CVE-2022-50961 WordPress Plugin IP2Location Country Blocker 2.26.7 Stored XSS

WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page setting...

6.4CVSS5.9AI score0.00191EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/10 12:12 p.m.6 views

CVE-2022-50960

WordPress International SMS for Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary...

6.1CVSS5.9AI score0.00187EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/10 12:12 p.m.17 views

CVE-2022-50960

The vulnerability is in WordPress International Sms For Contact Form 7 Integration v1.2, which contains a reflected XSS in the page parameter of the admin settings interface. The issue is triggered via class-sms-log-display.php, allowing an attacker to inject malicious JavaScript that runs in adm...

6.1CVSS5.9AI score0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/07 11:45 p.m.54 views

CVE-2026-8117 SourceCodester Pizzafy Ecommerce System index.php cross site scripting

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been...

5.3CVSS0.00269EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/07 1:25 a.m.58 views

CVE-2026-6222 Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the processRequest method in ForminatorAdminModuleEditPage admin/abstracts/class-admin-module-edit-page.php dispatching sensitive module-management actions —...

5.3CVSS0.00425EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/05/06 8:11 p.m.11 views

phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check

Summary AbstractAdministrationController::userHasPermission catches the ForbiddenException thrown when a user lacks a specific permission, sends a "forbidden" HTML page via $response-send, but does not terminate execution. The calling controller method continues to execute, fetches protected data...

7.1CVSS6AI score0.00303EPSS
Exploits0References4Affected Software2
Rows per page
Query Builder