Lucene search
K

2727 matches found

CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

mall 授权问题漏洞

Mall is a set of e-commerce systems developed by Macro Personal Developers, including a front-end shopping mall system and a back-end management system. Versions of Mall 1.0.3 and earlier had authorization-related vulnerabilities. These vulnerabilities stemmed from improper authorization in the...

5.8CVSS5.9AI score0.00218EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.13 views

Sitejo HaPe PKH 跨站请求伪造漏洞

Sitejo HaPe PKH is a community poverty alleviation project management system developed by Sitejo Corporation. Version 1.1 of Sitejo HaPe PKH contains a cross-site request forgeing vulnerability. This vulnerability stems from the lack of verification of the request source, which may allow attacker...

6.9CVSS5.7AI score0.00175EPSS
Exploits0References4
Packet Storm
Packet Storm
added 2026/05/29 12:0 a.m.61 views

📄 D-Link DSL2600U Password Disclosure

D-Link DSL2600U suffers from an administrative password disclosure vulnerability. Exploit Title: D-Link DSL2600U - 'rom-0' Admin Password Disclosure Date: 2026-05-02 Exploit Author: Amir Hossein Jamshidi Vendor Homepage: https://www.dlink.com Version: DSL-2600U Tested on: ubuntu CVE : N/A Firmwar...

5.8AI score
Exploits0
Exploit DB
Exploit DB
added 2026/05/29 12:0 a.m.84 views

ZTE H298A / H108N - Unauthenticated Credential Exposure

Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure via ETHCheat Parameter Date: 2026-05-20 Exploit Author: Mina Nageh Salalma Monx Research Vendor Homepage: https://www.zte.com.cn Software Link:...

7.5CVSS5.8AI score0.24681EPSS
Exploits3
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.20 views

PT-2026-44921

A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...

5.8CVSS5.5AI score0.00218EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.9 views

PT-2026-44865

HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi user.php script with parameters like id user, password, and...

6.9CVSS5.7AI score0.00175EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/28 8:13 p.m.13 views

CVE-2026-9476

A vulnerability was identified in Totolink A8000RU 7.1cu.643b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be...

10CVSS7.1AI score0.01909EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/28 6:22 p.m.33 views

CVE-2026-45332 Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS0.00298EPSS
Exploits1References1
CVE
CVE
added 2026/05/28 6:22 p.m.19 views

CVE-2026-45332

Affected software: Automad (flat-file CMS/template engine). Vulnerability: Broken Access Control allowing an unauthenticated attacker to retrieve bcrypt password hashes of all administrator accounts (and, in 2.0.0-beta.27, TOTP secrets) via the publicly accessible /_api/user-collection/create-fir...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References1
NVD
NVD
added 2026/05/28 4:16 p.m.18 views

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

8.8CVSS0.00303EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 2:13 p.m.9 views

EUVD-2026-32902

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

8.8CVSS5.8AI score0.00303EPSS
Exploits0References2
CVE
CVE
added 2026/05/28 2:13 p.m.26 views

CVE-2026-35671

phpMyFAQ is affected by an insecure direct object reference (IDOR) in the admin API: overwrite-password allows changing any user’s password when the requester is an authenticated admin with USER_EDIT permission. The root causes cited are: (1) no verification that the requesting admin may modify t...

8.8CVSS5.8AI score0.00303EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/28 1:12 p.m.8 views

CVE-2026-8980

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin operator and manufacturer accounts via crafted POST requests...

10CVSS5.8AI score0.00331EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/28 1:12 p.m.37 views

CVE-2026-8980 Privilege Escalation

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin operator and manufacturer accounts via crafted POST requests...

10CVSS0.00331EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/28 1:12 p.m.9 views

CVE-2026-8980 Privilege Escalation

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin operator and manufacturer accounts via crafted POST requests...

10CVSS5.8AI score0.00331EPSS
Exploits1References1
CVE
CVE
added 2026/05/28 1:12 p.m.22 views

CVE-2026-8980

The CVE-2026-8980 entry concerns the Mennekes Amtron series with firmware versions ≤ 5.22.3. Affected component: firmware handling privilege levels. The vulnerability allows an authenticated low-privileged user to escalate privileges by issuing crafted POST requests to change passwords for admin ...

10CVSS5.8AI score0.00331EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.9 views

phpMyFAQ 安全漏洞

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.3 contained security vulnerabilities. These vulnerabilities stemmed from an insecure direct object reference in the management API’s user password endpoint. As a result,...

8.8CVSS5.8AI score0.00303EPSS
Exploits0References2
CVE
CVE
added 2026/05/27 12:30 a.m.19 views

CVE-2026-9609

CVE-2026-9609 affects QianFox FoxCMS up to version 1.2.6, targeting the Admin.php Edit function. The vulnerability enables weak password recovery through manipulation of the admin password flow, with remote initiation. Public exploit code exists, and the issue was reported via an issue but not ye...

5.8CVSS5.5AI score0.00223EPSS
Exploits0References5
Exploit DB
Exploit DB
added 2026/05/26 12:0 a.m.69 views

D-Link DSL2600U - 'rom-0' Admin Password Disclosure

Exploit Title: D-Link DSL2600U - 'rom-0' Admin Password Disclosure Date: 2026-05-02 Exploit Author: Amir Hossein Jamshidi Vendor Homepage: https://www.dlink.com Version: DSL-2600U Tested on: ubuntu CVE : N/A Firmware Version: v1.08 from routersploit.libs.lzs.lzs import LZSDecompress import reques...

5.8AI score
Exploits0
Packet Storm
Packet Storm
added 2026/05/26 12:0 a.m.78 views

📄 ZTE ZXHN H298A / H108N Credential Disclosure

A single unauthenticated HTTP GET to /getpage.lua?pid=1000&ETHCheat=1 on ZTE H298A or H108N routers returns the live administrator password OBJUSERINFOIDPassword1, WLAN PSK WLANPSKKeyPassphrase1, and SSID in plaintext HTML. A second endpoint exposes the device serial number. -----BEGIN SECURITY...

7.5CVSS5.8AI score0.24681EPSS
Exploits3
Rows per page
Query Builder