Lucene search
K

396 matches found

Packet Storm
Packet Storm
added 2026/04/29 12:0 a.m.66 views

📄 School Management System PHP 1.0.0 Cross Site Scripting

School Management System PHP version 1.0.0 suffers from a persistent cross site scripting vulnerability that can lead to administrative account takeover. ==================================================== School Management System PHP - Stored XSS leading to Admin Account Takeover...

5AI score
Exploits0
EUVD
EUVD
added 2026/04/28 3:18 p.m.5 views

EUVD-2026-26065

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

9.8CVSS5.3AI score0.00444EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/28 3:18 p.m.28 views

CVE-2026-41873 Pony Mail: Admin account takeover via request smuggling

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

0.00444EPSS
Exploits0References1
CVE
CVE
added 2026/04/28 3:18 p.m.23 views

CVE-2026-41873

Technical details are not publicly available in the provided documents; no concrete information on affected products, versions, root cause, or fixes is present. Monitor for updates.

9.8CVSS5.3AI score0.00444EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/28 12:0 a.m.5 views

PT-2026-35747

Name of the Vulnerable Software and Affected Versions Pony Mail Lua implementation affected versions not specified Description Inconsistent interpretation of HTTP requests, known as HTTP Request/Response Smuggling, allows for admin account takeover. This occurs when a front-end server and a...

9.8CVSS5.8AI score0.00444EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/04/21 12:50 a.m.5 views

CVE-2026-39386

Neko is a a self-hosted virtual browser that runs in Docker and uses WebRTC In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance member management, room settings, broadcast control, session...

8.8CVSS5.7AI score0.00437EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.16 views

PT-2026-36921

Name of the Vulnerable Software and Affected Versions Nginx UI versions 2.0.0 through 2.3.7 Description An unauthenticated network attacker can claim the initial administrator account on a fresh instance during the first-run setup window. The public endpoint "/api/install" is accessible without...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References13
GithubExploit
GithubExploit
added 2026/04/18 10:7 a.m.118 views

Exploit for CVE-2025-53580

CVE-2025-53580 WordPress Simple Business Directory Pro Plugin...

9.8CVSS5.8AI score0.00345EPSS
Exploits1
GithubExploit
GithubExploit
added 2026/04/18 9:59 a.m.163 views

Exploit for CVE-2025-15030

CVE-2025-15030 User Profile Builder 3.15.2 - Unauthentica...

9.8CVSS5.8AI score0.00487EPSS
Exploits1
GithubExploit
GithubExploit
added 2026/04/14 5:15 p.m.155 views

Exploit for CVE-2025-24000

CVE-2025-24000 — Post SMTP Privilege Escalation Exploit Ov...

6AI score0.00546EPSS
Exploits1
Packet Storm
Packet Storm
added 2026/04/13 12:0 a.m.104 views

📄 ChurchCRM Cross Site Scripting

ChurchCRM versions 6.5.2 and below suffer from a persistent cross site scripting vulnerability in the person property assignment functionality. Note that the advisory says versions 6.3.0 and below are affected but the CVE entry states versions prior to 6.5.3. CVE-2025-67875: ChurchCRM has stored...

8.5CVSS5.2AI score0.00164EPSS
Exploits3
GithubExploit
GithubExploit
added 2026/04/06 7:59 p.m.111 views

Multi-Stage-Web-Attack-XSS-to-Admin-Takeover-and-RCE

🛡️ Multi-Stage Web Attack: XSS to Admin Takeover & RCE This p...

6AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/06 5:0 p.m.2 views

CVE-2026-25726

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now.UnixNano to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated...

9.8CVSS5.8AI score0.00376EPSS
Exploits0References1
NVD
NVD
added 2026/04/03 8:16 p.m.6 views

CVE-2026-25726

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now.UnixNano to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated...

9.8CVSS0.00376EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/03 8:6 p.m.27 views

CVE-2026-25726 Cloudreve is vulnerable to Account Takeover via Weak Cryptographic Token Generation (Insecure PRNG Seeding)

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now.UnixNano to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated...

8.1CVSS0.00376EPSS
Exploits0References2
NVD
NVD
added 2026/04/02 3:16 p.m.6 views

CVE-2026-34974

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with editfaq permission can upload a malicious SVG that executes...

5.4CVSS0.00176EPSS
Exploits1References2
CVE
CVE
added 2026/04/02 2:48 p.m.21 views

CVE-2026-34974

The CVE-2026-34974 vulnerability affects phpMyFAQ prior to version 4.1.1, where the SVG sanitizer (SvgSanitizer.php) uses regexes that can be bypassed by HTML entity encoding in javascript: URLs inside SVG attributes. An attacker with edit_faq permission can upload a malicious SVG that executes ...

5.4CVSS5.8AI score0.00176EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/02 2:48 p.m.2 views

CVE-2026-34974

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with editfaq permission can upload a malicious SVG that executes...

5.4CVSS5.8AI score0.00176EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/01 10:7 p.m.8 views

CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Blog Category Title Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Category Title in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog categories. An...

9.9CVSS6.2AI score0.00324EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/01 10:7 p.m.2 views

GHSA-X7WH-G25G-53VG CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability: Stored DOM XSS via Blog Post Content Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker...

9.1CVSS6.2AI score0.00317EPSS
Exploits1References4
Rows per page
Query Builder