87873 matches found
CVE-2026-62422
CVE-2026-62422 affects JetBrains YouTrack, with authentication bypass via direct database access that enables administrative access. Affects: YouTrack builds listed in the entry (before 2026.1.13757; 2025.3.148033; 2025.2.148048; 2025.1.148120; 2024.3.148430; 2024.2.148429). The entry does not pr...
CVE-2026-56451
A vulnerability has been identified in Opcenter X All versions V2604. Affected applications do not properly validate the algorithm specified in the JSON Web Token JWT header. This could allow an unauthenticated remote attacker to forge arbitrary JWT, bypass authentication mechanisms and impersona...
CVE-2026-58319
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...
EUVD-2026-43653
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...
CVE-2026-58319 Apache Doris: Improper Authentication in Frontend HTTP API
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...
CVE-2026-58319
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...
CVE-2026-56451
A vulnerability has been identified in Opcenter X All versions V2604. Affected applications do not properly validate the algorithm specified in the JSON Web Token JWT header. This could allow an unauthenticated remote attacker to forge arbitrary JWT, bypass authentication mechanisms and impersona...
EUVD-2026-43650
A vulnerability has been identified in Opcenter X All versions V2604. Affected applications do not properly validate the algorithm specified in the JSON Web Token JWT header. This could allow an unauthenticated remote attacker to forge arbitrary JWT, bypass authentication mechanisms and impersona...
EUVD-2026-43647
In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker only...
Aajoda Testimonials < 2.2.2 - Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. id: CVE-2023-2178 info: name: Aajoda Testimonials...
System Dashboard < 2.8.15 - Admin+ Path Traversal
The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server id: CVE-2024-10708 info: name: System Dashboard 2.8.15 - Admin+ Path...
ISPConfig - PHP Code Injection
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if adminallowlangedit is enabled. id: CVE-2023-46818 info: name: ISPConfig - PHP Code Injection author: non-things severity: high description: | An issue was discovered...
Wavlink WL-WN533A8 M33A8.V5030.190716 - Information Disclosure
An access control issue in the component /cgi-bin/ExportLogs.sh of Wavlink WL-WN533A8 M33A8.V5030.190716 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials. id: CVE-2022-48164 info: name: Wavlink WL-WN533A8 M33A8.V5030.190716 - Information...
WordPress Admin Font Editor <=1.8 - Cross-Site Scripting
WordPress Admin Font Editor 1.8 and before contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...
Etherpad Lite <1.6.4 - Admin Authentication Bypass
Etherpad Lite before 1.6.4 is exploitable for admin access. id: CVE-2018-9845 info: name: Etherpad Lite 1.6.4 - Admin Authentication Bypass author: philippedelteil severity: critical description: Etherpad Lite before 1.6.4 is exploitable for admin access. impact: | An attacker can bypass the admi...
W&B Weave Server - Remote Arbitrary File Leak
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin. id:...
Sidekiq < 7.0.8 - Cross-Site Scripting
An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...
GetSimple CMS 3.3.13 - Open Redirect
GetSimple CMS 3.3.13 contains an open redirect vulnerability via the admin/index.php redirect parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2019-9915 info: name: GetSimple CMS...
WPBot <= 8.4.9 - Cross-Site Scripting
WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...
Gorse < 0.5.10 - Unauthenticated Database Dump
Gorse 0.5.10 contains an authentication bypass caused by empty adminapikey in /api/dump and /api/restore endpoints, letting unauthenticated remote attackers access and modify protected data, exploit requires default empty adminapikey configuration. id: CVE-2026-56782 info: name: Gorse 0.5.10 -...