MENNEKES AMTRON 安全漏洞

MENNEKES AMTRON is a series of electric vehicle AC charging stations and wall-mounted charging systems developed by MENNEKES. Versions of Mennekes Amtron 5.22.3 and earlier contain security vulnerabilities. These vulnerabilities stem from permission escalation, potentially allowing low-privilege...

SourceBans Material Admin 安全漏洞

SourceBans Material Admin is a game server management panel tool developed by SourceBans Material Admin developers. Version 1.1.6 of SourceBans Material Admin contains a security vulnerability. This vulnerability stems from an arbitrary file upload vulnerability present in the...

SourceBans Material Admin 安全漏洞

SourceBans Material Admin is a game server management panel tool developed by SourceBans Material Admin developers. Versions prior to 1.1.6 of SourceBans Material Admin contained security vulnerabilities; these vulnerabilities allowed attackers to manipulate arbitrary user data in web application...

Mantis Bug Tracker（MantisBT） 跨站脚本漏洞

Mantis Bug Tracker MantisBT is an open-source bug tracker developed by Mantis Bug Tracker. Versions of Mantis Bug Tracker from 1.3.0 to 2.28.1 contained a cross-site scripting vulnerability. This vulnerability occurred due to the lack of escaping of project names, allowing attackers with...

Portainer 安全漏洞

Portainer is a lightweight user management interface developed by Portainer Foundation for managing Docker environments and Docker hosts. There were security vulnerabilities in versions of Portainer Community Edition from 2.33.0 to 2.33.8, as well as in versions prior to 2.39.2 and 2.41.0. These...

CVE-2026-38702

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target...

PT-2026-44744

Name of the Vulnerable Software and Affected Versions WP Maps Pro versions prior to 6.1.1 Description The WP Maps Pro plugin for WordPress contains a flaw allowing unauthenticated attackers to create administrator accounts and achieve complete site takeover. The issue stems from a temporary acces...

CVE-2026-43000

CVE-2026-43000 affects OpenStack Keystone (identity service). Affected: Keystone before 29.0.2. The issue arises when an impersonation vulnerability in application credentials is chained with Keystone trusts, allowing a user with member role to escalate to admin by delegating the victim's admin r...

PT-2026-44462

An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file...

WordPress plugin Frontend Admin by DynamiApps 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Mattermost Server 10.11.x < 10.11.15 / 11.4.x < 11.4.5 / 11.5.x < 11.5.4 / 11.6.x < 11.6.1 Path Traversal (MMSA-2026-00640)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2026-00640 advisory. - Mattermost Server fails to check the integration URL for path traversal which allows a malicious authenticated user to call an arbitrary API via a system...

CVE-2026-30761

SourceBans Material Admin v1.1.6 contains an arbitrary file upload vulnerability in pages/admin.uploadmapimg.php that allows code execution via a crafted image file. Affected component is the upload handler; root cause is improper validation of uploaded files. CVSS v3.1 base score 7.3 (HIGH); att...

poc-wondercms-360-xss

CVE — WonderCMS 3.6.0 Stored XSS via Search Widget Severity...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/user-collection/create-first-user endpoint, which remains publicly accessible after initial setup. An attacker can obtain bcrypt password hashes of all administrator accounts and...

Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Summary A Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is...

CVE-2026-42197

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...

CVE-2026-9527

A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly...

CVE-2026-44832

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the...

CVE-2026-42197 RELATE Vulnerable to Stored XSS via Unprivileged User Profile

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...

EUVD-2026-32627

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin...