PT-2026-32166

ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL...

ImpressCMS SQL注入漏洞

ImpressCMS is a modular content management system CMS based on MySQL, developed by ImpressCMS Inc. This system includes modules for news publishing, forums, and photo albums. Version 1.3.11 of ImpressCMS has a SQL injection vulnerability, which stems from insufficient input validation for the bid...

Pachno 1.0.6 (uploadfile) Unrestricted File Upload Remote Code Execution

Summary Pachno is an open-source collaboration platform formerly known as The Bug Genie designed for team project management, issue tracking, and documentation. It offers a module-based, customizable environment for software development and team workflows, distributed under the Mozilla Public...

Updated python-django packages fix security vulnerabilities

ASGI header spoofing via underscore/hyphen conflation. CVE-2026-3902 Privilege abuse in GenericInlineModelAdmin. CVE-2026-4277 Privilege abuse in ModelAdmin.listeditable. CVE-2026-4292 Potential denial-of-service vulnerability in MultiPartParser via base64-encoded file upload. CVE-2026-33033...

Exploit for Cross-site Scripting in Churchcrm

CVE-2025-67875: ChurchCRM has stored XSS via Person Property A...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the AdminService/StreamWorkflowReplicationMessages endpoint. An attacker can access replication streams and exfiltrate data by connecting to the frontend gRPC server without providing...

CVE-2026-5724

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in the GetSystemLogs, SSESubscribeSystemLogs, and WSSubscribeSystemLogs endpoints. A non-admin user can access sensitive server log information, including error stack traces,...

GHSA-W8JJ-CWMC-WGQ2 Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass

Summary All 9 comment panel admin endpoints /api/panel/comments/ are missing RequireScopes middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions e.g., echo:read only can perfo...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to the lack of a RequireScopes call in internal/router/comment.go comment panel admin endpoint. An attacker can gain unauthorized access to comment moderation operations, including listing, approving, rejecting...

GHSA-FWG7-53P4-G33C Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass

Summary All 9 comment panel admin endpoints /api/panel/comments/ are missing RequireScopes middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions e.g., echo:read only can perfo...

Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session

Summary The PUT /user endpoint is protected by RequireScopes"profile:read", which is a read-only scope. However, the endpoint performs write operations including password changes. An attacker who obtains an admin's restricted profile:read access token can change the admin's password, then login t...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the PUT /user route. An attacker can gain full administrative privileges by using a read-only access token to change the administrator's password, then logging in to obtain an unrestricted session token that...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the PUT /user route. An attacker can gain full administrative privileges by using a read-only access token to change the administrator's password, then logging in to obtain an unrestricted session token that...

GHSA-HM2H-WWWH-G49X Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session

Summary The PUT /user endpoint is protected by RequireScopes"profile:read", which is a read-only scope. However, the endpoint performs write operations including password changes. An attacker who obtains an admin's restricted profile:read access token can change the admin's password, then login t...

Ech0: Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs

Summary Ech0 allows any authenticated user to read historical system logs and subscribe to live log streams because the dashboard log endpoints validate only that a JWT is present and valid, but do not require an administrator role or privileged scope. Impact Any valid user session can access GET...