87078 matches found

Positive Technologies
added 2026/04/08 12:0 a.m., 5 views

PT-2026-31280

Summary A path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the router may not match paths containing repeated slashes, while serveStatic...

CVSS 5.3, AI score 5.9, EPSS 0.00376
Exploits 0, References 5
CNVD
added 2026/04/08 12:0 a.m., 3 views

OpenClaw has an unspecified vulnerability (CNVD-2026-16698)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker with operator.pairing privileges to mint tokens with broader privileges, obtain an operator.admin token and execute...

CVSS 9.9, AI score 7.7, EPSS 0.0054
Exploits 0
CNNVD
added 2026/04/08 12:0 a.m., 10 views

CI4MS security vulnerability

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.4.0 contained security vulnerabilities. These vulnerabilities stemmed from the improper storage and rendering of blacklist remark parameters into HTML attributes, potentially allowing...

CVSS 4.8, AI score 6.1, EPSS 0.0023
Exploits 1, References 1
Cvelist
added 2026/04/08 12:0 a.m., 18 views

CVE-2025-52222

D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rden, rdauth, rdacct, httphadmin,...

EPSS 0.00326
Exploits 0, References 2
Positive Technologies
added 2026/04/08 12:0 a.m., 4 views

PT-2026-31552

Name of the Vulnerable Software and Affected Versions PHPGurukul Online Course Registration version 3.1 Description A security issue exists in PHPGurukul Online Course Registration 3.1 related to the processing of the /admin/check availability.php file. Manipulation of the regno argument can lead...

CVSS 7.5, AI score 7.1, EPSS 0.00254
Exploits 0, References 12
CNNVD
added 2026/04/08 12:0 a.m., 6 views

CI4MS cross-site scripting vulnerability

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS prior to 0.31.4.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the Pages module not applying the htmlpurify validation rule to content fields, allowing authenticated...

CVSS 5.5, AI score 5.9, EPSS 0.00247
Exploits 1, References 1
Patchstack
added 2026/04/07 11:22 p.m., 5 views

WordPress Inquiry form to posts or pages plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field vulnerability

Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Inquiry form to posts or pages versions <= 1.0...

CVSS 4.4, AI score 5.9, EPSS 0.00254
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2026/04/07 11:1 p.m., 7 views

CVE-2026-35180

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

CVSS 4.3, AI score 5.8, EPSS 0.00112
Exploits 1, References 1
RedhatCVE
added 2026/04/07 11:1 p.m., 3 views

CVE-2026-35181

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

CVSS 4.3, AI score 5.9, EPSS 0.00134
Exploits 1, References 1
RedhatCVE
added 2026/04/07 11:1 p.m., 4 views

CVE-2026-35182

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, AI score 5.9, EPSS 0.00336
Exploits 1, References 1
RedhatCVE
added 2026/04/07 11:1 p.m., 4 views

CVE-2026-35174

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download...

CVSS 9.1, AI score 6.2, EPSS 0.00559
Exploits 0, References 1
NVD
added 2026/04/07 9:17 p.m., 3 views

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVSS 6.1, EPSS 0.00171
Exploits 1, References 1
Cvelist
added 2026/04/07 8:22 p.m., 16 views

CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVSS 5.3, EPSS 0.00171
Exploits 1, References 1
ATTACKERKB
added 2026/04/07 8:22 p.m., 2 views

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVSS 5.3, AI score 6, EPSS 0.00171
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2026/04/07 8:22 p.m., 4 views

CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVSS 5.3, AI score 5.9, EPSS 0.00171
Exploits 1, References 1
EUVD
added 2026/04/07 8:22 p.m., 4 views

EUVD-2026-19923

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVSS 5.3, AI score 6, EPSS 0.00171
Exploits 1, References 1
CVE
added 2026/04/07 8:22 p.m., 8 views

CVE-2026-39400

Cronicle suffers a Stored XSS vulnerability in versions before 0.9.111. A non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without ...

CVSS 6.1, AI score 6, EPSS 0.00171
Exploits 1, References 1, Affected Software 1
Snyk
added 2026/04/07 8:17 p.m., 3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of Mustache navigation templates when user-controlled values are interpolated into the href attribute without proper URL scheme validation. An attacker can execute arbitrary JavaScript in the...

CVSS 4.8, AI score 5.7, EPSS 0.00176
Exploits 1, References 2
OSV
added 2026/04/07 8:17 p.m., 2 views

GHSA-CPM7-CFPX-3HVP Emissary has Stored XSS via Navigation Template Link Injection

Summary Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting XSS against other...

CVSS 4.8, AI score 5.8, EPSS 0.00176
Exploits 1, References 5
Github Security Blog
added 2026/04/07 8:17 p.m., 6 views

Emissary has Stored XSS via Navigation Template Link Injection

Summary Mustache navigation templates interpolated configuration-controlled link values directly into href attributes without URL scheme validation. An administrator who could modify the navItems configuration could inject javascript: URIs, enabling stored cross-site scripting XSS against other...

CVSS 4.8, AI score 5.9, EPSS 0.00176
Exploits 1, References 5, Affected Software 1