RedhatCVE, added 2026/04/07 5:42 p.m.

CVE-2026-4277

A flaw was found in Django. This vulnerability allows an attacker to bypass permission validation by submitting forged POST data to the GenericInlineModelAdmin component. As a result, unauthorized inline model instances could be added, potentially leading to privilege abuse or unauthorized data...

CVSS 9.8, AI score 5.8, EPSS 0.00458
Exploits 0, References 7

RedhatCVE, added 2026/04/07 5:42 p.m.

CVE-2026-4292

A flaw was found in Django. Admin changelist forms using ModelAdmin.list_editable were susceptible to improper access control. A remote attacker could exploit this by sending forged POST data, leading to the unauthorized creation of new instances within the application. Mitigation: Mitigation f...

CVSS 5.3, AI score 5.8, EPSS 0.00294
Exploits 0, References 6
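
Added example, not Django's code: the two Django entries above describe the same shape of bug, a handler that trusts the client-supplied formset rows and turns any extra row into a new object without an add-permission check. The simplified handler below models that pattern with hypothetical names (User, Store, parse_formset, save_formset_vulnerable, save_formset_hardened) and a constructed POST body; it is not how Django's admin is implemented, only the behaviour the advisories describe.

```python
"""Simplified model of an admin formset handler (added example, not Django code).

A changelist with editable rows (or an inline formset) receives a management
form saying how many rows are in the POST. An attacker who may only *change*
existing rows can forge extra rows with an empty primary key; if the server
saves every row it sees, new instances get created without an add permission
check. All names below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    perms: set = field(default_factory=set)   # e.g. {"change"} or {"add", "change"}


@dataclass
class Store:
    rows: dict = field(default_factory=dict)  # pk -> dict of fields
    next_pk: int = 1

    def create(self, data):
        pk = self.next_pk
        self.next_pk += 1
        self.rows[pk] = dict(data)
        return pk

    def update(self, pk, data):
        self.rows[pk].update(data)


def parse_formset(post):
    """Extract rows from a formset-style POST: form-TOTAL_FORMS, form-0-id, form-0-name, ..."""
    total = int(post.get("form-TOTAL_FORMS", "0"))
    rows = []
    for i in range(total):
        prefix = f"form-{i}-"
        pk = post.get(prefix + "id", "")
        fields = {k[len(prefix):]: v for k, v in post.items()
                  if k.startswith(prefix) and k != prefix + "id"}
        rows.append((int(pk) if pk else None, fields))
    return rows


def save_formset_vulnerable(user, store, post):
    """Saves every row it was sent; only the view-level 'change' permission is checked."""
    if "change" not in user.perms:
        raise PermissionError("change permission required")
    created = []
    for pk, fields in parse_formset(post):
        if pk is None:                      # forged extra row silently becomes an add
            created.append(store.create(fields))
        else:
            store.update(pk, fields)
    return created


def save_formset_hardened(user, store, post):
    """Same handler, but a row without a pk is an *add* and requires the add permission."""
    if "change" not in user.perms:
        raise PermissionError("change permission required")
    rows = parse_formset(post)
    if any(pk is None for pk, _ in rows) and "add" not in user.perms:
        raise PermissionError("add permission required to create new rows")
    created = []
    for pk, fields in rows:
        if pk is None:
            created.append(store.create(fields))
        else:
            store.update(pk, fields)
    return created


# Constructed forged POST: the page legitimately showed one row (pk 1); the
# attacker bumps TOTAL_FORMS and appends a row with an empty id.
FORGED_POST = {
    "form-TOTAL_FORMS": "2",
    "form-0-id": "1", "form-0-name": "existing row, edited",
    "form-1-id": "",  "form-1-name": "injected row",
}


def demo():
    """Returns (pks created by the vulnerable handler, error raised by the hardened handler)."""
    editor = User("editor", {"change"})           # change-only user, no add permission
    store = Store(rows={1: {"name": "existing row"}}, next_pk=2)
    created = save_formset_vulnerable(editor, store, FORGED_POST)
    store2 = Store(rows={1: {"name": "existing row"}}, next_pk=2)
    try:
        save_formset_hardened(editor, store2, FORGED_POST)
        err = None
    except PermissionError as e:
        err = str(e)
    return created, err


if __name__ == "__main__":
    print(demo())
```

The hardened variant decides per row whether the operation is an add or a change and checks the matching permission before touching the store; the view-level check alone says nothing about what the POST body contains.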
Vulnrichment, added 2026/04/07 5:40 p.m.

CVE-2026-39336 ChurchCRM has Stored XSS from unescaped config values in HTML attributes

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

CVSS 6.1, AI score 5.8, EPSS 0.00207
Exploits 0, References 1

EUVD, added 2026/04/07 5:40 p.m.

EUVD-2026-19833

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

CVSS 6.1, AI score 5.8, EPSS 0.00207
Exploits 0, References 1

Vulnrichment, added 2026/04/07 5:32 p.m.

CVE-2026-39328 ChurchCRM has Stored XSS in Social Profile Fields

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

CVSS 8.9, AI score 5.9, EPSS 0.00203
Exploits 0, References 1

ATTACKERKB, added 2026/04/07 5:32 p.m.

CVE-2026-39328

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

CVSS 8.9, AI score 5.9, EPSS 0.00203
Exploits 0, References 2, Affected Software 1

EUVD, added 2026/04/07 5:29 p.m.

EUVD-2026-19810

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the index (array key) of the type array parameter and thus extra...

CVSS 7.2, AI score 6.0, EPSS 0.00254
Exploits 0, References 1
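
Added example, not ChurchCRM's code: the entry above places the injection point in the index of the type array rather than in its value, which is exactly the part a "values only" escaping routine leaves untouched. The sqlite3 demonstration below uses a hypothetical person table and constructed form data; it shows a loop that escapes values but pastes keys into the statement, a boolean-blind probe carried by that key, and the hardened loop that validates the key and binds both key and value as parameters.

```python
"""Added example (not ChurchCRM code): why an array *key* is attacker input too.

A settings form posts something like type[12]=Admin&type[13]=Member. A handler
that loops over that array and pastes the index into SQL is injectable even if
it escapes the values. Table and column names here are hypothetical.
"""
import re
import sqlite3


def make_db():
    """Constructed in-memory database with two people and a secret column to extract."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, role TEXT, secret TEXT)")
    con.executemany("INSERT INTO person VALUES (?,?,?,?)", [
        (12, "alice", "Member", "s3cret-a"),
        (13, "bob", "Member", "s3cret-b"),
    ])
    return con


def update_roles_vulnerable(con, type_param):
    """Escapes the value but interpolates the array index straight into the statement."""
    for idx, role in type_param.items():
        safe_role = role.replace("'", "''")
        con.execute(f"UPDATE person SET role = '{safe_role}' WHERE id = {idx}")
    con.commit()


def update_roles_hardened(con, type_param):
    """Requires each index to be a plain integer and binds key and value as parameters."""
    rows = []
    for idx, role in type_param.items():
        if not re.fullmatch(r"[0-9]+", str(idx)):
            raise ValueError(f"rejecting non-numeric index {idx!r}")
        rows.append((role, int(idx)))
    con.executemany("UPDATE person SET role = ? WHERE id = ?", rows)
    con.commit()


def roles(con):
    return dict(con.execute("SELECT id, role FROM person ORDER BY id").fetchall())


def demo_mass_update():
    """Constructed malicious form: the payload rides in the index, the value is harmless."""
    con = make_db()
    update_roles_vulnerable(con, {"12 OR 1=1": "Admin"})
    return roles(con)


def demo_blind_extract(prefix):
    """Boolean-blind probe through the index: bob's role flips iff his secret starts with prefix."""
    con = make_db()
    idx = f"0 OR (id = 13 AND secret LIKE '{prefix}%')"
    update_roles_vulnerable(con, {idx: "probe"})
    return roles(con)[13] == "probe"


def demo_hardened():
    """Same malicious index against the hardened loop: rejected before any SQL runs."""
    con = make_db()
    try:
        update_roles_hardened(con, {"12 OR 1=1": "Admin"})
    except ValueError as e:
        return str(e), roles(con)
    return None, roles(con)


if __name__ == "__main__":
    print(demo_mass_update())
    print(demo_blind_extract("s3cret-b"), demo_blind_extract("zzz"))
    print(demo_hardened())
```

The blind probe is the interesting part for the "extract" wording in the entry: an UPDATE whose WHERE clause is attacker-controlled leaks one bit per request through whether the row changed, so the secret can be recovered character by character without any data appearing in the response.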
EUVD, added 2026/04/07 5:23 p.m.

EUVD-2026-19812

ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1...

CVSS 6.1, AI score 5.9, EPSS 0.00252
Exploits 1, References 1

Cvelist, added 2026/04/07 5:23 p.m.

CVE-2026-39335 ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls

ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1...

CVSS 6.1, EPSS 0.00252
Exploits 1, References 1

CVE, added 2026/04/07 5:23 p.m.

CVE-2026-39335

ChurchCRM is affected by a Stored XSS in unescaped data-* attributes used in the Group remove control and Family editor state/country prior to version 7.1.1. The issue is fixed in 7.1.1. Impact is described as admin-to-admin stored XSS; CVSS metrics indicate Confidentiality/Integrity impact High,...

CVSS 6.1, AI score 5.9, EPSS 0.00252
Exploits 1, References 1, Affected Software 1

ATTACKERKB, added 2026/04/07 5:23 p.m.

CVE-2026-39335

ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1...

CVSS 6.1, AI score 5.9, EPSS 0.00252
Exploits 1, References 2, Affected Software 1

NVD, added 2026/04/07 5:16 p.m.

CVE-2026-35610

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-14 and earlier, setCustomPassword(userId, password) and deleteUser(userId) in the account-management module used an inverted admin check. Because of the inverted condition, authenticated non-admin users were allowed to execute bot...

CVSS 8.8, EPSS 0.00298
Exploits 1, References 1

OSV, added 2026/04/07 5:16 p.m.

PYSEC-2026-123

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch...

CVSS 6.8, AI score 5.8, EPSS 0.00142
Exploits 1, References 1

PyPA, added 2026/04/07 5:16 p.m.

PYSEC-2026-123

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the ADMIN_ONLY_CORE_OPTIONS authorization set in set_config_value uses incorrect option names ssl_cert and ssl_key, while the actual configuration option names are ssl_certfile and ssl_keyfile. This name mismatch...

CVSS 6.8, AI score 5.8, EPSS 0.00142
Exploits 1, References 1, Affected Software 1
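
Added example, not pyLoad's or PolarLearn's code: the pyLoad entries above and the PolarLearn entry before them are two ways an admin-only gate fails without any error, an allowlist whose names match no real option (so the membership test is dead code) and a condition whose sense is inverted. The block below models a set_config_value-style gate with a hypothetical config schema and constant names taken from the advisory wording, and adds the two checks a practitioner would want in a test suite: a drift check that cross-references the allowlist against the real option names, and a matrix test that exercises every option as admin and as non-admin against the intended policy.

```python
"""Added example (not pyLoad or PolarLearn code): two silent failures of an
admin-only gate, and a check for each.

1. Name drift (pyLoad entry): the allowlist names options that do not exist,
   so the membership test never fires and non-admins can set the real
   ssl_certfile / ssl_keyfile options.
2. Inverted condition (PolarLearn entry): the gate denies admins and lets
   everyone else through.

The schema and the function/constant names are hypothetical stand-ins
modelled on the advisory text, not the projects' real code.
"""
import copy

# Constructed schema: section -> option -> default value.
CONFIG_SCHEMA = {
    "core": {
        "ssl_certfile": "ssl.crt",
        "ssl_keyfile": "ssl.key",
        "log_folder": "logs",
        "max_downloads": 3,
    },
}

INTENDED_ADMIN_ONLY = {"ssl_certfile", "ssl_keyfile"}       # the policy we mean to enforce
ADMIN_ONLY_CORE_OPTIONS_BROKEN = {"ssl_cert", "ssl_key"}     # names that match nothing
ADMIN_ONLY_CORE_OPTIONS_FIXED = set(INTENDED_ADMIN_ONLY)


def set_config_value(config, admin_only, user_is_admin, section, option, value):
    """Correctly shaped gate: deny non-admins on admin-only core options."""
    if option not in config.get(section, {}):
        raise KeyError(f"unknown option {section}.{option}")
    if section == "core" and option in admin_only and not user_is_admin:
        raise PermissionError(f"{option} is admin-only")
    config[section][option] = value
    return value


def set_config_value_inverted(config, admin_only, user_is_admin, section, option, value):
    """Same gate with the admin test inverted, the shape of the PolarLearn bug."""
    if option not in config.get(section, {}):
        raise KeyError(f"unknown option {section}.{option}")
    if section == "core" and option in admin_only and user_is_admin:
        raise PermissionError(f"{option} is admin-only")
    config[section][option] = value
    return value


def allowlist_drift(config, admin_only, section="core"):
    """Allowlist entries naming no real option; a non-empty result means the gate is dead code."""
    return sorted(admin_only - set(config.get(section, {})))


def gate_matrix(gate, config, admin_only, intended=INTENDED_ADMIN_ONLY):
    """Exercise every core option as admin and as non-admin against the intended policy.

    Returns the options whose outcome is wrong; catches both name drift and an
    inverted check, because it tests behaviour rather than the allowlist's contents.
    """
    wrong = set()
    for option in config["core"]:
        for is_admin in (True, False):
            cfg = copy.deepcopy(config)
            try:
                gate(cfg, admin_only, is_admin, "core", option, "x")
                allowed = True
            except PermissionError:
                allowed = False
            expected = is_admin or option not in intended
            if allowed != expected:
                wrong.add(option)
    return sorted(wrong)


if __name__ == "__main__":
    print("drift:", allowlist_drift(CONFIG_SCHEMA, ADMIN_ONLY_CORE_OPTIONS_BROKEN))
    print("broken allowlist:", gate_matrix(set_config_value, CONFIG_SCHEMA, ADMIN_ONLY_CORE_OPTIONS_BROKEN))
    print("fixed allowlist:", gate_matrix(set_config_value, CONFIG_SCHEMA, ADMIN_ONLY_CORE_OPTIONS_FIXED))
    print("inverted gate:", gate_matrix(set_config_value_inverted, CONFIG_SCHEMA, ADMIN_ONLY_CORE_OPTIONS_FIXED))
```

The drift check is cheap and belongs wherever the schema is loaded (fail start-up if the allowlist references an unknown option); the matrix test is the one that would have flagged both advisories, since it asserts the observable outcome for every (option, role) pair instead of trusting the allowlist's spelling or the if-condition's direction.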
CVE, added 2026/04/07 5:08 p.m.

CVE-2026-35575

ChurchCRM (open-source church management) has a Stored XSS in the admin panel’s group-creation feature, prior to version 6.5.3. The vulnerability allows any user with group-creation privileges to inject malicious JavaScript that executes when an administrator views the page, enabling theft of the...

CVSS 8.0, AI score 5.9, EPSS 0.00243
Exploits 0, References 1, Affected Software 1

EUVD, added 2026/04/07 5:08 p.m.

EUVD-2026-19773

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored cross-site scripting (XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

CVSS 8.0, AI score 5.9, EPSS 0.00243
Exploits 0, References 1

Cvelist, added 2026/04/07 5:08 p.m.

CVE-2026-35575 ChurchCRM has Stored XSS in Group Name

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored cross-site scripting (XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

CVSS 8.0, EPSS 0.00243
Exploits 0, References 1

ATTACKERKB, added 2026/04/07 5:08 p.m.

CVE-2026-35575

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored cross-site scripting (XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

CVSS 8.0, AI score 5.9, EPSS 0.00243
Exploits 0, References 2, Affected Software 1
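
Added example, not ChurchCRM's code: the ChurchCRM stored-XSS entries above differ only in where the stored value lands, element text (group name), a quoted attribute value (form defaults set from config) or a data-* attribute (group remove control, family editor). The block below renders one hypothetical field into all three contexts, once raw and once escaped for the attribute context, and uses the stdlib HTML parser to show which attributes and tags a browser would actually see; field names and payloads are constructed for the example.

```python
"""Added example (not ChurchCRM code): one stored value, three HTML contexts.

Element text, a quoted attribute value and a data-* attribute each need the
value escaped, and escaping for the attribute context (quotes included) is the
one rule that covers all three. The parser below shows what a browser would
see in each case. Field names are hypothetical.
"""
import html
from html.parser import HTMLParser


def render_unsafe(label, value):
    """Template with the stored value pasted raw into all three contexts."""
    return (f'<input name="{label}" value="{value}" data-default="{value}">'
            f'<span class="group-name">{value}</span>')


def q(s):
    """Attribute-safe escaping: & < > " and ' all become entities."""
    return html.escape(str(s), quote=True)


def render_safe(label, value):
    """Same template, every interpolation escaped for the attribute context."""
    return (f'<input name="{q(label)}" value="{q(value)}" data-default="{q(value)}">'
            f'<span class="group-name">{q(value)}</span>')


class TagCollector(HTMLParser):
    """Records start tags and their (entity-decoded) attributes in document order."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []   # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend((tag, name, value) for name, value in attrs)


def parse(fragment):
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p


def event_handlers(fragment):
    """Sorted on* attribute names present anywhere in the fragment: what escaping must prevent."""
    return sorted({name for _, name, _ in parse(fragment).attrs if name.startswith("on")})


def attribute_values(fragment, name):
    """All values seen for a given attribute name, as the browser would decode them."""
    return [value for _, n, value in parse(fragment).attrs if n == name]


def script_tags(fragment):
    return parse(fragment).tags.count("script")


# Constructed payloads: one breaks out of a quoted attribute, one targets element text.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'
TEXT_PAYLOAD = '<script>alert(1)</script>'


if __name__ == "__main__":
    print("unsafe handlers:", event_handlers(render_unsafe("address1", ATTR_PAYLOAD)))
    print("safe handlers:  ", event_handlers(render_safe("address1", ATTR_PAYLOAD)))
    print("safe value:     ", attribute_values(render_safe("address1", ATTR_PAYLOAD), "value"))
    print("unsafe scripts: ", script_tags(render_unsafe("group", TEXT_PAYLOAD)))
    print("safe scripts:   ", script_tags(render_safe("group", TEXT_PAYLOAD)))
```

Two things worth noting from the parsed result: the escaped version round-trips the original string intact as the attribute value, so escaping loses no data, and the attribute payload never needs a `<` at all, which is why escaping only angle brackets (or only for text context) leaves attribute injections open.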
RedhatCVE, added 2026/04/07 5:07 p.m.

CVE-2026-33404

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index....

CVSS 6.1, AI score 5.9, EPSS 0.00145
Exploits 0, References 1

RedhatCVE, added 2026/04/07 5:06 p.m.

CVE-2026-33403

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface...

CVSS 6.1, AI score 6.0, EPSS 0.00187
Exploits 0, References 1