87126 matches found

NVD
added 2026/04/06 10:16 p.m. (8 views)

CVE-2026-35411

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, EPSS 0.00256
Exploits 0, References 1
ATTACKERKB
added 2026/04/06 9:46 p.m. (4 views)

CVE-2026-35450

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/API/check.ffmpeg.json.php endpoint probes the FFmpeg remote server configuration and returns connectivity status without any authentication. All sibling FFmpeg management endpoints kill.ffmpeg.json.php,...

CVSS 5.3, AI score 5.9, EPSS 0.0037
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2026/04/06 9:33 p.m. (3 views)

CVE-2026-35411 Directus is an Open Redirect in Admin 2FA Setup Page

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, AI score 5.9, EPSS 0.00256
Exploits 0, References 1
ATTACKERKB
added 2026/04/06 9:33 p.m. (8 views)

CVE-2026-35411

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, AI score 5.9, EPSS 0.00256
Exploits 0, References 2, Affected Software 1
Cvelist
added 2026/04/06 9:33 p.m. (14 views)

CVE-2026-35411 Directus is an Open Redirect in Admin 2FA Setup Page

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a...

CVSS 4.3, EPSS 0.00256
Exploits 0, References 1
EUVD
added 2026/04/06 8:17 p.m. (14 views)

EUVD-2026-19480

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP function in lib/admin/session.ts trusted the first (leftmost) entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to...

CVSS 8.7, AI score 6, EPSS 0.00136
Exploits 0, References 1
NVD
added 2026/04/06 8:16 p.m. (7 views)

CVE-2026-35182

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, EPSS 0.00336
Exploits 1, References 1
NVD
added 2026/04/06 8:16 p.m. (4 views)

CVE-2026-35181

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

CVSS 4.3, EPSS 0.00134
Exploits 1, References 1
GithubExploit
added 2026/04/06 7:59 p.m. (105 views)

Multi-Stage-Web-Attack-XSS-to-Admin-Takeover-and-RCE

🛡️ Multi-Stage Web Attack: XSS to Admin Takeover & RCE This p...

AI score 6
Exploits 0
Vulnrichment
added 2026/04/06 7:10 p.m. (2 views)

CVE-2026-35182 Missing Authorization Privilege Escalation

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, AI score 5.9, EPSS 0.00336
Exploits 1, References 1
ATTACKERKB
added 2026/04/06 7:10 p.m. (3 views)

CVE-2026-35182

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, AI score 5.9, EPSS 0.00336
Exploits 1, References 2, Affected Software 1
Cvelist
added 2026/04/06 7:10 p.m. (15 views)

CVE-2026-35182 Missing Authorization Privilege Escalation

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, EPSS 0.00336
Exploits 1, References 1
EUVD
added 2026/04/06 7:10 p.m. (4 views)

EUVD-2026-19458

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, AI score 5.9, EPSS 0.00336
Exploits 1, References 1
CVE
added 2026/04/06 7:10 p.m. (12 views)

CVE-2026-35182

Brave CMS (open-source) before version 2.0.6 contains a missing authorization check in the POST /rights/update-role/{id} endpoint (routes/web.php). The update-role action lacked the checkUserPermissions:assign-user-roles middleware, allowing any authenticated user to change account roles and prom...

CVSS 8.8, AI score 5.9, EPSS 0.00336
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2026/04/06 7:09 p.m. (4 views)

CVE-2026-35181 WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

CVSS 4.3, AI score 5.9, EPSS 0.00134
Exploits 1, References 1
Cvelist
added 2026/04/06 7:09 p.m. (14 views)

CVE-2026-35181 WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing...

CVSS 4.3, EPSS 0.00134
Exploits 1, References 1
CVE
added 2026/04/06 7:09 p.m. (12 views)

CVE-2026-35181

CVE-2026-35181 affects WWBN AVideo prior to 29.x. The endpoint admin/playerUpdate.json.php does not validate CSRF tokens, and the ORM security check excludes the plugins table via ignoreTableSecurityCheck(), removing the remaining defense. Coupled with SameSite=None cookies, an authenticated admi...

CVSS 4.3, AI score 5.9, EPSS 0.00134
Exploits 1, References 1, Affected Software 1
ATTACKERKB
added 2026/04/06 7:06 p.m. (4 views)

CVE-2026-35180

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

CVSS 4.3, AI score 5.8, EPSS 0.00112
Exploits 1, References 2, Affected Software 1
EUVD
added 2026/04/06 6:33 p.m. (2 views)

EUVD-2026-19365

A flaw has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This affects an unknown part of the file /admin/Add%20notice/add%20notice.php. This manipulation of the argument $_SERVER['PHP_SELF'] causes cross site scripting. It is possible to initiate th...

CVSS 4.8, AI score 4.5, EPSS 0.00206
Exploits 0, References 6
EUVD
added 2026/04/06 6:33 p.m. (9 views)

EUVD-2026-19400

A vulnerability was determined in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. Impacted is an unknown function of the file /admin/class%20schedule/deletebatch.php of the component Class Schedule Deletion Endpoint. Executing a manipulation of the argument bat...

CVSS 5.3, AI score 4.2, EPSS 0.00278
Exploits 0, References 6