Lucene search
K

87138 matches found

Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.6 views

PT-2026-30341

Name of the Vulnerable Software and Affected Versions pyLoad affected versions not specified Description pyLoad, a Python-based download manager, has a flaw where a user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store. This allows planting a maliciou...

8.8CVSS6.5AI score0.00529EPSS
Exploits2References14
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.3 views

PT-2026-30345

Name of the Vulnerable Software and Affected Versions Visitor Traffic Real Time Statistics plugin for WordPress versions up to and including 8.4 Description The Visitor Traffic Real Time Statistics plugin for WordPress is susceptible to Stored Cross-Site Scripting through the page title parameter...

7.2CVSS6.1AI score0.00257EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.9 views

PT-2026-30328

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.16.1 Description Directus is susceptible to an open redirect issue through the redirect parameter on the /admin/tfa-setup page. An administrator who has not configured Two-Factor Authentication 2FA may be redirect...

4.3CVSS5.8AI score0.00256EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.9 views

PT-2026-30351

Redaxo CMS 5.2 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the users endpoint with hidden fields...

6.9CVSS5.9AI score0.00146EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.3 views

PT-2026-30349

Snews CMS 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials without authentication by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that submits POST...

6.9CVSS5.9AI score0.00162EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/04/04 12:0 a.m.9 views

NodCMS 跨站脚本漏洞

NodCMS is a free, multilingual, and powerful CMS developed by Mojtaba, based on CodeIgniter4. NodCMS has a cross-site scripting vulnerability, which stems from a susceptibility to cross-site request forgeing attacks. This vulnerability could allow attackers to execute unauthorized administrative...

5.3CVSS5.7AI score0.00106EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.7 views

PT-2026-30379

Nodcms contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious forms. Attackers can trick authenticated administrators into submitting requests to admin/user manipulate and admin/settings/generall endpoints to...

5.3CVSS5.9AI score0.00106EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/04 12:0 a.m.25 views

VulnCheck KEV: CVE-2023-22621

Strapi through 4.5.5 allows authenticated Server-Side Template Injection SSTI that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses t...

10CVSS7.6AI score0.76825EPSS
In wildExploits2References2
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.8 views

PT-2026-30340

Name of the Vulnerable Software and Affected Versions pyLoad affected versions not specified Description The ADMIN ONLY OPTIONS protection mechanism, intended to restrict access to sensitive configuration values, is not applied to plugin configuration options. Specifically, the AntiVirus plugin...

8.8CVSS6.3AI score0.00815EPSS
Exploits1References11
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.3 views

PT-2026-30368

MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators...

7.2CVSS5.9AI score0.00225EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/04 12:0 a.m.6 views

PT-2026-30336

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior Description The plugin/CloneSite/client.log.php endpoint serves the clone operation log file without authentication. Other endpoints in the CloneSite plugin directory enforce User::isAdmin. The log contains...

5.3CVSS6AI score0.00367EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/03 11:43 p.m.5 views

AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...

4.3CVSS6AI score0.00134EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/03 11:43 p.m.4 views

GHSA-4Q27-4RRQ-FX95 AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...

4.3CVSS6AI score0.00134EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/03 11:43 p.m.3 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the admin/playerUpdate.json.php process. An attacker can modify the video player appearance across the platform by tricking an...

5.3CVSS5.8AI score0.00134EPSS
Exploits1References2
NVD
NVD
added 2026/04/03 11:17 p.m.2 views

CVE-2026-34607

Emlog is an open source website building system. In versions 2.6.2 and prior, a path traversal vulnerability exists in the emUnZip function include/lib/common.php:793. When extracting ZIP archives plugin/template uploads, backup imports, the function calls $zip-extractTo$path without sanitizing Z...

7.2CVSS0.00874EPSS
Exploits1References1
NVD
NVD
added 2026/04/03 11:17 p.m.1 views

CVE-2026-34787

Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion LFI vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a requireonce path without proper sanitization. If the CSRF token check can ...

6.5CVSS0.00511EPSS
Exploits1References1
NVD
NVD
added 2026/04/03 11:17 p.m.7 views

CVE-2017-20234

GarrettCom Magnum 6K and 10K managed switches contain an authentication bypass vulnerability that allows unauthenticated attackers to gain unauthorized access by exploiting a hardcoded string in the authentication mechanism. Attackers can bypass login controls to access administrative functions a...

9.8CVSS0.00455EPSS
Exploits0References2
NVD
NVD
added 2026/04/03 11:17 p.m.4 views

CVE-2018-25236

Hirschmann HiOS and HiSecOS products RSP, RSPE, RSPS, RSPL, MSP, EES, EESX, GRS, OS, RED, EAGLE contain an authentication bypass vulnerability in the HTTPS management module that allows unauthenticated remote attackers to gain administrative access by crafting specially formed HTTP requests...

9.8CVSS0.00502EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/04/03 11:2 p.m.3 views

CVE-2026-25212

An issue was discovered in Percona PMM before 3.7. Because an internal database user retains specific superuser privileges, an attacker with pmm-admin rights can abuse the "Add data source" feature to break out of the database context and execute shell commands on the underlying operating system...

9.9CVSS6AI score0.00289EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/03 10:51 p.m.6 views

CVE-2017-20235 ProSoft Technology ICX35-HWC Authentication Bypass

ProSoft Technology ICX35-HWC version 1.3 and prior cellular gateways contain an authentication bypass vulnerability in the web user interface that allows unauthenticated attackers to gain access to administrative functions without valid credentials. Attackers can bypass the authentication mechani...

9.3CVSS5.9AI score0.00451EPSS
Exploits0References2
Rows per page
Query Builder