CVE-2026-34917

CVE-2026-34917 affects Revive Adserver: low-privilege session IDs generated for the web admin console can be reused in the XML-RPC API, whose authentication is normally admin-restricted. This allowed scenario enables an attacker to gain unauthorized API access and potentially exploit API-level vu...

Moodle - Cross-Site Scripting/Remote Code Execution

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. Moodle versions 4.1.x before 4.1.3 and 4.2.x before...

Adobe Coldfusion - Authentication Bypass

Adobe ColdFusion versions 2023.5 and earlier and 2021.11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints...

Order Delivery Date Pro for WooCommerce < 12.3.1 - Arbitrary Option Update

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modi...

i-Panel Administration System 2.0 - Cross-Site Scripting

i-Panel Administration System 2.0 contains a cross-site scripting vulnerability that enables an attacker to execute arbitrary JavaScript code in the browser-based web console. id: CVE-2021-41878 info: name: i-Panel Administration System 2.0 - Cross-Site Scripting author: madrobot severity: medium...

Apache ActiveMQ <=5.15.5 - Cross-Site Scripting

Apache ActiveMQ versions 5.0.0 to 5.15.5 are vulnerable to cross-site scripting via the web based administration console on the queue.jsp page. The root cause of this issue is improper data filtering of the QueueFilter parameter. id: CVE-2018-8006 info: name: Apache ActiveMQ =5.15.5 - Cross-Site...

EUVD-2026-38135

GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization...

CVE-2026-55741

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

CVE-2026-46978

Vulnerability in the Oracle Solaris product of Oracle Systems component: Remote Administration Daemon. The supported version that is affected is 11.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Solaris. While the vulnerabili...

DotNetNuke 07.04.00 - Administration Authentication Bypass

The installation wizard in DotNetNuke DNN before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx. id: CVE-2015-2794 info: name: DotNetNuke 07.04.00 - Administration Authentication Bypass author: 0xr2r severity...

PT-2026-50065

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite Oracle Universal Work Queue versions 12.2.3 through 12.2.15 Description An issue exists in the Work Provider Site Level Administration component of the Oracle Universal Work Queue. A low privileged attacker with network...

PT-2026-50075

Name of the Vulnerable Software and Affected Versions Oracle Solaris version 11.4 prior to SRU93 Description An issue exists in the Remote Administration Daemon that allows an unauthenticated attacker with network access via HTTPS to compromise the system. Successful exploitation can lead to...

EUVD-2016-10896

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScrip...

CVE-2026-11860 Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

CVE-2026-45775

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a...

CVE-2026-10715

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type//drafts and overwrite the draft of another user’s post. Affected component: draft autosave f...

CVE-2026-47366

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...

CVE-2026-47366

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...

EUVD-2026-36377

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...

CVE-2026-47366

Improper verification of access permissions when modifying permissions through the Administration Control Panel ACP allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface...