525 matches found

Github Security Blog
added 2026/02/24 8:37 p.m., 7 views

Caddy is vulnerable to cross-origin config application via local admin API /load

commit: e0f8d9b2047af417d8faf354b675941f3dac9891 (as of 2026-02-04). Channel: GitHub security advisory, per SECURITY.md. Summary: The local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement ...

CVSS: 8.2, AI score: 5.7, EPSS: 0.00166
Exploits: 1, References: 8, Affected software: 1
RedHat Linux
added 2026/02/09 8:37 p.m., 4 views

org.keycloak.services.resources.admin: Keycloak: Limited administrator can retrieve sensitive user attributes via Admin API

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...

CVSS: 2.7, AI score: 5.7, EPSS: 0.00364
Exploits: 0, References: 4
NVD
added 2026/02/07 12:15 a.m., 7 views

CVE-2020-37079

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...

CVSS: 5.1, EPSS: 0.0017
Exploits: 1, References: 4
Cvelist
added 2026/02/06 11:16 p.m., 35 views

CVE-2020-37079 Wing FTP Server < 6.2.7 - Cross-site Request Forgery

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...

CVSS: 5.1, EPSS: 0.0017
Exploits: 1, References: 4
CVE
added 2026/02/02 5:43 a.m., 16 views

CVE-2025-13881

The CVE-2025-13881 entry describes a vulnerability in the Keycloak Admin API where an administrator with limited privileges can retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. Affected software is Keycloak Admin API (details ...

CVSS: 2.7, AI score: 5.8, EPSS: 0.00364
Exploits: 0, References: 4
Snyk
added 2026/01/27 12:34 p.m., 3 views

Incorrect Privilege Assignment

Overview: org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Admin API. An attacker can access sensitive user attributes ...

CVSS: 5.1, AI score: 5.9, EPSS: 0.00364
Exploits: 0, References: 2
NVD
added 2026/01/27 10:15 a.m., 7 views

CVE-2026-24348

Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users...

CVSS: 7.4, EPSS: 0.00149
Exploits: 0, References: 1
Vulnrichment
added 2026/01/27 9:22 a.m., 3 views

CVE-2026-24347 Arbitrary file write to /tmp directory in EZCast Pro II Dongle

Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory...

CVSS: 5.7, AI score: 5.9, EPSS: 0.00207
Exploits: 0, References: 1
NVD
added 2026/01/21 1:16 p.m., 12 views

CVE-2025-14083

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...

CVSS: 2.7, EPSS: 0.0032
Exploits: 0, References: 4
Vulnrichment
added 2026/01/21 12:04 p.m., 3 views

CVE-2025-14083 Keycloak-server: keycloak: improper access control in admin rest api leads to information disclosure

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...

CVSS: 2.7, AI score: 5.4, EPSS: 0.0032
Exploits: 0, References: 4
Positive Technologies
added 2026/01/21 12:00 a.m., 11 views

PT-2026-3762

A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...

CVSS: 2.7, AI score: 5.4, EPSS: 0.0032
Exploits: 0, References: 3
Cvelist
added 2026/01/14 4:20 p.m., 23 views

CVE-2025-37185 Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...

CVSS: 5.5, EPSS: 0.00223
Exploits: 0, References: 1
Vulnrichment
added 2026/01/14 4:20 p.m., 5 views

CVE-2025-37185 Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...

CVSS: 5.5, AI score: 5.7, EPSS: 0.00223
Exploits: 0, References: 1
Vulnrichment
added 2026/01/11 1:32 a.m., 3 views

CVE-2025-15505 Luxul XWR-600 Web Administration cross site scripting

A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit...

CVSS: 4.8, AI score: 5.2, EPSS: 0.00206
Exploits: 0, References: 4
Cvelist
added 2026/01/11 1:32 a.m., 24 views

CVE-2025-15505 Luxul XWR-600 Web Administration cross site scripting

A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit...

CVSS: 4.8, EPSS: 0.00206
Exploits: 0, References: 4
Positive Technologies
added 2026/01/11 12:00 a.m., 10 views

PT-2026-1782

Name of the Vulnerable Software and Affected Versions: Luxul XWR-600 versions prior to 4.0.2. Description: A cross-site scripting issue exists in the Web Administration Interface component of Luxul XWR-600. The issue is triggered by manipulating the SSID argument within the Guest Network/Wireless...

CVSS: 4.8, AI score: 3.6, EPSS: 0.00206
Exploits: 0, References: 9
Cvelist
added 2026/01/10 2:57 a.m., 24 views

CVE-2026-22596 Ghost has SQL Injection in Members Activity Feed

Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...

CVSS: 6.7, EPSS: 0.00413
Exploits: 0, References: 3
CVE
added 2026/01/10 2:57 a.m., 18 views

CVE-2026-22596

CVE-2026-22596 affects Ghost, a Node.js CMS. A SQL injection flaw exists in Ghost’s /ghost/api/admin/members/events endpoint due to insufficient input validation, exploitable by users with Admin API credentials. Affected versions: 5.90.0–5.130.5 and 6.0.0–6.10.3. The issue allows arbitrary SQL ex...

CVSS: 7.2, AI score: 7.2, EPSS: 0.00413
Exploits: 0, References: 3, Affected software: 1
CVE
added 2025/12/18 7:53 p.m., 7 views

CVE-2023-53737

CVE-2023-53737 describes a stored cross-site scripting vulnerability in Kentico Xperience, specifically via the Localization Application. The CVE entry (title: Kentico Xperience

CVSS: 5.1, AI score: 5.8, EPSS: 0.0014
Exploits: 0, References: 2, Affected software: 1
Vulnrichment
added 2025/12/18 7:53 p.m., 2 views

CVE-2023-53736 Kentico Xperience <= 13.0.120 Administration Interface Reflected XSS

A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context...

CVSS: 5.4, AI score: 6.1, EPSS: 0.00165
Exploits: 0, References: 2