525 matches found
Caddy is vulnerable to cross-origin config application via local admin API /load
commit: e0f8d9b2047af417d8faf354b675941f3dac9891 as-of 2026-02-04 channel: GitHub security advisory per SECURITY.md summary The local caddy admin API default listen 127.0.0.1:2019 exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement ...
org.keycloak.services.resources.admin: Keycloak: Limited administrator can retrieve sensitive user attributes via Admin API
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
CVE-2020-37079
Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery CSRF vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...
CVE-2020-37079 Wing FTP Server < 6.2.7 - Cross-site Request Forgery
Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery CSRF vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...
CVE-2025-13881
The CVE-2025-13881 entry describes a vulnerability in the Keycloak Admin API where an administrator with limited privileges can retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. Affected software is Keycloak Admin API (details ...
Incorrect Privilege Assignment
Overview org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the Admin API. An attacker can access sensitive user attributes ...
CVE-2026-24348
Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users...
CVE-2026-24347 Arbitrary file write to /tmp directory in EZCast Pro II Dongle
Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory...
CVE-2025-14083
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
CVE-2025-14083 Keycloak-server: keycloak: improper access control in admin rest api leads to information disclosure
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
PT-2026-3762
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
CVE-2025-37185 Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting XSS attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...
CVE-2025-37185 Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting XSS attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...
CVE-2025-15505 Luxul XWR-600 Web Administration cross site scripting
A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit...
CVE-2025-15505 Luxul XWR-600 Web Administration cross site scripting
A vulnerability was found in Luxul XWR-600 up to 4.0.1. The affected element is an unknown function of the component Web Administration Interface. The manipulation of the argument Guest Network/Wireless Profile SSID results in cross site scripting. The attack may be launched remotely. The exploit...
PT-2026-1782
Name of the Vulnerable Software and Affected Versions Luxul XWR-600 versions prior to 4.0.2 Description A cross-site scripting issue exists in the Web Administration Interface component of Luxul XWR-600. The issue is triggered by manipulating the SSID argument within the Guest Network/Wireless...
CVE-2026-22596 Ghost has SQL Injection in Members Activity Feed
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in...
CVE-2026-22596
CVE-2026-22596 affects Ghost, a Node.js CMS. A SQL injection flaw exists in Ghost’s /ghost/api/admin/members/events endpoint due to insufficient input validation, exploitable by users with Admin API credentials. Affected versions: 5.90.0–5.130.5 and 6.0.0–6.10.3. The issue allows arbitrary SQL ex...
CVE-2023-53737
CVE-2023-53737 describes a stored cross-site scripting vulnerability in Kentico Xperience, specifically via the Localization Application. The CVE entry (title: Kentico Xperience
CVE-2023-53736 Kentico Xperience <= 13.0.120 Administration Interface Reflected XSS
A reflected cross-site scripting vulnerability in Kentico Xperience allows authenticated users to inject malicious scripts in the administration interface. Attackers can exploit this vulnerability to execute arbitrary scripts within the administrative context...