48 matches found
CVE-2026-36956
A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...
CVE-2018-25327
Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modi...
CVE-2026-36960
CVE-2026-36960 describes a CSRF flaw in the web management interface of the U-SPEED N300 Router V1.0.0. The device lacks anti-CSRF tokens and strict Origin/Referer checks for administrative endpoints, enabling a crafted page to trigger forged requests when an authenticated administrator visits it...
CVE-2026-31849 Missing CSRF Protection on Administrative Endpoints in Nexxt Nebula 300+
Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement CSRF protections on state-changing endpoints such as /goform/setSysTools and other administrative interfaces. As a result, an attacker can craft malicious web requests that are executed in the context of an...
PT-2026-25715
Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email',...
CVE-2026-22207
OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the rootapikey configuration is omitted. Attackers can send requests to protected endpoints without authentication headers ...
CVE-2020-36968
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for al...
CVE-2020-36968 M/Monit 3.7.4 - Password Disclosure
M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for al...
CVE-2026-24432 Tenda W30E V2 Missing CSRF Protections for Administrative Actions
Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.195037 lack cross-site request forgery CSRF protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered b...
Keycloak has an improper input validation vulnerability
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments,...
CVE-2026-0976
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments,...
CVE-2026-0976
Keycloak contains an improper input validation vulnerability (CVE-2026-0976) where RFC-compliant matrix parameters in URL path segments can be processed in ways that bypass reverse-proxy path filtering, potentially exposing administrative or sensitive endpoints. Affected component commonly cited ...
EUVD-2026-2822
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments,...
CVE-2026-0976
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments,...
PT-2026-2984
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak related to improper input validation. The software accepts RFC-compliant matrix parameters within URL path segments, which may be ignored or mishandled by common...
CVE-2025-69211
Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...
PT-2025-53321
Smartwares HOME easy 1.0.9 contains an authentication bypass vulnerability that allows unauthenticated attackers to access administrative web pages by disabling JavaScript. Attackers can navigate to multiple administrative endpoints and to bypass client-side validation and access sensitive system...
CVE-2025-6892
An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be...
CVE-2025-6892
An Incorrect Authorization vulnerability has been identified in Moxa’s network security appliances and routers. A flaw in the API authentication mechanism allows unauthorized access to protected API endpoints, including those intended for administrative functions. This vulnerability can be...
EUVD-2018-0419
Malware in sbrugna...