12 matches found
BIT-AUTHENTIK-2024-11623 Stored XSS in authentik
Authentik project is vulnerable to Stored XSS attacks through uploading crafted SVG files that are used as application icons. This action could only be performed by an authenticated admin user. The issue was fixed in 2024.10.4 release...
CVE-2026-32143
Discourse exposes a CSV export vulnerability (CVE-2026-32143) where moderators could export data from admin-restricted reports, bypassing visibility controls. Affected versions include 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0. ...
PT-2025-33632 · Ckeditor +1
Name of the Vulnerable Software and Affected Versions: ZenCart version 2.1.0 Description: A vulnerability exists in ZenCart 2.1.0 related to an unknown functionality of the component CKEditor. Manipulation of this functionality can lead to Cross-Site Scripting (XSS). The attack can be launched...
FreeBSD : navidrome -- transcoding permission bypass vulnerability (95480188-6ebc-11f0-8a78-bf201f293bce)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 95480188-6ebc-11f0-8a78-bf201f293bce advisory. Deluan Quinto reports: A permission verification flaw in Navidrome allows any authenticated regular use...
CVE-2025-54766
An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information...
PT-2023-30420 · Unknown · Silverpeas Core
Name of the Vulnerable Software and Affected Versions: Silverpeas Core version 6.3.1 Description: The issue is related to broken access control in the "Create a Space" feature, which is supposed to be reserved for administrators. However, any authenticated user can create a space by navigating to...
CVE-2022-26494
An XSS was identified in the Admin Web interface of PrimeKey SignServer before 5.8.1. JavaScript code must be used in a worker name before a Generate CSR request. Only an administrator can update a worker name...
CVE-2021-1447 Cisco Content Security Management Appliance Privilege Escalation Vulnerability
A vulnerability in the user account management system of Cisco AsyncOS for Cisco Content Security Management Appliance (SMA) could allow an authenticated, local attacker to elevate their privileges to root. This vulnerability is due to a procedural flaw in the password generation algorithm. An...
CVE-2017-3191
D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages...
Authentication flaw
D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 are vulnerable to authentication bypass of the remote login page. A remote attacker that can access the remote management login page can manipulate the POST request in such a manner as to access some administrator-only pages...
Atlassian JIRA < 5.0.7 Privilege Escalation
According to its self-reported version number, the version of Atlassian JIRA hosted on the remote web server is prior to 5.0.7. It is, therefore, potentially affected by a privilege escalation vulnerability. A remote attacker, using a crafted URL, can exploit this to bypass administrator-only...