11 matches found

Exploit DB
added 2026/04/29 12:00 a.m., 89 views

phpMyFAQ 4.0.16 - Improper Authorization

Exploit Title: phpMyFAQ <= 4.0.16 - Improper Authorization
Google Dork: N/A
Date: 2026-01-23
Exploit Author: GUIA BRAHIM FOUAD
Vendor Homepage: https://www.phpmyfaq.de/
Software Link: https://www.phpmyfaq.de/download/
Version: <= 4.0.16 REQUIRED
Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x,...

CVSS 6.5 | AI score 5.2 | EPSS 0.01734
Exploits: 3
RedhatCVE
added 2026/01/26 3:10 p.m., 6 views

CVE-2026-24421

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated but does not verify that the requester has...

CVSS 6.5 | AI score 5.9 | EPSS 0.01734
Exploits: 3 | References: 1
CVE
added 2026/01/24 1:43 a.m., 28 views

CVE-2026-24421

Summary: CVE-2026-24421 affects phpMyFAQ before 4.0.17. Versions 4.0.16 and earlier have flawed authorization logic that exposes the /api/setup/backup endpoint to any authenticated user. The code uses userIsAuthenticated() without verifying configuration/admin permissions, allowing non-admin user...

CVSS 6.5 | AI score 5.6 | EPSS 0.01734
Exploits: 3 | References: 1 | Affected Software: 1
NVD
added 2025/12/29 4:15 p.m., 4 views

CVE-2025-69200

phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive...

CVSS 7.5 | EPSS 0.02005
Exploits: 1 | References: 2
EUVD
added 2025/12/18 6:30 p.m., 6 views

EUVD-2025-204302

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

AI score 6.4 | EPSS 0.00212
Exploits: 0 | References: 3
Cvelist
added 2025/12/18 12:00 a.m., 25 views

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

EPSS 0.00212
Exploits: 0 | References: 4
Positive Technologies
added 2025/12/18 12:00 a.m., 5 views

PT-2025-52262

Name of the Vulnerable Software and Affected Versions: Dify version 1.9.1
Description: A Cross-Origin Resource Sharing (CORS) misconfiguration exists in the /console/api/setup endpoint. The endpoint has an insecure CORS policy that reflects any Origin header and allows Access-Control-Allow-Credential...

CVSS 9.1 | AI score 6.5 | EPSS 0.00212
Exploits: 0 | References: 11
CVE
added 2025/12/18 12:00 a.m., 11 views

CVE-2025-63386

CVE-2025-63386 affects Dify v1.9.1, specifically the /console/api/setup endpoint. The vulnerability arises from a misconfigured CORS policy that reflects any Origin header and sets Access-Control-Allow-Credentials: true, allowing arbitrary external domains to make authenticated requests. Impact i...

CVSS 9.1 | AI score 5.7 | EPSS 0.00212
Exploits: 0 | References: 4 | Affected Software: 1
Patchstack
added 2024/06/12 8:14 a.m., 6 views

WordPress InstaWP Connect plugin <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability

Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability discovered by Truoc Phan in WordPress Plugin InstaWP Connect versions <= 0.1.0.38...

CVSS 9.8 | AI score 7 | EPSS 0.04156
Exploits: 0 | References: 1 | Affected Software: 1
WPVulnDB
added 2024/06/11 12:00 a.m., 15 views

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.39 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation

Description: The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to conne...

CVSS 9.8 | AI score 6.7 | EPSS 0.04156
Exploits: 0 | References: 1 | Affected Software: 1
Kitploit
added 2020/01/20 8:30 p.m., 663 views

TeleGram-Scraper - Telegram Group Scraper Tool (Fetch All Information About Group Members)

Telegram Group Scraper Tool. Fetch All Information About Group Members
• How To Install & Setup API Termux
• API Setup: Go to http://my.telegram.org and log in. Click on API development tools and fill in the required fields. Put the app name you want and select Other in platform. Example: copy "apiid" &...

AI score 7.2
Exploits: 0 | References: 1