CVE-2026-34358 CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any...
PT-2026-2411
Name of the Vulnerable Software and Affected Versions: Flame II HSPA USB Modem, affected versions not specified. Description: The Flame II HSPA USB Modem contains a flaw due to an unquoted service path in its Windows service configuration. This allows attackers to potentially execute arbitrary code...
EUVD-2020-15367
Malware in sbrugna...
EUVD-2017-2606
Malware in sbrugna...
CVE-2025-7102
CVE-2025-7102 affects BoyunCMS up to 1.4.20, in the file application/update/controller/Server.php. The vulnerability stems from improper handling of the phone argument, enabling SQL injection that can be triggered remotely. The initial sources indicate exploitation has been disclosed publi...
CVE-2024-1259
A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/controllers/admin/app/AppController.php of the component API. The manipulation of the argument apppicurl leads to unrestricted upload. The...
CVE-2023-48659
An issue was discovered in MISP before 2.4.176. app/Controller/AppController.php mishandles parameter parsing...
CVE-2023-34603
JeecgBoot up to v3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController...
CVE-2023-1494
A vulnerability classified as critical has been found in IBOS 4.5.5. Affected is an unknown function of the file ApiController.php. The manipulation of the argument emailids leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may ...
PT-2023-10262 · Harrystech · Harrystech Dynosaur-Rails
Name of the Vulnerable Software and Affected Versions: harrystech Dynosaur-Rails, affected versions not specified. Description: A critical vulnerability has been found in harrystech Dynosaur-Rails, affecting the basic_auth function of the file app/controllers/application_controller.rb. The...
Dynosaur-Rails Authorization Issue Vulnerability
Dynosaur-Rails is the web management interface for Dynosaur. An authorization issue vulnerability exists in harrystech Dynosaur-Rails that stems from a problem with the basic_auth function in the file app/controllers/application_controller.rb, which can lead to incorrect authentication...
SUSE CVE-2014-1985
Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back_url parameter...
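The Redmine entry above is the classic open-redirect shape: a `back_url` parameter is handed to a redirect without checking where it points. The following is an added example, not Redmine's own code, of how a Rails-style app can validate such a parameter before redirecting. It accepts only a rooted relative path or an absolute URL whose host equals the request host, and returns only the path and query of the latter so the attacker cannot pick the scheme or port. The host names and paths used in the comments and tests are assumptions.

```ruby
require "uri"

# Added example, not Redmine's own code: decide where a "back_url"-style
# parameter may send the user. Only a relative path rooted at "/" or an
# absolute http(s) URL on request_host is honoured; anything else falls
# back to default_path. Host names below are assumptions.
def safe_back_url(back_url, request_host, default_path = "/")
  return default_path if back_url.nil? || back_url.strip.empty?

  # "//evil.example" is protocol-relative and "/\evil.example" is treated
  # as "//evil.example" by some browsers; neither is a local path.
  return default_path if back_url.start_with?("//", "/\\", "\\")

  uri = begin
    URI.parse(back_url)
  rescue URI::InvalidURIError
    return default_path
  end

  # No scheme and no host: a local path, accepted only when rooted at "/"
  # (so "javascript:..." and "evil.example/x" are not mistaken for one).
  if uri.scheme.nil? && uri.host.nil?
    return back_url.start_with?("/") ? back_url : default_path
  end

  # Absolute URL: must be http(s) and the host must match exactly. Userinfo
  # tricks such as "http://good.example@evil.example/" fail here because
  # URI.parse reports evil.example as the host. Only path and query are
  # returned, so scheme and port cannot be chosen by the attacker either.
  return default_path unless %w[http https].include?(uri.scheme.to_s.downcase)
  return default_path unless uri.host && uri.host.downcase == request_host.downcase

  path = uri.path.empty? ? "/" : uri.path
  uri.query ? "#{path}?#{uri.query}" : path
end
```

In a controller this would replace a bare `redirect_to params[:back_url]` with `redirect_to safe_back_url(params[:back_url], request.host, home_path)`; the important property is that the fallback is taken on every parse failure and every mismatch, never the user value.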
CVE-2022-32513
A CWE-521: Weak Password Requirements vulnerability exists that could allow an attacker to gain control of the device when the attacker brute forces the password. Affected Products: C-Bus Network Automation Controller - LSS5500NAC Versions prior to V1.10.0, Wiser for C-Bus Automation Controller -...
Authentication flaw
A CWE-287: Improper Authentication vulnerability exists that could allow an attacker to gain control of the device when logging into a web page. Affected Products: C-Bus Network Automation Controller - LSS5500NAC Versions prior to V1.10.0, Wiser for C-Bus Automation Controller - LSS5500SHAC...
CVE-2023-22736 argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed...
FLAME II MODEM USB Unquoted Service Path
Exploit Title: FLAME II MODEM USB - Unquoted Service Path. Discovery by: Ismael Nava. Discovery Date: 02-02-2022. Vendor Homepage: https://www.telcel.com/personas/equipos/modems-usb/alcatel/x602a. Software Links: N/A. Is a BAM. Tested Version: N/A. Vulnerability Type: Unquoted Service Path. Tested on OS...
Amzetta Technologies Amzetta zPortal DVM Buffer Overflow Vulnerability
Amzetta Technologies Amzetta Zportal is a virtual desktop and application controller from Amzetta Technologies, Inc. It is used by administrators to create and manage hosted applications, virtual desktops, shared hosted desktops, and auditing services, provide resources for virtual desktops, prox...
PT-2021-23235 · Unknown · spree_auth_devise
Name of the Vulnerable Software and Affected Versions: spree_auth_devise versions prior to 4.0.1, spree_auth_devise versions prior to 4.1.1, spree_auth_devise versions prior to 4.2.1, spree_auth_devise versions prior to 4.4.1. Description: The issue is a CSRF vulnerability that allows user account...
CVE-2018-7219
application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request...
Spina 'spina/application_controller.rb' Cross-Site Request Forgery Vulnerability
Spina is an open source content management system (CMS) built on Rails. The system provides media management, document editing, search engine optimization and other modules. A cross-site request forgery vulnerability exists in previous versions of Spina...
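The spree_auth_devise, NoneCms and Spina entries above are all CSRF: a state-changing action accepts a request that the victim's browser can be made to send from another origin. What follows is an added example, not code from Spina, Spree or NoneCms, of the check such an action needs: a synchronizer token bound to the session and compared in constant time, an Origin/Referer backstop, and a flat refusal of writes reached by GET (the NoneCms case is a password change triggered by a GET URL, which a token check applied only to POST bodies would never see). The session and request are plain Hashes, and the host and secret values are assumptions.

```ruby
require "openssl"
require "securerandom"
require "uri"

# Added example, not code from Spina, Spree or NoneCms: a synchronizer-token
# CSRF check for state-changing actions, in plain Ruby. The session is a
# Hash, the request is a Hash with :method, :origin/:referer and :params;
# host names and secrets in the tests are assumptions.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Token = HMAC(secret, per-session nonce): a forged page cannot compute it
# without the server secret and the victim's own nonce.
def csrf_token_for(session, secret)
  session[:csrf_nonce] ||= SecureRandom.hex(16)
  OpenSSL::HMAC.hexdigest("SHA256", secret, session[:csrf_nonce])
end

# Constant-time string comparison so the check does not leak the token
# one byte at a time through timing.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Call this from every action that changes state (edit, password change,
# account creation). Returns true only when the request may proceed.
def csrf_ok?(request, session, secret, site_host)
  # A write reached by a "safe" method is rejected outright: tokens are
  # never checked on GET, so a GET-triggered password change (the NoneCms
  # entry above) would otherwise bypass the whole mechanism.
  return false if SAFE_METHODS.include?(request[:method].to_s.upcase)

  # When the browser sends Origin (or Referer), it must name our own host.
  source = request[:origin] || request[:referer]
  if source
    host = begin
      URI.parse(source).host
    rescue URI::InvalidURIError
      nil
    end
    return false unless host && host.downcase == site_host.downcase
  end

  # Finally the token submitted with the form must match the one bound to
  # this session.
  submitted = (request[:params] || {})["authenticity_token"]
  secure_equal?(csrf_token_for(session, secret), submitted)
end
```

The token is the primary control; the Origin check is a backstop for the case where a token leaks or a form is rendered without one. Keeping write actions off GET routes is what makes the first guard safe to apply unconditionally.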