
33 matches found

Cvelist
added 2026/05/11 7:55 p.m., 27 views

CVE-2026-42887 Audiobookshelf: Stored Cross-Site Scripting in Login Page Custom Message

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting XSS vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges c...

CVSS 4.5 · EPSS 0.00032
Exploits: 0 · References: 1

Positive Technologies
added 2026/05/11 12:00 a.m., 6 views

PT-2026-39752

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting XSS vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges c...

CVSS 4.5 · AI score 5.8 · EPSS 0.00032
Exploits: 0 · References: 2

Vulnrichment
added 2026/05/08 1:00 p.m., 5 views

CVE-2026-41161 Username Enumeration via Timing Attack

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time...

CVSS 6.9 · AI score 5.8 · EPSS 0.00045
Exploits: 0 · References: 2

Positive Technologies
added 2026/04/15 12:00 a.m., 5 views

PT-2026-37110

Name of the Vulnerable Software and Affected Versions: Sync-in Server versions prior to 2.2.0. Description: A logic flaw in the "/api/auth/login" endpoint allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This timing discrepancy occurs...

CVSS 6.9 · AI score 5.8 · EPSS 0.00045
Exploits: 0 · References: 7

CVE
added 2026/04/06 2:51 p.m., 3 views

CVE-2026-33510

Homarr (open-source dashboard) contains a DOM-based XSS in the /auth/login flow prior to version 1.57.0. The app trusts a URL parameter (callbackUrl) that is passed to redirect and router.push, enabling an attacker with an authenticated user to craft a malicious link that performs a client-side r...

CVSS 8.8 · AI score 5.9 · EPSS 0.00071
Exploits: 1 · References: 1 · Affected Software: 1

Cvelist
added 2026/03/15 1:35 p.m., 19 views

CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction

ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...

CVSS 9.8 · EPSS 0.00042
Exploits: 1 · References: 4

RedhatCVE
added 2025/12/08 2:12 p.m., 1 view

CVE-2025-14192

A vulnerability was found in RashminDungrani online-banking up to 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. This affects an unknown part of the file /site/dist/authlogin.php. Performing manipulation of the argument Username results in sql injection. The attack can be initiated remotely. The explo...

CVSS 7.5 · AI score 7.3 · EPSS 0.00026
Exploits: 0 · References: 1

Vulnrichment
added 2025/12/07 1:32 p.m., 1 view

CVE-2025-14192 RashminDungrani online-banking auth_login.php sql injection

A vulnerability was found in RashminDungrani online-banking up to 2337ad552ea9d385b4e07b90e6f32d011b7c68a2. This affects an unknown part of the file /site/dist/authlogin.php. Performing manipulation of the argument Username results in sql injection. The attack can be initiated remotely. The explo...

CVSS 7.5 · AI score 6.5 · EPSS 0.00026
Exploits: 0 · References: 4

CNNVD
added 2025/12/07 12:00 a.m., 3 views

Online Banking website using PHP SQL Injection Vulnerability

Online Banking website using PHP is an online banking website by Rashmin Personal Developer. A SQL injection vulnerability exists in Online Banking website using PHP, which stems from incorrect manipulation of the parameter Username in the file /site/dist/authlogin.php, which can lead to SQL...

CVSS 7.5 · AI score 7.9 · EPSS 0.00026
Exploits: 0 · References: 5

EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2012-6589

Malware in sbrugna...

CVSS 10 · AI score 6.4 · EPSS 0.53203
Exploits: 0 · References: 6

Tenable Nessus
added 2025/08/30 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2019-7313

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects...

CVSS 6.1 · AI score 6.1 · EPSS 0.00224
Exploits: 1 · References: 2

CVE
added 2025/08/10 5:32 a.m., 16 views

CVE-2025-8795

LitmusChaos Litmus up to 3.19.0 is affected by an Access Control vulnerability in the /auth/login process where manipulating the projectID parameter can bypass access controls. This allows remote exploitation with high impact on confidentiality, integrity, and availability. Public PoCs exist; ven...

CVSS 9.9 · AI score 7 · EPSS 0.00109
Exploits: 1 · References: 4 · Affected Software: 1

CNNVD
added 2025/08/10 12:00 a.m., 2 views

LitmusChaos Security Vulnerability

LitmusChaos is a program open-sourced by Litmus Chaos that practices chaos engineering in a cloud-native manner. A security vulnerability exists in LitmusChaos 3.19.0 and earlier versions, which stems from improper access control of the parameter projectID in the file /auth/login, which could lea...

CVSS 9.9 · AI score 6.5 · EPSS 0.00109
Exploits: 1 · References: 6

Packet Storm
added 2023/05/24 12:00 a.m., 273 views

Stackposts Social Marketing Tool 1.0 SQL Injection

Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
Date: 2023-05-17
Exploit Author: Ahmet Ümit BAYRAM
Vendor: https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
Demo Site: https://demo.stackposts.com
Tested on: Kali Linux
CVE: N/A
Request: POST /spmo/auth/login...

AI score 7.1
Exploits: 0

Snyk
added 2022/10/07 6:15 p.m., 1 view

Incorrect Default Permissions

Overview: com.liferay.portal:portal-impl is a Portal Impl. Affected versions of this package are vulnerable to Incorrect Default Permissions due to insecure default settings in the auth.login.prompt.enabled configuration. An attacker can obtain sensitive information such as usernames, site names, a...

CVSS 6.9 · AI score 5.2 · EPSS 0.00206
Exploits: 0 · References: 2

Positive Technologies
added 2022/10/07 12:00 a.m., 1 view

PT-2022-25851 · Liferay · Liferay Portal

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.0.0 through 7.4.2 Description: The issue is related to an insecure default in the auth.login.prompt.enabled component, which allows attackers to enumerate usernames, site names, and pages. Recommendations: For Lifera...

CVSS 5.3 · AI score 5.1 · EPSS 0.00206
Exploits: 0 · References: 9

Github Security Blog
added 2022/05/14 1:36 a.m., 10 views

Buildbot CRLF Injection

www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain...

CVSS 6.1 · AI score 7.3 · EPSS 0.00224
Exploits: 1 · References: 6 · Affected Software: 1

OSV
added 2022/05/14 1:36 a.m., 10 views

GHSA-66X7-2R56-FJ77 Buildbot CRLF Injection

www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain...

CVSS 6.1 · AI score 6.2 · EPSS 0.00224
Exploits: 1 · References: 6

Exploit DB
added 2020/10/21 12:00 a.m., 737 views

Stock Management System 1.0 - 'Categories Name' Persistent Cross-Site Scripting

Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting (Categories Name)
Exploit Author: Adeeb Shah @hyd3sec
Date: August 2, 2020
Vendor Homepage: https://www.sourcecodester.com/
Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html
Version:...

AI score 7.4
Exploits: 0

OSV
added 2020/06/17 8:15 p.m., 10 views

CVE-2020-14408

An issue was discovered in Agentejo Cockpit 0.10.2. Insufficient sanitization of the to parameter in the /auth/login route allows for injection of arbitrary JavaScript code into a web page's content, creating a Reflected XSS attack vector...

CVSS 6.1 · AI score 6.5
Exploits: 0 · References: 1